Package Scam Texts Now Include QR Codes to Bypass Filters

A text arrives on your phone: USPS tried to deliver a package, but they need your signature. There's a document attached. Inside the document: a QR code.

You scan it. Convenient, right?

Wrong. The Better Business Bureau says these messages look more convincing now, and the scam has evolved to include documents with QR codes because scammers know QR codes are common and convenient.

Karen Reeves with the BBB of North Alabama explained that scammers are attaching QR codes because they're widespread and people may scan them without thinking twice. WAFF 48 heard from several viewers in May 2026 who said they received the texts, and multiple members of the news team also received versions claiming they needed to provide information to receive a package.

What changed in the package delivery text scam

Fake delivery texts have circulated for years. But in March 2026, Arizona Attorney General Kris Mayes warned residents about a surge in fake package delivery notices designed to steal information. Scammers pretend to be UPS, FedEx, or the U.S. Postal Service and send a text message claiming a package is on its way or there's a problem with an upcoming delivery, and the text includes a link.

If a victim clicks the link, it can expose them to malware, identity theft, and financial fraud. But by May 2026, the tactic shifted.

Instead of only embedding a suspicious link in the text body, scammers now send texts that include what looks like an attached delivery notification document. Inside that document sits a QR code. It looks official. It feels less suspicious than a naked URL. And because smartphones make scanning QR codes frictionless, people do it.

The code takes you to the same fake payment portals or credential-harvesting sites the old links did. But the document wrapper makes it feel legitimate. The U.S. Postal Inspection Service warns that sometimes a 'gift' comes with a QR code that leads to a fake website set up to steal your identity, and if there's a QR code with a 'free' gift, don't scan it.

Why this version works better than the original

QR codes bypass a mental checkpoint. When you see a raw link in a text, especially one with a sketchy domain or a bit.ly shortener, you might hesitate. You might Google the sender. You might delete it.

A QR code inside a document feels procedural. Official. It mimics the format of legitimate shipping labels, boarding passes, and restaurant menus. Your phone's camera app does the rest automatically. No typing. No scrutiny. Just point and tap.

Reeves pointed out that scammers' two favorite tactics are fear and urgency, especially when someone is waiting on a package or worried about a delay. That cocktail of emotion plus a familiar QR code format creates the perfect opening.

The infrastructure behind the scam

A new smishing campaign impersonates package delivery services, with over 10,000 fraudulent domains registered targeting people across multiple U.S. states and Canada. An earlier FBI-flagged campaign involved texts claiming recipients owed small toll amounts, usually under ten dollars, and included links to convincing fake payment portals that harvested credit card numbers, personal information, and login credentials. The FBI's Internet Crime Complaint Center received over 2,000 complaints from just three states in the initial wave, and the campaign quickly spread to all 50 states.

The same criminal infrastructure now powers the package scams. The domains rotate constantly. The text sender numbers change. The branding looks current. And now, the addition of QR codes adds one more layer of perceived legitimacy.

Think about it: when was the last time you hovered over a QR code to inspect where it actually points? You can't. The whole design hides the destination until after you scan.

What happens if you scan one

You land on a page that looks like FedEx, UPS, or USPS. It asks you to confirm your shipping address. Then it asks for a small 'redelivery fee' or 'customs charge.' Usually under five dollars. You enter your debit card number, billing address, and CVV.

The scammer now has your payment credentials. By interacting with the fake site or providing details, your personal and financial information can be taken and misused for identity theft, fraudulent accounts, and other scams. In some cases, clicking the link can install harmful software on your device and steal sensitive data, and scammers use that information to make unauthorized charges and take your money.

Or worse: the QR code installs malware directly. Your phone becomes a data collection tool. Texts, photos, contacts, app logins. All of it can be siphoned.

Since early March 2024, the FBI's Internet Crime Complaint Center has received over 2,000 complaints related to fraudulent toll payment messages, and the latest smishing scams have exploited more than 10,000 newly registered domains. The same architecture now supports the delivery scams.

How to actually verify a delivery issue

If you're expecting a package and you get a text about a problem, do not tap anything in that message.

Open the retailer's website or app where you made the purchase. Amazon, Target, Walmart, whoever. Check your order status there. If there's a delivery problem, it will show up in your account.

Instead of clicking links in the message, go to the online retail site or account you ordered your item from to look up the shipping and tracking information for your package. The USPS does not send communications unless you have requested the service for a specific tracking number beforehand, and legitimate FedEx and USPS text messages do not include links for tracking or payment updates.

If the text claims to be from the carrier directly and you didn't order anything recently, it's almost certainly fake. Both FedEx and UPS say they do not seek payment or personal information through unsolicited texts and email.

Delete the text. Don't scan the code. Don't reply, even to say 'stop.' Even replying 'STOP' signals that your number is active and can lead to more scam attempts.

What to do right now

If you haven't fallen for one of these yet, set up a mental rule: never scan a QR code from an unsolicited text. Ever. No exceptions.

If you already scanned a code and entered information, act immediately. Contact your bank and let them know what happened so they can monitor your account for fraudulent activity and help protect your money. Change passwords for the affected accounts, and if you use that specific password on other sites or apps, make updates there as well.

Enable transaction alerts on every bank account and credit card. Set the threshold to zero dollars. If a fraudulent charge hits, you'll know within minutes, not days.

Report unwanted text messages and scams using your messaging app's option to report junk or spam, and if your phone doesn't have that option, forward the message to 7726. Then report the scam to the FTC. If you have been targeted, you can also report it to the FBI's Internet Crime Complaint Center at ic3.gov.

Anyone who provided personal information to a scammer should visit identitytheft.gov and consider placing a fraud alert or credit freeze with the three major credit bureaus: Experian, TransUnion, and Equifax. Anyone who shared financial information should contact their bank immediately.

Run a malware scan on your phone if you scanned a code and tapped through to a site. Apple and Android both have security settings that can filter unknown senders. Turn them on. Most major carriers also offer spam-blocking tools. Use them.

Why this matters more than the last version

QR codes removed the last friction point. You used to have to consciously tap a link. Now you just point your camera. The decision happens before you think.

And because legitimate businesses do use QR codes for everything from restaurant menus to event tickets to retail checkout, your brain has been trained to trust them. Scammers know this. Barclays' comprehensive 2025 scam report reveals a sharp 40% surge in SMS-originated scams compared to the previous year, underscoring how attackers are increasingly exploiting text messages as a gateway for fraud.

The delivery scam isn't new. But the QR code evolution makes it harder to catch, easier to fall for, and faster to execute. That's why the BBB, the Arizona Attorney General, and the U.S. Postal Inspection Service all issued warnings within weeks of each other in early 2026.

If a delivery text includes a document, an attachment, or a QR code, it is not real. Carriers do not operate that way. If you get one of these texts, don't click the link or scan the code. Instead, go directly to the retailer or shipping carrier you used and check your tracking information there.

The scam works because it looks like every other digital interaction you have in 2026. The only defense is to pause, verify independently, and never let a text message be the single source of truth about your money or your deliveries.

Verified against Better Business Bureau alerts, Arizona Attorney General warnings, FBI IC3 complaint data, and FTC consumer advisories from March through May 2026. Last updated: June 10, 2026. Reviewed and published by the RecentScam Editorial Team on 2026-06-10.