Secrets of Privacy

QR Code Scams Are Coming in the Mail Now

How scammers figured out that your mailbox is their most powerful weapon, and what to do about it.

Feb 25, 2026

Something unexpected arrives in your mailbox.

Could be a package with your name on it. Could be a letter on official-looking letterhead from a company you trust.

Either way, there’s a QR code inside, and the message is urgent:

scan this now.

This is the new face of phishing.

It doesn’t come through email, where spam filters can catch it. It doesn’t pop up in a browser tab.

Instead, it arrives the old-fashioned way, through your front door.

This time, though, it’s wearing a logo you trust, like Amazon, or Ledger, or Trezor. And because we’ve spent twenty years being trained to distrust suspicious emails but almost no time learning to distrust suspicious mail, the scammers are stacking up wins.

Two incidents in the past few weeks make this impossible to ignore.

One involves Amazon packages. Another involves cryptocurrency wallets.

But the people who should be most concerned aren’t just Amazon shoppers or crypto investors; they’re everyone who gets mail.

The QR-Code Mailbox Attack

Everything else in this piece follows from one idea: the attack surface is moving offline.

Every piece of cybersecurity software you’ve ever used, whether spam filters, antivirus, browser warnings, or two-factor authentication prompts, is designed to catch threats that travel through digital channels.

Physical mail bypasses all of it.

A letter can’t be flagged by your email provider. A package can’t be scanned by your router’s firewall. And a QR code on a piece of paper hides its destination URL; you can’t hover over it the way you can hover over a link in an email.

Scammers have noticed. And they’re investing in postage.

Two Incidents, Same Playbook

Incident 1: The “Mystery Gift” Amazon Package

Police departments across the US are warning residents about a new twist on so-called brushing scams. Here’s how it works.

An unsolicited package arrives at your door. It has Amazon branding. It has your real name and address on the label. Inside, there’s either a small item, usually something cheap and lightweight, or just a note.

And there’s a QR code, asking you to scan it to “find out who sent this gift,” “claim your reward,” or “report a wrong delivery.”

The QR code doesn’t lead to Amazon. It leads to a fake Amazon page designed to steal your login credentials, or it prompts you to download something that hands over access to your banking information. (source)

The original brushing scam was annoying but mostly harmless and worked like this: sellers shipped you junk so they could post a “verified purchase” review. This is a different animal. The QR code turns what was a nuisance into an active threat. The package is the lure. The code is the trap.

Incident 2: The Letter That Looked More Legitimate Than the Real Thing

If the Amazon package scam is a low-budget operation, the campaign targeting cryptocurrency hardware wallet owners is something else entirely. And even if you don’t own any crypto, this incident matters to you for reasons we’ll get to shortly.

Starting around February 2026, people who own Ledger or Trezor hardware wallets (physical devices used to store cryptocurrency offline) began receiving physical letters in the mail. (source) The letters appeared on official-looking letterheads. They included holograms. They included QR codes. They bore what appeared to be the signature of company executives.

The letters claimed that an urgent “Authentication Check” or “Transaction Check” had become mandatory. Recipients were told to scan the QR code and complete the process before a specific deadline or risk losing access to their wallet entirely.

Scanning the QR code led to a website that looked exactly like the official Trezor or Ledger setup interface. The site walked users through a plausible-sounding verification process and, at the very end, asked them to enter their wallet’s recovery phrase, the 12-, 20-, or 24-word master key that controls everything in the wallet. Once entered, the funds are gone. Within minutes.

The Three Unfair Advantages of Mail Phishing

Physical mail phishing works because it exploits three things simultaneously that digital phishing almost never can.

First: it bypasses every filter you have. No spam folder. No browser warning. No antivirus scan. Your mailbox has zero security infrastructure.

Second: it feels more trustworthy. We’ve been conditioned to distrust urgent emails from companies we do business with. We’re far less conditioned to distrust urgent letters. Physical mail carries a subconscious weight because someone spent money on paper, printing, and postage. It feels like it means something.

Third: QR codes hide the destination. When you get a suspicious link in an email, you can hover over it and see where it actually goes. A QR code on paper gives you nothing. You can’t see the URL without scanning it. And most people don’t know how to preview a QR code before opening what it points to.
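One practical way to close the "you can't see the URL" gap is to look at the decoded payload before opening it (most phone cameras and scanner apps display the decoded text first) and check it against what the letter or package claims. The script below is an added example, not code from the original post: it assumes the QR code has already been decoded to its text payload (decoding the image itself would need a library such as pyzbar or OpenCV), and its table of official domains, its shortener list and its keyword list are assumptions made for illustration. It generalises the article's three cases (Amazon, Ledger, Trezor) to any brand you add to the table.

```python
"""Inspect a decoded QR payload before opening it (added example, not from the post).

Assumes the QR image is already decoded to text. OFFICIAL_DOMAINS, SHORTENERS
and RISKY_WORDS are illustrative assumptions, not data from the article.
"""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# Assumed official registrable domains for the brands the article mentions.
OFFICIAL_DOMAINS = {
    "amazon": ("amazon.com",),
    "ledger": ("ledger.com",),
    "trezor": ("trezor.io",),
}

# Link shorteners hide the final destination just as the printed QR code did.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly", "rebrand.ly"}

# Words that, on a page reached from a letter or package, usually precede a
# credential or recovery-phrase request. They raise a caution, not a verdict.
RISKY_WORDS = ("seed", "recovery", "phrase", "verify", "authenticate", "claim", "reward")


def _belongs_to(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_qr_payload(payload: str, expected_brand: str | None = None) -> dict:
    """Return {'verdict': 'ok'|'caution'|'suspicious', 'host': ..., 'reasons': [...]}.

    expected_brand is the lower-case OFFICIAL_DOMAINS key for the company whose
    logo the letter or package carried, if known.
    """
    reasons: list[str] = []   # structural problems: any one makes it suspicious
    notes: list[str] = []     # wording that warrants caution
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()

    if scheme not in ("http", "https"):
        # tel:, sms:, WIFI:, bare text and so on are not web links at all.
        reasons.append(f"non-web payload (scheme {scheme!r})")
        return {"verdict": "suspicious", "host": None, "reasons": reasons}

    host = (parts.hostname or "").rstrip(".")
    if scheme == "http":
        reasons.append("plain http, no TLS")
    if parts.username is not None:
        # https://brand.example@evil.example/ puts the brand before '@';
        # the real host is whatever follows the '@'.
        reasons.append("text before '@' in URL; real host is " + repr(host))
    if not host:
        reasons.append("no host")
    elif _is_ip(host):
        reasons.append("raw IP address instead of a domain")
    elif any(label.startswith("xn--") for label in host.split(".")) or not host.isascii():
        reasons.append("internationalised (punycode) hostname, possible homoglyph")
    if host in SHORTENERS:
        reasons.append("link shortener hides the final destination")

    lowered = payload.lower()
    for brand, domains in OFFICIAL_DOMAINS.items():
        named = brand in lowered or brand == expected_brand
        official = any(_belongs_to(host, d) for d in domains)
        if named and not official:
            reasons.append(f"{brand} expected or named, but host {host!r} is not an official {brand} domain")

    hits = [w for w in RISKY_WORDS if w in (parts.path + "?" + parts.query).lower()]
    if hits:
        notes.append("verification/recovery language in URL: " + ", ".join(hits))

    verdict = "suspicious" if reasons else ("caution" if notes else "ok")
    return {"verdict": verdict, "host": host, "reasons": reasons + notes}


if __name__ == "__main__":
    # Constructed sample payloads; the .example hosts are placeholders, not real sites.
    samples = [
        ("https://www.amazon.com/gp/your-account/", "amazon"),
        ("https://amazon-delivery-reward.example/claim?pkg=123", "amazon"),
        ("https://trezor.io@wallet-check.example/verify", "trezor"),
        ("https://bit.ly/3xyzABC", "ledger"),
        ("WIFI:T:WPA;S:Guest;P:pw;;", None),
    ]
    for payload, brand in samples:
        result = inspect_qr_payload(payload, brand)
        print(f"{result['verdict']:10} {payload}")
        for r in result["reasons"]:
            print("           -", r)
```

Pass the brand printed on the envelope or box as `expected_brand`: a letter wearing a Ledger logo whose code resolves to a host that is not under ledger.com is exactly the mismatch the article describes, and the `@` check catches the trick of putting the real brand's domain in the user-info part of the URL so it appears first on screen.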

Combine these three factors and you have an attack that is genuinely harder to defend against than the average phishing email. Not because it’s more technically sophisticated, but because it exploits social and cognitive vulnerabilities that most people have never been warned about.

This Is a Data Breach Problem, Not a Scammer Cleverness Problem

Here’s what most coverage of these incidents is getting wrong.

The Ledger and Trezor letters aren’t impressive because the scammers are creative. They’re impressive because someone handed them a roadmap.

  • In June 2020, Ledger suffered a data breach that ultimately exposed approximately 272,000 customer records (full names, phone numbers, and home addresses) which were later dumped publicly online.

  • In January 2024, Trezor disclosed a breach that exposed contact information for nearly 66,000 users, including emails.

  • And in January 2026, Ledger customers were notified of another exposure through a third-party payment processor called Global-e.

That is a lot of home addresses and other personal information in the wild. And home addresses are the only input you need to mail someone a very convincing letter.

The Amazon brushing scam works the same way. Scammers are buying or scraping real names and addresses to make their packages look legitimate.

We tend to think of data breaches as a password problem. Change your password, enable two-factor auth, move on. But your home address doesn’t change when a breach happens. It just sits there, in some hacker’s database, waiting to be monetized. The current generation of mail phishing attacks is that monetization. The breach happened years ago. The invoice is arriving now.

This is the part that should worry you: we are in the early stages of this trend. As more personal data leaks accumulate and more scammers realize that physical mail bypasses every digital defense, this attack vector is going to get more common, more sophisticated, and harder to distinguish from legitimate correspondence.

What legislators and most cybersecurity companies don’t fully grasp yet is that the protection framework needs to extend offline. And right now, almost none of it does.

Scammers Are Recycling Old Breach Data With AI. Here’s What To Do

October 8, 2025

Where This Goes Next

Here’s why you don’t need to own any crypto for this to matter to you.

Crypto users were the perfect population to test physical mail phishing against. They’re identifiable by name and address thanks to documented breaches. They hold high-value assets, which justifies the cost of printing, holograms, and postage (scammers need the per-victim payout to cover their materials). And they’re already primed to think about wallet security, so a letter about a “mandatory security check” lands believably.

But testing on crypto users was never the end goal. It was the proof of concept.

Once scammers confirm that physical mail phishing converts (that people scan QR codes from letters, that the ROI works), the playbook gets ported to target populations where the per-victim take is smaller but the volume is orders of magnitude larger. Here’s what likely comes next:

The IRS letter. Fake IRS correspondence is already the most successful phone scam category in America. A physical letter with a QR code is the obvious evolution. Something like “scan to verify your identity before your refund is processed” or “respond within 14 days to avoid an audit hold”. The IRS already communicates exclusively by physical mail, which means recipients are specifically conditioned to take letters from them seriously. Nearly every adult American is a viable target.

Medicare and Social Security. The demographic that trusts physical mail most deeply is also the demographic most heavily targeted by phone scams. A letter saying “your Medicare coverage requires reconfirmation — scan here to avoid a lapse in benefits” is perfectly engineered for that audience.

Banks and credit unions. “Your account has been flagged for unusual activity — scan to verify your identity and avoid a temporary freeze.” Banks do send physical fraud alert letters. The format is completely plausible, and the credential harvest that follows works the same way it did with Amazon.

Utilities and local government. “Final notice before service interruption” is a proven psychological lever. Fake utility QR-code letters have already appeared in parts of Europe. It’s a matter of time before this is widespread in the US.

Healthcare and insurance. People managing chronic conditions receive regular correspondence from insurers, specialty pharmacies, and providers. They’re often dealing with something stressful enough that they act quickly when they see urgent mail, and healthcare data breaches have put millions of home addresses into circulation.

Mortgage servicers and title companies. Homeowners receive physical mail from county assessors, mortgage servicers, and title companies constantly. A QR code on a letter appearing to be from your lender could be used to initiate wire transfer fraud.

The pattern in all of these: a sector where (a) physical mail is the established communication norm, (b) real urgency sometimes exists, and (c) a data breach has already put home addresses in the public domain. That describes most of modern life.

Scammers proved the model on crypto users because the payout justified the investment. The next phase is scaling it down in value and up in volume. If you pay taxes, have a bank account, or receive mail (and that’s basically everyone) you’re in the next wave of targets.

The Actual Solution: How to Protect Yourself From Mail Phishing

This section is more involved than “don’t scan QR codes from strangers,” though that’s the right instinct. Here’s a practical protocol.

© 2026 Secrets of Privacy