Brits warned ‘don’t do it’ when online shopping packages arrive


Christmas is just one month away, and if you’ve not already started your shopping, then this week is the perfect time. November 28 marks Black Friday 2025, one of the biggest shopping events of the year, when most retailers drop their prices in time for Christmas.

In just a few clicks, you could have all of your shopping done, ready to be delivered to your home in time for the big day. However, a warning has been issued to all shoppers expecting packages this festive season. A little-known scam could end up being very dangerous, and the warning signs are very easy to miss.

Over the past few months, there has been a reported sharp rise in ‘quishing’, where criminals hide phishing attacks inside QR codes. Now, experts say the method is becoming far more aggressive in the run-up to Black Friday.

Tech expert Theodore Ullrich from Tomorrow Lab says he is seeing the scam ramp up because people are expecting deliveries. He says that when shoppers are tracking multiple orders at once, they’re far more willing to trust a parcel that arrives unexpectedly. According to him, that ‘brief moment of trust’ is exactly what scammers rely on, and it is the most dangerous moment of the entire attack.

He said: “The first thing people need to understand is that an unsolicited parcel is not just an inconvenience. It can be the opening to a much more serious breach. When a box arrives at your door with your name correctly printed on it, it feels legitimate. 

“People assume it must be a gift or a mistake. That assumption is powerful and criminals know it. They are using that moment of curiosity to push victims into scanning QR codes that lead directly to phishing pages.”

He explained that the wrong move is incredibly easy to make. “When someone sees a QR code on packaging they tend to think it belongs to the delivery company and must have something to do with tracking or returns. Scanning it feels routine. 

“But the moment you scan it, you are effectively stepping into a website built entirely to strip personal and banking information from you. It can happen in seconds. I have seen cases where the victim had money leaving their account before they even realised the page was fake.”

The expert says the method is a modern twist on ‘brushing’ scams that have been circulating for several years but have now become more calculated.

He said: “Traditional brushing involved sending unsolicited parcels so fraudsters could write fake reviews on retail platforms. It was dishonest, but nowhere near as dangerous. 

“What we are seeing now is a second layer added to that scam. Attackers are placing QR codes in or on the parcels and those codes connect victims to phishing infrastructure. It is not about reviews anymore. It is about data and ultimately money.”

The expert has urged people to take the arrival of an unusual parcel seriously even if they are convinced the scammers do not have their financial details yet.

He said: “If a scammer knows your name and address, consider it a sign that your information has been circulating somewhere it should not be. Change the passwords on your shopping accounts, your bank logins and your email. 

“Turn on two-factor authentication. Keep an eye on your statements for the next few weeks. The first transaction criminals make is often a small one to test the card. The next one is the one that drains it.

“Treat every QR code with suspicion unless you know exactly where it came from. Scanning a code in a parcel that you never ordered is never a good idea. Even if the page looks familiar, even if it uses the correct branding, even if it tells you it is simply verifying your address, close it. It only takes a single scan for the entire attack to unfold.”


