Cybercriminals are exploiting the confusion of millions of parcels moving through the postal system in the run up to Black Friday by slipping dangerous scams straight through people’s front doors
Black Friday is mere days away, and whilst bargain hunters throughout the UK are monitoring falling prices, fraudsters are keeping watch on something completely different.
With millions of packages set to travel through the postal network in the coming weeks, cybercriminals are capitalising on the chaos by delivering dangerous scams directly to people’s doorsteps.
During recent months, several UK publications have documented a steep increase in so-called quishing, where criminals conceal phishing attacks within QR codes.
Experts now warn the technique is being combined with a resurrected brushing scam and is growing increasingly aggressive ahead of Black Friday.
Technology specialist Theodore Ullrich from Tomorrow Lab reports witnessing the scam intensify precisely because consumers are anticipating deliveries.
READ MORE: Shocking little-known symptoms that could mean you have testicular cancer and few men checkREAD MORE: ‘I’m a beauty editor – these are the best make-up and skincare brands for teenagers’
He clarifies that when buyers are monitoring numerous orders simultaneously, they become far more inclined to trust an unexpectedly arriving package.
According to him, that fleeting moment of confidence is precisely what fraudsters depend upon and represents the most perilous instant of the entire assault.
“The first thing people need to understand is that an unsolicited parcel is not just an inconvenience. It can be the opening to a much more serious breach. When a box arrives at your door with your name correctly printed on it, it feels legitimate.
“People assume it must be a gift or a mistake. That assumption is powerful and criminals know it. They are using that moment of curiosity to push victims into scanning QR codes that lead directly to phishing pages,” warned Theodore.
He elaborated on how easy it is for individuals to fall prey to this scam. “When someone sees a QR code on packaging they tend to think it belongs to the delivery company and must have something to do with tracking or returns. Scanning it feels routine.
“But the moment you scan it, you are effectively stepping into a website built entirely to strip personal and banking information from you. It can happen in seconds. I have seen cases where the victim had money leaving their account before they even realised the page was fake.”
The expert highlighted that this method is a modern twist on brushing scams that have been circulating for several years but have now become more calculated. “Traditional brushing involved sending unsolicited parcels so fraudsters could write fake reviews on retail platforms. It was dishonest, but nowhere near as dangerous.
“What we are seeing now is a second layer added to that scam. Attackers are placing QR codes in or on the parcels and those codes connect victims to phishing infrastructure. It is not about reviews anymore. It is about data and ultimately money.”
Ullrich cautions that criminals are growing increasingly brazen as vast amounts of personal information are readily accessible online. “Names and addresses are extremely easy for scammers to get hold of. They can come from previous data breaches, scraped social media posts or public directories.
“Once they have those two pieces of information they can make a parcel look entirely authentic. People underestimate how convincing these scams can be. Some of the fake websites copy every pixel of the genuine page and the victim doesn’t notice the difference until the damage is done.”
Fresh news reports back up his worries. This spring The Guardian spotlighted motorists who had scanned bogus QR codes stuck on parking machines and were diverted to fraudulent payment sites.
Ullrich reveals the identical tactic has been cropping up inside packages and cautions it will intensify during Black Friday week.
“Scammers use big retail events as cover. When your inbox is filled with shipping updates and your hallway is filled with cardboard, you stop questioning things. That is when people fall victim. I am genuinely concerned that we will see a spike in these incidents because the timing is ideal for criminals,” the expert cautioned.
He emphasises that simply disregarding the parcel isn’t sufficient. “If a package arrives unexpectedly the first step is to contact the company through official channels.
“Do not use any phone numbers printed on the outside of the box because those are often controlled by the scammers themselves. Go to the company’s verified website and speak to them directly. They will be able to tell you immediately whether the parcel came from them.”
The expert urges people to take the arrival of an unusual parcel seriously even if they are convinced the scammers do not have their financial details yet.
“If a scammer knows your name and address, consider it a sign that your information has been circulating somewhere it should not be. Change the passwords on your shopping accounts, your bank logins and your email.
“Turn on two factor authentication. Keep an eye on your statements for the next few weeks. The first transaction criminals make is often a small one to test the card. The next one is the one that drains it.
“Treat every QR code with suspicion unless you know exactly where it came from. Scanning a code in a parcel that you never ordered is never a good idea. Even if the page looks familiar, even if it uses the correct branding, even if it tells you it is simply verifying your address, close it. It only takes a single scan for the entire attack to unfold.”
Ullrich reckons the strongest defence is staying alert and keeping your head rather than panicking.
He says, “Scammers are relying on the rush of Black Friday. They want you to act quickly and without thinking. The way to beat them is to slow down. If you did not order it, do not trust it.
“If you see a QR code, do not scan it. And if anything feels even slightly unusual, assume something is wrong. It is far better to be overly cautious than to discover too late that you have handed over your entire identity.”
READ MORE: Brit yoga teacher arrested in midst of teaching £10 tantric sex class in Thailand
