Brits given warning about ‘surprise delivery’ scam

With Black Friday behind us and millions of parcels about to land on doorsteps across the UK, consumers are being advised to remain vigilant as cybercriminals launch a dangerous new wave of scams designed to harvest financial details in seconds.
Security experts say criminals are taking advantage of the seasonal surge in home deliveries by combining two existing fraud techniques: quishing, a phishing attack delivered via QR codes, and brushing, in which unsolicited packages are sent to households. The result is a much more aggressive tactic that experts believe will intensify during the Christmas shopping season.
According to recent reports, there has been a huge increase in quishing attempts in recent months, with attackers hiding fake websites and payment portals behind QR codes.
Now these codes appear in and on unwanted packages. Technologist Theodore Ullrich of Tomorrow Lab said fraud is accelerating precisely because consumers are juggling multiple deliveries at once.
He warned that the instantaneous trust triggered by a package sent to the correct address is exactly what fraudsters are counting on.
“The first thing people need to understand is that an unwanted package is not just an inconvenience, it can lead to a much more serious breach,” he said.
Ullrich added that when people assume a mysterious package is a gift or a mistake, that brief lapse in doubt can lead to a devastating mistake: scanning a QR code, which silently opens the door to a phishing attack.
Once the code is scanned, victims are directed to web pages designed to mimic real delivery or return portals.
According to Ullrich, these fake pages can extract personal and banking information “in seconds,” sometimes so fast that money begins leaving the account before the victim realizes the site is fake.
He said the method is an evolution of traditional brushing scams. Instead of simply sending packages to create fake reviews, scammers are now using packages as bait and placing QR codes that lead directly to phishing systems.
“It’s no longer about reviews. It’s about data and ultimately money,” he explained.
Ullrich notes that fraudsters have become bolder because names and addresses have become easier to obtain through old data breaches, scraped social media or public directories.
With this information, criminals can design packages that are so convincing that most people will never question them. He adds that some fake websites copy legitimate branding down to the pixel.
“Scammers use major retail events as cover. When your inbox is filled with shipping updates and your aisle is filled with cardboard, you stop questioning things,” he said.
He urged the public not to interact with unexpected packages in any way, especially those with QR codes attached.
“If a package arrives unexpectedly, the first step is to contact the company through official channels. Do not use the phone numbers printed on the outside of the box as these are often controlled by scammers,” he said.




