Brits given warning about 'surprise delivery' scam

With Black Friday days away and millions of parcels about to flood doorsteps across the UK, consumers are being urged to stay alert as cybercriminals roll out a dangerous new wave of scams designed to harvest financial details in seconds.

Security specialists say criminals are exploiting the seasonal surge in home deliveries by combining two existing fraud techniques: quishing, a phishing attack delivered through QR codes, and brushing, where unsolicited parcels are sent to households. The result is a far more aggressive tactic that experts believe will intensify during the Christmas shopping season.

According to recent reports, there's been a steep rise in quishing attempts in recent months, with attackers hiding fake websites and payment portals behind QR codes.

Now those codes are appearing inside and on unsolicited parcels. Tech expert Theodore Ullrich, from Tomorrow Lab, said the fraud is accelerating precisely because consumers are juggling so many deliveries at once.

He warned that the momentary trust sparked by a correctly addressed parcel is exactly what scammers depend on.

"The first thing people need to understand is that an unsolicited parcel is not just an inconvenience. It can be the opening to a much more serious breach," he said.

Ullrich added that when people assume a mystery parcel is a gift or an error, that brief lapse in suspicion can lead to a devastating mistake: scanning a QR code that silently opens the door to a phishing attack.

Once scanned, victims are redirected to webpages designed to mirror genuine delivery or returns portals.

According to Ullrich, these fraudulent pages can lift personal and banking information "in seconds," sometimes fast enough that money begins leaving an account before the victim realises the site is fake.

He said the method is an evolution of traditional brushing scams. Instead of simply sending parcels to generate fake reviews, scammers are now using parcels as a lure, embedding QR codes that lead directly into phishing systems.

"It is not about reviews anymore. It is about data and ultimately money," he explained.

Ullrich notes that scammers are becoming bolder because names and addresses have become easy to obtain through old data breaches, scraped social media, or public directories.

With those pieces of information, criminals can design parcels convincing enough that most people never question them. Some fake websites, he adds, replicate legitimate branding down to the pixel.

"Scammers use big retail events as cover. When your inbox is filled with shipping updates and your hallway is filled with cardboard, you stop questioning things," he said.

He urged the public not to interact with unexpected parcels at all, particularly ones with QR codes attached to them.

"If a package arrives unexpectedly the first step is to contact the company through official channels. Do not use any phone numbers printed on the outside of the box because those are often controlled by the scammers themselves," he said.