QRsafer LogoQRsafer
QR Code Scams in Amazon Package Inserts: What to Do When a Card Asks You to Scan
← Back to blog

QR Code Scams in Amazon Package Inserts: What to Do When a Card Asks You to Scan

A QR code card tucked inside your Amazon package feels trustworthy — it just arrived in your order. Here's why attackers exploit that feeling, the three ways it plays out, and how to tell a legitimate insert from a scam.

2026-04-22 · QRsafer Team

You tear open the box, pull out your new purchase, and find a small card at the bottom. "Scan to register your warranty and get a free gift." It feels like a normal part of buying something online.

That feeling — the trust that comes with a package you actually ordered — is exactly what Amazon package insert QR code scams are designed to exploit.

The package is real. Your order is real. The card is not.

How the scam gets into your box

Most Amazon sellers are legitimate, but the marketplace is open to millions of third-party sellers, and enforcement is imperfect. Attackers register as sellers, list cheap products, fulfill genuine orders — and include a fraudulent insert card in every shipment. The product arrives, which removes the obvious red flag of "I got nothing," and the card is waiting inside.

There are three main versions of this attack.

Fake review-exchange and warranty sites

The most common insert reads something like: "Scan the QR code for a full refund / a free gift / a chance to win a prize — just leave us a 5-star review first."

The QR code leads to a form that asks for your name, email, Amazon order number, and credit card number "to process the refund." The refund never arrives. Your card details go to the attacker, and your email is sold or used for phishing. In some cases the page also asks you to log in with your Amazon credentials — which hands over your entire account.

This is a credit card scam dressed up as customer service.

What to look for: The URL behind the QR code should match the brand's official domain. A domain you don't recognize — especially one registered recently — is a warning sign. Scan with QRsafer first to preview the destination.

Counterfeit products with "authentication" QR codes

A more sophisticated version targets buyers of electronics, luxury goods, or supplements — categories with active counterfeit markets. The insert reads: "Scan to verify authenticity and activate your warranty."

The page mimics the real brand's design well enough to be convincing. It asks you to create an account, provide personal details, and sometimes pay a small "activation fee" or enter a card for a "free extended warranty."

The product is counterfeit. The authentication page is fake. There is no warranty.

What to look for: Go directly to the brand's official website (type the URL manually or search for it) and find the real warranty registration page. If the real brand has one, use it — not the QR code from the insert.

Fraudulent Amazon-branded shipping emails

A related attack arrives by email rather than in the box itself. After you place an order, you receive a shipping confirmation that looks convincingly like an Amazon message. It includes a QR code labeled "Track your package" or "Confirm your delivery address."

The QR code leads to a fake Amazon login page. Entering your credentials there gives the attacker full access to your account — including saved payment methods and your order history.

Check for package tracking QR code scams for a full breakdown of how these emails work.

Why this works so well

Timing is everything. You just received a package you actually ordered, so your guard is low. The card is physically inside the box — which feels like it passed through Amazon's hands. The ask (register your warranty, get a free gift) is plausible and familiar.

None of that changes what the card is.

How to tell a legitimate insert from a scam

A few quick checks before you scan:

  • Preview the URL first. Use QRsafer or long-press the QR code in your phone's camera app to see where it points before the page loads. A legitimate brand's URL looks like brand.com/warranty — not brand-warranty-activate.com or a random string of characters.
  • Be skeptical of cash or gift-card offers. Real manufacturers don't offer you a refund or a free product in exchange for a review. Amazon's own policies prohibit incentivized reviews. A card promising money for a review is a scam card.
  • Never enter your Amazon login via a third-party page. Amazon will not ask you to log in through a QR code found in a package. If a page asks for your Amazon credentials, close it.
  • Don't enter payment details for a warranty. Legitimate product warranties are free and don't require a credit card to activate.

How QRsafer helps

QRsafer checks the destination URL in any QR code — including package inserts — against threat intelligence feeds before your browser loads the page. You get a Safe, Risky, or Dangerous verdict in seconds. A freshly registered phishing domain shows up in the verdict before you have a chance to type anything.

Same scan motion. Better outcome.

If something already happened, the guide on what to do if you scanned a suspicious QR code walks through every recovery step.

Quick checklist for your next delivery

  • Any insert with a QR code: scan with QRsafer first — preview the URL before the page opens
  • Offers money or gifts for a review: stop, this is a scam signal
  • Asks for your Amazon login: close it, go to amazon.com directly
  • Asks for a credit card to "activate" a warranty: close it, warranties don't cost money
  • Authentication QR on a luxury or electronics item: verify on the brand's official site, not the insert

The box was real. The order was real. The card in the bottom is worth thirty seconds of skepticism before you scan.

See also

Download QRsafer for iOS or Android and bring it to every delivery.

FAQ

Is it safe to scan a QR code that came inside an Amazon package?

Sometimes, but not always. Legitimate manufacturers do include QR codes for product registration, warranty activation, or user manuals. The risk is that some third-party sellers insert cards with QR codes that lead to fake review-exchange sites or phishing pages. Before scanning, check whether the QR code's destination URL clearly matches the brand's official domain. Scan with QRsafer first — it checks the destination before your browser opens it.

Can a package-insert QR code steal my Amazon login?

Yes. The most common version of this scam routes to a page styled to look like Amazon's login screen and asks you to 'verify your order' or 'activate your warranty.' If you enter your Amazon credentials there, they go directly to the attacker. Amazon will never ask you to log in via a QR code included in a package — always go to amazon.com directly.

I scanned a QR code from a package insert and entered my credit card. What now?

Call your bank or card issuer immediately and report unauthorized use. Ask to freeze or replace the card. Change the password for any accounts associated with that card or email address. Then check your Amazon account for unauthorized orders — go to Account & Lists > Your Account > Login & security. Our full recovery guide covers every step.

How do I tell a real manufacturer insert from a scam?

Three checks: (1) The QR destination URL should match the brand's official domain — hover or use QRsafer to preview it before the page loads. (2) Legitimate inserts rarely offer cash, gift cards, or full refunds in exchange for a review; if it does, that's a strong signal it's a review-manipulation scheme. (3) Real warranty or registration pages should not ask for your Amazon login, full credit card number, or Social Security number.