QR Code Scams at the Post Office: USPS Kiosk and Delivery Fraud Explained

USPS is the most impersonated delivery brand in the United States — which means the QR codes in its name are everywhere, and many of them are fake. Here's what to watch for at the kiosk, in your mailbox, and on your door.

2026-04-30 · QRsafer Team

You drop a package off at the post office and notice a QR code on the self-service kiosk: "Scan to pay." A few days later, a text arrives: "Your USPS package is held — a $3.90 redelivery fee is required. Scan below to release it." And on another day, a pink slip on your door: "We missed you. Scan the code to schedule redelivery."

Each of these is a real attack vector. USPS is the most impersonated delivery brand in the United States — according to the FTC and the Anti-Phishing Working Group, USPS-branded phishing consistently ranks at or near the top of delivery-related scam volume. The combination of high public trust, routine low-stakes interactions, and small transaction amounts (which discourage victims from disputing a $3 charge) makes it a natural target.

Here are the three variants to know.

Variant 1: Sticker QR codes on USPS lobby kiosks

Post office lobbies are full of QR codes: self-service kiosk payment screens, mailbox rental signs, passport application instructions, and shipping supply dispensers. Most are legitimate. Some are not.

Attackers place printed sticker QR codes over legitimate codes on kiosk screens or nearby signage. When you scan to pay for postage or access a shipping label, the sticker redirects your browser to a phishing payment page that convincingly mimics USPS's payment portal — right down to the USPS logo, the blue color scheme, and a field for your credit or debit card number.

The tell is the URL. Real USPS payment pages live on usps.com or a direct subdomain of usps.com — nothing else. A fake page will use a domain like usps-pay.com, myusps-parcel.net, or any variant with hyphens, extra words, or a different top-level domain. Check the address bar before entering anything.
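
The address-bar check above, written out as a function (an added example, not code from USPS or QRsafer). It parses the URL decoded from a QR code and accepts it only when the host is usps.com or ends in .usps.com; the HTTPS requirement and every sample URL are assumptions constructed for illustration.

```javascript
// Added example, not QRsafer's or USPS's code. ALLOWED_DOMAIN is from the article;
// every URL in SAMPLES is constructed for illustration.
const ALLOWED_DOMAIN = "usps.com";

function classifyQrUrl(raw) {
  let url;
  try {
    url = new URL(String(raw)); // same WHATWG parsing rules browsers apply
  } catch {
    return { ok: false, host: null, reason: "not an absolute URL" };
  }
  // hostname comes back lower-cased and punycoded, so look-alike Unicode
  // letters turn into an xn-- label that cannot match. Drop a trailing root dot.
  const host = url.hostname.replace(/\.$/, "");
  if (url.protocol !== "https:") { // assumption: payment pages must be HTTPS
    return { ok: false, host, reason: "scheme is not https" };
  }
  if (url.username || url.password) {
    // In https://usps.com@other.example/ the brand is userinfo, not the host.
    return { ok: false, host, reason: "text before @ is not the host" };
  }
  // Compare on a label boundary: the domain itself or a name ending in ".usps.com".
  const onDomain = host === ALLOWED_DOMAIN || host.endsWith("." + ALLOWED_DOMAIN);
  return { ok: onDomain, host, reason: onDomain ? "on usps.com" : "host is not on usps.com" };
}

const SAMPLES = [
  "https://www.usps.com/pay",             // subdomain of usps.com
  "HTTPS://USPS.COM./",                   // case and trailing dot normalise away
  "https://usps-pay.com/fee",             // hyphenated look-alike from the article
  "https://myusps-parcel.net/",           // different top-level domain
  "https://redelivery-usps.com/",         // passes a naive endsWith("usps.com")
  "https://usps.com.parcel-fee.example/", // brand used as a subdomain label
  "https://usps.com@parcel-fee.example/", // brand placed in userinfo
  "http://www.usps.com/",                 // right host, wrong scheme
];

function checkSamples() {
  return SAMPLES.map((u) => ({ url: u, ...classifyQrUrl(u) }));
}

for (const r of checkSamples()) {
  console.log(r.ok ? "OK   " : "BLOCK", r.url, "->", r.host, `(${r.reason})`);
}
```

Only the first two samples pass; the rest fail on the host or the scheme even though each contains the string "usps".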

If a kiosk QR code sticker looks like it was placed over an existing element — slightly raised, misaligned, or glossy compared to the surrounding machine surface — tell a postal worker rather than scanning.

Variant 2: Smishing texts and mailers with redelivery fee QR codes

This is the highest-volume USPS scam variant, and one the FBI has issued repeated public warnings about.

You receive a text — often including your city name for added legitimacy — claiming that a USPS package is being held and requires a small redelivery or customs fee to release. The message includes a QR code. The page it leads to looks exactly like USPS's payment interface: a tracking number, a package description, a $3 to $5 fee, and a card entry form.

The same attack arrives by physical mail. A postcard or letter with USPS branding includes a QR code and a message about an unclaimed package or a change-of-address verification requiring confirmation.

USPS's own guidance states clearly that it does not proactively send text messages requesting payment to release a package. Redelivery and package holds are managed through USPS Informed Delivery or by visiting usps.com directly. Any text or mailer with a QR code and a payment demand is almost certainly fraudulent, regardless of how official it looks.

Variant 3: Fake "missed delivery" door tags

The third variant appears on your door rather than in your mailbox or on your phone.

Legitimate USPS missed-delivery notices (PS Form 3849) contain a barcode and a handwritten or printed tracking number. Attackers have begun producing counterfeit door tags with a QR code in place of the barcode, linking to a phishing page that asks for your address, contact details, and sometimes a small "redelivery scheduling fee" or login to a fake USPS portal.

The fake notices look convincingly printed. The tell is that real USPS PS Form 3849 slips do not contain QR codes intended for scanning by the recipient — the barcode is for postal workers' internal equipment, not for customers. If a door tag has a QR code inviting you to scan and enter information, verify the notice by searching your tracking number at usps.com directly, without following the code.

What to do if you entered card details on a fake USPS page

  1. Call your bank immediately — report the card as potentially compromised and request a replacement.
  2. Dispute any pending transactions from the fraudulent page.
  3. File a report with the FTC at reportfraud.ftc.gov.
  4. Report to USPS Postal Inspection Service at postalinspectors.uspis.gov — this is USPS's own federal law enforcement arm and it actively investigates smishing campaigns.
  5. If you also entered personal details, place a free credit freeze with Equifax, Experian, and TransUnion as a precaution against identity theft.

What to remember around USPS QR codes

  • Real USPS pages are always on usps.com: the site name in the address bar is either usps.com itself or ends in .usps.com, with no hyphens, no extra words, and no different domains. This is the single most reliable check.
  • USPS does not initiate contact via text message requesting payment or a QR scan.
  • Missed-delivery door tags do not include scannable QR codes meant for customers.
  • USPS phishing pages are often nearly pixel-perfect reproductions of the real site — the URL is the only reliable tell.
  • The same redelivery-fee attack is used for FedEx, UPS, and DHL. See our guide on package tracking QR code scams for the delivery-brand-agnostic version, and Amazon package QR code scams for the variant that targets Amazon shoppers specifically.

Download QRsafer for iOS or Android and scan any USPS QR code before your browser opens it — whether it's on a kiosk, a door tag, or a link from a text message.

FAQ

Can a QR code at a USPS self-service kiosk be fake?

Yes. Attackers place sticker QR codes over legitimate codes on USPS lobby kiosks. When you scan to pay for postage or access a shipping label, the sticker redirects you to a phishing payment page that looks like a USPS portal — but your card details go to the attacker. The best defense: check that the site name in your browser's address bar is usps.com or ends in .usps.com before entering any payment information. If a kiosk QR code sticker looks different from the rest of the machine — slightly raised, misaligned, or easy to peel — notify a postal worker rather than scanning it.

Did USPS really send me a text with a QR code about my package?

Almost certainly not. USPS does not proactively send text messages about package holds, redelivery fees, or customs charges. Texts saying 'your package is held — scan to pay a $3.90 fee' are smishing — SMS-based phishing — and the QR code leads to a lookalike USPS payment page designed to steal your card details. If you have a genuine package issue, check your status directly at usps.com by typing the URL into your browser yourself, never by following a link or scanning a QR code from a text.

What should I do if I entered my card details on a fake USPS page?

Call your bank immediately and report the card as compromised. Request that the card be canceled and a replacement issued, and ask your bank to watch for and reverse any pending transactions initiated by the fraudulent page. File a report with the FTC at reportfraud.ftc.gov and with the USPS Postal Inspection Service at postalinspectors.uspis.gov. If you also entered personal information like your name and address, consider placing a free credit freeze with Equifax, Experian, and TransUnion as a precaution.

Does QRsafer help against USPS QR code scams?

Yes. Whether the QR code is on a lobby kiosk, a door tag, a text message, or a physical mailer, scan it with QRsafer before your browser opens it. QRsafer checks the destination URL against threat intelligence databases and flags links to known USPS phishing pages as Risky or Dangerous before you have a chance to enter any payment or personal information. Given that USPS phishing pages often look nearly identical to the real thing, an automated destination check is the fastest way to distinguish them.