FedEx QR Code Scam: How to Spot It and What to Do
A text or email arrives saying your FedEx package is held and a small fee is due — scan the QR code to pay and get it released. It looks official. It is not. FedEx is one of the most impersonated delivery brands in the world, and this smishing scam steals card details from thousands of people every month. Here's exactly how it works and what to do if you already scanned.
FedEx does not send QR codes asking for payment
This is the most important thing to know: FedEx does not send unsolicited texts or emails containing QR codes that demand a payment to release or redeliver a package. FedEx does send legitimate delivery status notifications — but only if you opted in via your FedEx account or a specific shipment, and those messages link directly to fedex.com. They never include a QR code and they never ask you to pay a customs or redelivery fee.
If you received an unsolicited message containing a QR code and claiming to be from FedEx, it is a scam. The sender is not FedEx. They are trying to steal your credit card number.
How the FedEx QR code scam works
This scam is a form of smishing — phishing by SMS — and it mirrors the tactics used to impersonate USPS, UPS, and other carriers. FedEx branding is used because nearly everyone receives packages, and the anxiety of a missed delivery is immediate and believable.
A message arrives — by text or email — saying something like: "FedEx: Your shipment is on hold due to an incomplete address or unpaid customs fee. A $3.49 payment is required before we can deliver. Scan the QR code below to confirm your details and release your package. This hold expires in 24 hours."
The small fee — typically $1.99 to $4.99 — is deliberate. It feels too trivial to question. But the payment page the QR code opens is not FedEx. It is a convincing lookalike site built to harvest your full card number, expiration date, CVV, billing address, and often your name and email. That data is sold or used for larger fraudulent charges.
Scammers use QR codes rather than plain links because QR codes bypass the URL-preview feature in most SMS and email apps. Tapping a link shows you the destination first. Scanning a QR code takes you directly to the page — making it harder to spot a suspicious domain before you are already looking at a convincing fake site. This tactic is what security researchers call quishing.
A less common variant uses physical mail: a letter or door tag designed to look like an official FedEx missed-delivery notice, with a QR code printed on it that leads to a fake FedEx tracking or payment page.
How to tell a fake FedEx message from a real one
- You did not sign up for FedEx tracking notifications. If you have no FedEx account or did not opt in to alerts for a specific shipment, FedEx has no reason to contact you. An unsolicited message is a red flag.
- The message contains a QR code. Real FedEx delivery alerts include a tracking number and a direct link to fedex.com — never a QR code.
- A fee is required to release or redeliver the package. FedEx does not charge recipients an upfront redelivery fee via text or email. Legitimate customs charges on international shipments are handled differently and are never collected through an SMS QR code.
- Urgency and a tight deadline. Real FedEx notifications do not threaten to return your package within 24 hours if you don't scan something immediately.
- The QR code opens a page that is not fedex.com. Legitimate FedEx web pages always use the fedex.com domain. If the URL after scanning contains anything other than fedex.com — extra words, hyphens, unfamiliar suffixes — close the page immediately.
When in doubt, go directly to fedex.com yourself and enter your tracking number there. Do not use any link or QR code from a message you did not request.
What to do if you already scanned and paid
If you only scanned and looked at the page without entering any information, your risk is low. Close the browser tab and block the sender.
If you entered payment or personal information, act immediately:
- Call your bank or card issuer right now. Report the transaction as fraud. Ask them to reverse the charge, flag the card for monitoring, and issue a new card number. The sooner you call, the more options you have.
- Forward the text to 7726 (SPAM). This reports the sending number to your carrier so it can be blocked for other users.
- Report to FedEx directly. Forward suspicious emails to abuse@fedex.com. You can also report phishing attempts through the FedEx website at fedex.com/en-us/trust-center/report-fraud.html.
- File a complaint with the FTC at reportfraud.ftc.gov. Include the phone number or email the message came from, what it said, and what information you entered.
- Report to the FBI's IC3 at ic3.gov if money was lost.
- Monitor your credit. If you entered your name, address, email, or phone number in addition to payment details, place a fraud alert with Equifax, Experian, and TransUnion. Your information may be used in future phishing attempts.
This scam uses the same mechanics as the USPS QR code scam and the package tracking QR code scam: a trusted brand, a small urgent demand, a QR code, and a convincing fake payment page.
Frequently asked questions
Does FedEx ever send QR codes in text messages or emails?
No. FedEx does not send unsolicited texts or emails with QR codes. Legitimate FedEx delivery notifications, sent only when you opt in, contain a tracking number and a fedex.com link — never a QR code and never a payment request. If you received an unsolicited message with a FedEx QR code, it is a scam.
How can I tell if a FedEx delivery message is fake?
Key red flags: the message was unsolicited, it contains a QR code, it demands a fee to release a package, it uses urgent deadline language, and the page the QR code opens is not fedex.com. When in doubt, go to fedex.com directly and enter your tracking number yourself — never through a link or QR code in a message you didn't request.
What should I do if I scanned the QR code and entered my card details?
Call your bank immediately to report fraud and request a reversal and a new card number. Forward the text to 7726 (SPAM). Report to FedEx at abuse@fedex.com and file a complaint with the FTC at reportfraud.ftc.gov. If personal information was also entered, place a fraud alert with the three major credit bureaus — Equifax, Experian, and TransUnion.
Check any QR code before it opens
QRsafer previews where a QR code leads before your browser loads the page — so you can confirm it's safe before you tap through. Free on iOS and Android.