Is the QR Code at the Post Office Safe to Scan? Here's the Quick Answer
Short answer: yes — official USPS QR codes at in-person kiosks and on printed receipts are safe. USPS legitimately uses QR codes in several specific, well-defined places, and those codes always resolve to usps.com. The scam risk is a physical sticker placed over a kiosk code by a bad actor, or a fake USPS text or email that contains a QR code demanding urgent payment. Here's how to tell the difference in one second.
Where USPS legitimately uses QR codes
USPS uses QR codes in a handful of specific, official contexts:
- Click-N-Ship shipping labels. When you pay for postage online at usps.com, your printed shipping label contains a barcode and often a QR code that the postal clerk or automated system scans — not you. You never need to scan your own outgoing shipping label with your phone camera.
- Self-service kiosk screens. The Automated Postal Center (APC) kiosks in post office lobbies display QR codes at certain steps — for example, to confirm a transaction or look up a rate on the companion usps.com page. These codes resolve to usps.com and are safe.
- Printed receipts and package tracking. Paper receipts from the counter or a kiosk may include a QR code linking to your shipment's tracking page on usps.com. These are low-risk — they're printed by USPS equipment and should always resolve to usps.com.
- USPS Informed Delivery confirmation codes. Some Informed Delivery enrollment flows include QR codes on physical mailers sent to your home to verify your address. These are rare and always come from official USPS mail — not texts. The destination is always informeddelivery.usps.com.
If the QR code fits one of those patterns and the URL preview shows usps.com or a usps.com subdomain — no hyphens, no extra words — you are safe to proceed.
The two real scam risks at the post office
1. Sticker swaps on self-service kiosks
Unattended APC kiosks in post office lobbies — often accessible 24 hours a day — are an attractive target for scammers because staff rarely inspect them. A bad actor can press a pre-printed QR sticker over the legitimate kiosk code in seconds. When the next customer scans it, they land on a phishing page designed to look like a USPS payment or login screen.
This is the same attack used at gas station pumps, EV chargers, and parking meters — any unattended payment terminal with a QR code can be tampered with. The check is the same: inspect for raised sticker edges and verify the URL before tapping.
2. Fake USPS texts and emails with QR codes
USPS is the most impersonated delivery brand in the United States. Scammers send smishing texts and phishing emails claiming your package is held, a delivery failed, or a small redelivery fee is owed — and include a QR code to pay or verify your address. These messages are not from USPS.
The critical rule: USPS never sends a text or email with a QR code asking you to scan with your phone camera to pay a fee or verify your account. Real USPS delivery updates contain a plain tracking number and a link to usps.com — you type the tracking number at usps.com yourself. If a message asks you to scan a QR, it is a scam. You can read more about these attacks on our USPS QR code scam page.
How to check any post office QR code in one second
- Inspect the physical code. Look for a raised border or misaligned corners — signs that a sticker has been applied over the original. Run a fingernail across the code; if you feel a ridge, don't scan and notify post office staff.
- Check the URL preview. After scanning, your phone shows the destination URL before opening it. The domain must be usps.com itself or a subdomain that ends in .usps.com, for example usps.com/tracking or informeddelivery.usps.com. No hyphens, no extra words before or after usps.com. Anything else is a red flag.
- Use QRsafer before tapping. QRsafer decodes the QR, unwinds any redirect chain, and checks the final destination against threat intelligence — all before your browser loads the page. You get a safety verdict in under a second.
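The URL check from the list above, written out as an added example (this is not QRsafer's or USPS's code). The function name, the https-only requirement and the sample payloads are assumptions made for illustration.

```python
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "usps.com"  # the only registrable domain this page treats as genuine

def check_qr_destination(payload):
    """Return (ok, reason) for the text decoded from a QR code."""
    url = payload.strip()
    # Backslashes, whitespace and control characters are parsed differently
    # by different clients, so treat them as malformed rather than guessing.
    if "\\" in url or any(c.isspace() or ord(c) < 0x20 for c in url):
        return False, "malformed URL"
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":  # assumption: plain http is not accepted
        return False, "not an https link"
    if parts.username is not None or parts.password is not None:
        return False, "text before '@' disguises the real host"
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return False, "internationalized hostname can imitate usps.com"
    # Match on a label boundary: "notusps.com" and "usps.com.x.example" must fail.
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return True, "host is usps.com or a usps.com subdomain"
    return False, "host %r is not under usps.com" % host

# Constructed sample payloads (not taken from real codes or campaigns).
SAMPLES = [
    "https://www.usps.com/tracking",
    "https://informeddelivery.usps.com/",
    "https://usps-redelivery.example/pay",
    "https://usps.com.parcel-fee.example/",
    "https://usps.com@parcel-fee.example/",
    "https://notusps.com/",
]

def review(samples=SAMPLES):
    """Map each payload to its (ok, reason) verdict."""
    return {s: check_qr_destination(s) for s in samples}

if __name__ == "__main__":
    for url, (ok, reason) in review().items():
        print("SAFE " if ok else "BLOCK", url, "->", reason)
```

The function judges only the URL encoded in the QR code. It does not follow redirects, so a short link has to be resolved to its final destination before this check means anything.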
What if you already scanned and something felt off?
- Close the page immediately — do not enter any information and do not tap any buttons on the suspicious page.
- If you entered payment details: call your bank or card issuer right away to report potential fraud and request a card replacement. Credit card disputes are protected under the Fair Credit Billing Act.
- If you entered personal information: consider placing a free fraud alert with the three major credit bureaus — Equifax, Experian, and TransUnion — to prevent new accounts being opened in your name.
- Tell the post office staff or the on-duty clerk about the suspicious code so they can inspect the kiosk and remove a tampered sticker before other customers are affected.
- Report the scam to the FTC at reportfraud.ftc.gov and to the US Postal Inspection Service at postalinspectors.uspis.gov — the Inspection Service has jurisdiction over mail and package fraud.
Frequently asked questions
Is it safe to scan a QR code at a USPS self-service kiosk?
QR codes displayed on official USPS self-service kiosk screens are generally safe. The risk is a sticker placed over the real code by someone other than USPS. Before scanning, look for a raised edge or misaligned corners — signs that a sticker has been applied on top. If the destination URL in your phone's preview does not point to usps.com or a usps.com subdomain, do not proceed.
Does USPS send QR codes in texts or emails?
USPS Informed Delivery sends email digests with package previews, but those emails contain images and links — not QR codes requiring you to scan with your camera. Any text message containing a QR code that claims to be from USPS is almost certainly a smishing scam. Real USPS delivery notifications direct you to usps.com; they never embed QR codes demanding immediate payment or account verification via a phone scan.
What should I do if I scanned a post office QR code and it took me somewhere unexpected?
Close the browser immediately without entering any information. If you already entered payment details, call your bank to report potential fraud and request a new card. If you entered personal information such as your name and address, place a fraud alert with Equifax, Experian, or TransUnion. Report the incident to the FTC at reportfraud.ftc.gov and to USPS at postalinspectors.uspis.gov so the tampered code can be investigated.
Check before you scan — every time
QRsafer previews any QR code destination and flags unsafe links before you ever open them. Free on iOS and Android.
