UPS QR Code Scam: How to Spot It and What to Do

UPS does not send QR codes asking for payment

This is the most important thing to know: UPS does not send unsolicited texts or emails containing QR codes that demand a payment to release or redeliver a package. UPS does send legitimate delivery status notifications through UPS My Choice — but only if you enrolled and opted in, and those messages link directly to ups.com. They never include a QR code and they never ask you to pay a customs or redelivery fee by scanning something.

If you received an unsolicited message containing a QR code and claiming to be from UPS, it is a scam. The sender is not UPS. They are trying to steal your credit card number.

How the UPS QR code scam works

This scam is a form of smishing — phishing by SMS — and it mirrors the tactics used to impersonate USPS, FedEx, and other carriers. UPS branding is used because nearly everyone expects packages, and the anxiety of a missed or held delivery is immediate and believable.

A message arrives — by text or email — saying something like: "UPS Alert: Your shipment is on hold due to an unpaid customs fee. A payment of $3.49 is required before your package can be delivered. Scan the QR code below to confirm your delivery address and release your parcel. This hold expires in 24 hours."

The small fee — typically $1.99 to $4.99 — is deliberate. It feels too trivial to question. But the payment page the QR code opens is not UPS. It is a convincing lookalike site built to harvest your full card number, expiration date, CVV, billing address, and often your name and email. That data is sold or used for larger fraudulent charges.

Scammers use QR codes rather than plain links because QR codes bypass the URL-preview feature in most SMS and email apps. Tapping a link shows you the destination first. Scanning a QR code takes you directly to the page — making it harder to spot a suspicious domain before you are already looking at a convincing fake site. This tactic is what security researchers call quishing.

A less common variant uses physical mail: an envelope or door tag designed to look like an official UPS missed-delivery notice, with a QR code printed on it that leads to a fake UPS tracking or payment page. The brown and gold UPS color scheme and logo are easy to replicate convincingly in print.

How to tell a fake UPS message from a real one

• You did not sign up for UPS My Choice notifications. If you have no UPS My Choice account or did not opt in to alerts for a specific shipment, UPS has no reason to contact you. An unsolicited message is a red flag.
• The message contains a QR code. Real UPS delivery alerts include a tracking number and a direct link to ups.com — never a QR code.
• A fee is required to release or redeliver the package. UPS does not collect redelivery fees from recipients via text or email. Legitimate customs charges on international shipments are handled differently and are never collected through an SMS QR code.
• Urgency and a tight deadline. Real UPS notifications do not threaten to return your package within 24 hours if you don't scan something immediately.
• The QR code opens a page that is not ups.com. Legitimate UPS web pages always use the ups.com domain. If the URL after scanning contains anything other than ups.com — extra words, hyphens, unfamiliar suffixes — close the page immediately.

When in doubt, go directly to ups.com yourself and enter your tracking number there. Do not use any link or QR code from a message you did not request.

What to do if you already scanned and paid

If you only scanned and looked at the page without entering any information, your risk is low. Close the browser tab and block the sender.

If you entered payment or personal information, act immediately:

1. Call your bank or card issuer right now. Report the transaction as fraud. Ask them to reverse the charge, flag the card for monitoring, and issue a new card number. The sooner you call, the more options you have.
2. Forward the text to 7726 (SPAM). This reports the sending number to your carrier so it can be blocked for other users.
3. Report to UPS directly. Forward suspicious emails to fraud@ups.com. You can also report phishing attempts through the UPS fraud prevention page at ups.com.
4. File a complaint with the FTC at reportfraud.ftc.gov. Include the phone number or email the message came from, what it said, and what information you entered.
5. Report to the FBI's IC3 at ic3.gov if money was lost.
6. Monitor your credit. If you entered your name, address, email, or phone number in addition to payment details, place a fraud alert with Equifax, Experian, and TransUnion. Your information may be used in future phishing attempts.

This scam uses the same mechanics as the USPS QR code scam and the FedEx QR code scam: a trusted delivery brand, a small urgent demand, a QR code, and a convincing fake payment page.

Frequently asked questions