USPS QR Code Scam: How to Spot It and What to Do

USPS does not send QR codes in text messages

This is the most important thing to know: the United States Postal Service does not send unsolicited texts containing QR codes. USPS does offer legitimate text tracking notifications through its Informed Delivery service — but only if you opted in, and those messages contain plain tracking numbers and link directly to usps.com. They never include a QR code and they never ask you to pay a fee.

If you received a text you did not request that contains a QR code and claims to be from USPS, it is a scam. The sender is not the postal service. They are trying to get your credit card number.

How the USPS QR code scam works

This scam is a form of smishing — phishing by SMS — and it is one of the most commonly reported fraud variants in the United States. USPS branding is used because almost everyone receives packages, and the fear of a missed or held delivery is immediate and believable.

A text message arrives on your phone. It says something like: "USPS: Your package could not be delivered due to an incomplete address. A $2.99 redelivery fee is required. Scan the QR code below to update your information and release your package. Failure to act within 24 hours will result in the package being returned."

The small dollar amount — typically $1.99 to $3.99 — is deliberate. It feels trivial enough that most people pay without thinking. But the fake payment page the QR code opens is not collecting a redelivery fee. It is harvesting your full card number, expiration date, CVV, billing address, and sometimes your email and phone number. That data is then sold or used for larger fraudulent charges.

Scammers use QR codes rather than plain links because QR codes bypass the URL-preview feature in most SMS apps. When you tap a link in a text, your phone shows you the destination before you commit. When you scan a QR code, you land on the page immediately — making it harder to spot a suspicious domain before you are already there. This tactic is at the core of what security researchers call quishing.

A separate variant arrives by physical mail: a letter designed to look like an official USPS notice, complete with a barcode and a QR code for "tracking updates" or "address confirmation." The QR code links to a lookalike USPS login page that steals your Informed Delivery credentials or payment details.

How to tell a fake USPS message from a real one

• You did not opt in to tracking updates. If you did not sign up for Informed Delivery or request USPS tracking texts for a specific package, USPS has no reason to text you. An unsolicited text is a red flag.
• The message contains a QR code. Real USPS tracking texts include a tracking number and a usps.com link — never a QR code.
• There is a fee to release a package. USPS does not charge recipients to redeliver or release packages. Customs fees on international parcels are billed differently and are not collected via text-based QR codes.
• Urgency and a deadline. Legitimate delivery notifications do not threaten to return your package within 24 hours if you don't scan something immediately.
• The QR code opens a page that is not usps.com. Real USPS web pages always use the domain usps.com — no hyphens, no extra words, no alternative domains. If the URL after scanning contains anything other than usps.com, close the page immediately.

When in doubt, go directly to usps.com yourself and enter your tracking number there. Do not use any link or QR code from the message.

What to do if you already scanned and paid

If you only scanned and looked at the page without entering any information, your risk is low. Close the browser tab and block the sender.

If you entered payment or personal information, act immediately:

1. Call your bank or card issuer right now. Report the transaction as fraud. Ask them to reverse the charge, flag the card for monitoring, and issue a new card number. Speed matters — the sooner you call, the more options you have.
2. Forward the text to 7726 (SPAM). This reports the sending number to your carrier so it can be blocked for other customers.
3. File a complaint with the FTC at reportfraud.ftc.gov. Include the phone number the text came from, what the message said, and what information you entered.
4. Report to the USPS Postal Inspection Service at postalinspectors.uspis.gov or by calling 1-877-876-2455. They investigate USPS impersonation fraud and want to hear about these cases.
5. Report to the FBI's IC3 at ic3.gov if money was lost.
6. Monitor your credit. If you entered your name, address, email, or phone number in addition to payment details, consider placing a fraud alert with Equifax, Experian, and TransUnion. Your information may be used in future phishing attempts or sold.

This scam uses the same mechanics as the toll road QR code scam and the IRS QR code scam: a trusted institution, a small urgent demand, a QR code, and a convincing fake payment page.

Frequently asked questions