For years, consumers have been trained to distrust emails and text messages; people scan for typos, suspicious sender addresses, and generic greetings before clicking anything.
Caution often disappears when the threat arrives in a physical envelope. A letter delivered to the front door carries with it an assumption of legitimacy. Many believe that if a bank or credit card company truly needed to warn them about fraud or a security issue, it would do so through official mail. I have seen many comments on our Global Scam Watch Facebook page illustrating this dangerous assumption.
The fact is, scammers are exploiting this false assumption. By shifting from digital messages to physical letters, fraud actors are launching a rapidly growing attack known as Postal Quishing, or QR code phishing by mail. This tactic bypasses spam filters entirely and targets victims at a moment when their guard is naturally lower.
How the Scam Works
Much like package scams involving QR codes, victims receive a professionally printed letter appearing to originate from a major bank or financial institution, often the very bank or credit card company they deal with. The document often includes high-quality logos, accurate branding, and dense legal or urgent compliance language designed to look official and authoritative.
The message typically claims that suspicious activity has been detected, that a mandatory security update is required, or that your account access has been temporarily restricted. To resolve the issue quickly, the recipient is instructed to scan a QR code printed prominently on the letter. The letter describes the QR code as a secure or encrypted link to the bank's verification portal.
Once scanned, the QR code directs the victim to a website resembling the real financial institution's login page. Logos, fonts, and layouts are carefully copied to reduce suspicion. When the victim enters their username, password, or even a one-time passcode from an authenticator app, the information is captured and instantly forwarded to the scammers. Scammers then use the stolen credentials in real time to access the legitimate account and move funds before the victim realizes what has happened.
Key Red Flags to Watch For
- Banks never require customers to complete security actions exclusively through a QR code sent by physical mail.
- Most smartphones display a preview of the web address when a QR code is scanned. If the domain name looks unfamiliar, misspelled, or shortened, the letter is fraudulent.
- Urgent threats such as account closure within 24 hours are a classic pressure tactic. The goal is to push victims into acting quickly without verifying the request.
- No legitimate financial institution will ever ask for a full PIN, CVV number, or complete answers to security questions through a link accessed from a mailed QR code.
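The second red flag above, checking the web address the phone previews before opening it, can be turned into a repeatable check. The following is an added example, not code from the original post or from Global Scam Watch; it takes a URL decoded from a mailed QR code and reports the warning signs the post lists (unfamiliar domain, misspelled or lookalike name, URL shortener) plus a few closely related ones (not HTTPS, raw IP address, punycode label, bank name buried in a subdomain of an unrelated site). The bank domain examplebank.com and the shortener list are constructed placeholders; a fraud team would substitute its own institution's real domains.

```python
from urllib.parse import urlsplit

# Constructed placeholder: the institution's genuine domains (assumption, not real data).
KNOWN_BANK_DOMAINS = {"examplebank.com"}

# Constructed list of common link-shortening services; a shortener hides the real destination.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive 'last two labels' view of a host (good enough for .com-style names)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def inspect_qr_url(url: str, known_domains=KNOWN_BANK_DOMAINS) -> list:
    """Return a list of human-readable red flags for a URL decoded from a QR code.

    An empty list means the URL resolves to one of the known bank domains over HTTPS;
    it does not prove the letter is genuine, only that this particular check passed.
    """
    flags = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")

    if parts.scheme != "https":
        flags.append(f"not https (scheme={parts.scheme or 'none'})")
    if not host:
        flags.append("no hostname in URL")
        return flags
    if host.replace(".", "").isdigit():
        flags.append(f"raw IP address instead of a domain: {host}")
        return flags
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append(f"punycode (possible homoglyph) label in host: {host}")

    domain = registrable_domain(host)
    if domain in SHORTENER_DOMAINS:
        flags.append(f"URL shortener hides the real destination: {domain}")
    if domain in known_domains:
        return flags  # exact match with a genuine bank domain

    name = domain.split(".")[0]
    lookalike = False
    for known in known_domains:
        known_name = known.split(".")[0]
        if name == known_name:
            flags.append(f"bank name under a different top-level domain: {domain}")
            lookalike = True
        elif edit_distance(name, known_name) <= 2:
            flags.append(f"lookalike of {known} (typo or swapped character): {domain}")
            lookalike = True
        elif known_name in host:
            flags.append(f"bank name used as a subdomain of an unrelated site: {host}")
            lookalike = True
    if not lookalike:
        flags.append(f"unfamiliar domain: {domain}")
    return flags


if __name__ == "__main__":
    # Constructed sample URLs, the kind a phone preview might show after scanning.
    for sample in (
        "https://examplebank.com/verify",
        "https://examp1ebank.com/login",
        "https://bit.ly/3xyz",
        "https://examplebank.com.secure-verify.net/login",
    ):
        print(sample, "->", inspect_qr_url(sample) or ["no red flags"])
```

The check is deliberately conservative: anything that is not an exact match to a known domain over HTTPS is reported, and the reader decides. It is meant for a bank fraud desk or a scam-watch volunteer triaging letters that people report, not as a replacement for the advice above to avoid scanning the code at all and to reach the bank by typing its address yourself.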
How to Protect Yourself
- The safest response is simple. Do not scan the QR code. Treat any unsolicited financial letter containing a QR code as suspicious by default.
- If the message causes concern, independently access your bank. Open a browser and manually type the official website address, or use your bank’s official app. If there is a real issue, it will be clearly listed in your secure message center.
- Never call phone numbers printed in a suspicious letter. Only use contact numbers found on the back of your debit or credit card or on your bank’s official website.
- If you receive one of these letters, report it. Contact your bank’s fraud department and file a report with your local police and federal Anti Fraud Authority. Each report helps authorities identify active campaigns and disrupt future mailings.
Postal quishing works because it feels official and familiar. Recognizing that physical mail can be just as dangerous as digital messages is a critical part of protecting your financial security.