Hackers are now sending scam QR codes via physical mail — and they can steal your passwords

The postal service is being weaponized by hackers.
By Matt Binder

We've warned you about QR code scams before. Now, we're warning you about a new QR code scam – one that may show up in your physical mailbox.

The National Cyber Security Centre (NCSC) in Switzerland has issued a new alert about a scheme in which hackers and scammers weaponize the postal service. The scam involves a physical piece of mail arriving at a target's door, urging them to download an app.

The app, which can be downloaded via a QR code displayed on the mailer, is actually malware disguised as a legitimate app that can steal data from the user's device.

A new type of QR code scam

The hackers and scammers behind this fraudulent scheme imitate Switzerland's Federal Office of Meteorology and Climatology, right down to the official governmental seals on the mailed document. The mailer urges recipients to scan the QR code in order to download a "Severe Weather Warning App" for Android devices. 

When the QR code is scanned, users aren't taken to the official Google Play store, but instead to a third-party site. Once there, they are asked to download an "AlertSwiss" app.

As first reported by The Register, there are some obvious discrepancies between the hackers' app and the real one that it copies. There is a genuine government app with the same name, but it's called "Alertswiss," without the capitalized "S." In addition, while the fake app attempts to mimic the app logo, it isn't exactly the same.

The fake app, when downloaded, installs a "variant of the Coper trojan" malware on the target's device. This malware can log the user's activity on the device, stealing passwords, messages, notifications, and other sensitive information. Phishing pages can also be automatically displayed on the infected device.

NCSC told The Register that this was the first time it had ever come across malware being delivered via physical mail in this way. 

Unlike email, there is a cost associated with sending each piece of physical mail, so this attack method must be delivering some level of success to the scammers behind it.

If bad actors aren't already looking at replicating this campaign outside of Switzerland, this warning should serve as an important notice to be on the lookout for QR code scams being sent to your physical address in the not-so-distant future.
