Brushing Scam + QR Code Fraud: New Cyber Threat Empties Bank Accounts

Navi Mumbai, August 7, 2025 – A shocking case has emerged where an unsuspecting woman lost her entire bank balance after falling victim to a dangerous new form of the brushing scam, combined with a QR code phishing attack.

How the Scam Unfolded

Sakshi, a middle-class homemaker, received a parcel she never ordered. It was addressed to her by name, with her full address and phone number printed on the label. Thinking it could be a prepaid gift or something ordered by a family member, she accepted it.

Inside the package, she found a simple pair of headphones and a letter saying:

“Congratulations! You are our premium customer. Scan this QR code to win a ₹2,000 gift voucher!”

The QR code took her to a website that looked exactly like a popular e-commerce portal. Believing it to be genuine, Sakshi entered her mobile number, bank account details, and UPI credentials. Soon after, she received OTPs and entered them as instructed.

Within minutes, large transactions drained her bank account—₹49,500, ₹9,999, and ₹15,000—leaving her with nothing.

What Is a Brushing Scam?

A traditional brushing scam involves sending unsolicited parcels so scammers can post fake “verified” reviews using the recipient’s details.
In this upgraded version, cybercriminals insert QR codes inside the parcels, which lead to phishing websites designed to steal financial information.

This technique—called “Quishing” (QR phishing)—is rapidly spreading in India, with attackers often obtaining personal details from data leaks and the dark web.

Why It’s Dangerous

• Uses real personal information (name, phone, address) to seem legitimate.

• QR codes hide dangerous phishing links.

• Fake websites perfectly mimic trusted shopping portals.

• Victims willingly enter sensitive details and OTPs, enabling instant fund transfers.

How to Stay Safe

• Never scan QR codes from unsolicited parcels or unknown sources.

• Treat unexpected rewards, vouchers, or offers with suspicion.

• Do not share bank account, UPI, or OTP details—no legitimate company will ask for them in such a manner.

• Enable multi-factor authentication and keep SMS alerts on for all bank transactions.

• If targeted, immediately contact your bank and file a complaint with the National Cyber Crime Portal (cybercrime.gov.in).

HacktechNews Safety Note

This case is a reminder that cybercrime is evolving. Scammers now blend traditional fraud with new-age technology like QR codes to bypass caution. The best defence is awareness and instant action—once the money is gone, recovery becomes almost impossible.

Stay alert. Stay safe.
HacktechNews – Safe Internet, Aware Society.