Fake USPS Parcel-Locker QR-Code Phishing Scam
Criminals affix fake stickers bearing a QR code and USPS branding over or near real parcel lockers, telling recipients to scan the code to retrieve their package. The QR destination is a phishing site that captures login credentials or payment details.
Part of: Parcel Locker Phishing Scams
Last reviewed: 8 June 2026
USPS parcel lockers and package pick-up points provide a convenient self-service delivery option for customers who are not home for a delivery. Fraudsters exploit the physical trust associated with these installations by placing sticker overlays on locker panels or nearby signage that direct recipients to a fraudulent website via a QR code.
A recipient who receives a legitimate USPS missed-delivery notice referencing a locker then finds a QR code at the physical location that appears to be an official access method. Scanning it leads to a cloned usps.com portal asking for a USPS login and, in many variants, a card to cover a nominal storage or access fee.
The real USPS provides locker access codes through the official USPS website or app using a code linked to your tracking number. It does not require card payment at the locker or via a QR-code link separate from the official usps.com portal.
How this scam works on the USPS brand
A sticker is placed on the locker panel, door frame, or nearby notice board. It bears the USPS eagle logo, a reference to a package delivery, and a QR code with the instruction Scan to collect your parcel. The destination is a domain such as usps-locker.com or uspsdelivery.net — not usps.com.
The phishing page asks for a USPS username and password to retrieve the access code for the locker. Once credentials are entered the page returns an error or a fake access code while the attacker uses the real credentials to log into usps.com. Some variants also ask for card details to pay a small release fee.
Because the attack involves physical infrastructure, a single well-placed sticker can victimise many people before it is noticed and removed.
Common red flags
- QR code on or near a USPS parcel locker leads to a URL that is not usps.com
- The code was on a sticker that looks newer or has different material from the original locker panel
- Site asks for USPS login credentials or card payment to access the locker
- You did not receive a USPS access notification in your account or app before arriving at the locker
- Locker access code from the QR site does not work on the physical locker
- Site URL contains words like locker, parcel, or collection alongside usps but is not exactly usps.com
- The locker has no USPS staff present and the sticker appears hand-applied rather than printed on the panel
How to protect yourself
- Access locker codes only through your USPS account at usps.com or the USPS Mobile app
- Do not scan QR codes that are on stickers placed over original locker panels
- If the URL behind a QR code is not usps.com, close the page and use the official site
- Report any suspicious sticker to the USPS facility manager or postal worker on duty
- If you entered credentials, change your USPS account password immediately and check your account for changes
- Check your payment card statements if you entered card details
- Report the sticker to the USPS Postal Inspection Service
How to report it
- Report to the USPS Postal Inspection Service at postalinspectors.uspis.gov or call 1-877-876-2455
- Report to the FTC at reportfraud.ftc.gov
- Photograph the sticker and report it to the local post office so it can be removed
- Forward any associated smishing messages to 7726
- File at ic3.gov if financial loss occurred
Frequently asked questions
How does USPS normally provide parcel-locker access codes?
USPS sends a unique access code to your registered email or phone number when a package is placed in a parcel locker. You can also find the code in your USPS account online or in the USPS Mobile app. No QR scan or payment is required at the locker itself.
How can I tell if a QR sticker on a locker is fraudulent?
Look for signs of a sticker overlay: different material, slight misalignment, or paper edges visible under the code. Scan the code but check the URL before entering any information — it should be exactly usps.com. If in doubt, use your USPS app instead.
I entered my USPS login at the fake site. What now?
Log in to your real USPS account at usps.com immediately, change your password, and enable two-factor authentication. Review your account for any shipment redirections or address changes. Use a different password on any other accounts that shared the same credentials.