The Rising Threat of Physical Phishing Scams: How Scammers Exploit Mail
Phishing has long been a significant challenge in the realm of digital security, but a new twist has emerged that is particularly concerning. Instead of relying solely on emails, scammers are now resorting to postal mail, effectively bypassing the filters of traditional email clients. This adaptation in their tactics highlights their constant evolution, making it crucial for consumers to stay informed about these threats.
The phishing tactic we’ll explore today has been making the rounds for several years, with an increasing number of users sharing their experiences. This specific scam mimics Amazon’s branding and offers a promotional card that promises free products and commissions of up to €40 in exchange for scanning a QR code. This scheme has been documented internationally, with instances reported in the United States, the United Kingdom, Germany, France, and even Spain.
The modus operandi is new. Scammers are sending physical letters adorned with the Amazon logo, inviting recipients to join an alleged “test club” of new products. These letters promise enticing perks, including free items and commissions that can reach €40, as reported in various posts circulating on platforms like Reddit. To participate, recipients are instructed to scan a QR code and register their name and contact information; the process reveals a suspicious contact email at the end.
The scam works largely because it relies on physical letters. Unlike emails, which are often flagged by spam filters, physical mail can instill a sense of trust, especially among older individuals who may not be as familiar with digital scams. The QR code adds another layer of complexity: recipients often have no means of verifying where the link will redirect them, making it easier for criminals to cover their tracks.

This fraudulent tactic is an international problem and has been identified across multiple countries. Users have reported receiving identical letters in their mailboxes in the United Kingdom, Germany, France, and even Spain, all exhibiting the same format and similar claims. The cybersecurity company KnowBe4 recognized this technique after one of its employees received such a letter. Upon contacting the scammers, they discovered that the scheme could potentially facilitate illegal fund transfers, fake review campaigns, or other scams.
If you receive such a letter, the response is straightforward: ignore it. Amazon does not reach out to potential customers through unsolicited postal mail to offer test products. The company uses specific, official channels for its testing programs, which require prior registration, and it never promises cash rewards. A simple legitimacy check is the contact email, which does not belong to any official Amazon domain. Amazon has even established a webpage outlining the measures to take if someone has fallen victim to a “Brushing” scam, which involves receiving unsolicited packages.
Thus, the best course of action is to throw the letter directly into the trash without scanning the QR code or responding to any email. It’s essential to spread the word about this scam to ensure that others, especially older individuals and those less familiar with the internet, are also made aware and can avoid falling prey to this deception.
In conclusion, as scammers continually evolve their methods, staying informed and vigilant is our best defense against phishing attempts—whether digital or physical. Awareness is key in protecting not only ourselves but also those around us from falling victim to these malicious tactics.

