An apparently harmless letter delivered by the postman, which appears to come from an authoritative body such as the Italian Post Office, contains a QR code, i.e. a square identification code made of black and white “pixels”. Known as the “postman scam”, this fraud uses social engineering to trick users into downloading a fake app containing malware by scanning the malicious QR code. Once installed, the malware takes control of the user’s sensitive data, including banking credentials and personal information, putting their digital security at risk. The phenomenon, initially reported in Switzerland, is also spreading in Italy, particularly affecting Android users. Below, we explain in more detail how the “postman scam” works, how to recognize it and how to protect yourself.
How the “postman scam” that has arrived in Italy works and how to recognize it
The scam begins with a physical letter, apparently sent by a government institution or a reliable body, inviting you to download a dedicated app, often linked to security or emergency issues, such as weather alerts or civil protection notifications. The trick is simple but effective: at the bottom of the letter you will find a QR code, a square image with black modules on a white background, which, if scanned, redirects you to the download of an infected app. The QR code, originally conceived to simplify access to digital content, has also become a popular means for scammers, thanks to its spread during the pandemic, giving rise to incidents of quishing, or QR phishing (i.e. phishing perpetrated through the use of QR codes).
A recent example of this fraud emerged in Switzerland, where many citizens received bogus letters apparently sent by the Federal Office of Meteorology and Climatology MeteoSwiss and the FOCP (Federal Office for Civil Protection). The QR code in question redirected to the download of an app named Severe Weather Warning App, which instead contained the malware Coper (also known as Octo2). This malicious software, once installed on Android devices, disguises itself as an official civil protection app, even modifying its graphic appearance to look authentic. In reality, the malware aims to steal login credentials from over 380 apps, including home banking services, thus putting the victims’ current accounts at risk.
Similar cases have also been reported in Italy, with stickers containing fake QR codes stuck up in car parks or inserted in messages apparently sent by banking institutions. In this context, scammers use phishing techniques, a form of digital deception that uses fake messages or websites to steal personal data. For example, they clone QR codes of banking portals or payment systems, tricking victims into entering their credentials on fake pages.
How to protect yourself from the QR code scam that can empty your bank account
To protect yourself from this threat, take some basic precautions. Never scan a QR code that comes from an unknown or suspicious source. Remember that applications from public bodies, banks, etc. must be downloaded exclusively from official stores such as the Google Play Store or the App Store. And if you are contacted in some way by your bank (via a paper letter, e-mail, message, phone call, etc.), verify the legitimacy of the communication received, especially if you are invited to carry out potentially suspicious actions, for example by contacting customer service yourself to ascertain how things really are.
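The official-store rule above can be applied to the link a QR code decodes to before anything is opened. The following Python sketch is an added example, not part of the original article: the allowlist of store hosts, the function name and the sample links (all on constructed `.example` hosts) are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the only trusted download hosts are the two stores named in the article.
OFFICIAL_STORE_HOSTS = {"play.google.com", "apps.apple.com"}


def assess_qr_url(payload: str) -> list:
    """Return warnings for a decoded QR payload; an empty list means
    the link points at an official store over HTTPS."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["not a parseable URL"]
    warnings = []
    if parts.scheme.lower() != "https":
        warnings.append("not an HTTPS link")
    # "https://play.google.com@other.example/" really goes to other.example
    if "@" in parts.netloc:
        warnings.append("userinfo in URL hides the real host")
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("punycode host (possible lookalike domain)")
    # Exact match only: "play.google.com.alerts.example" must not pass
    if host not in OFFICIAL_STORE_HOSTS:
        warnings.append("host %s is not an official app store" % (host or "?"))
    if parts.path.lower().endswith(".apk"):
        warnings.append("direct APK download (sideloading)")
    return warnings


# Constructed sample payloads, as a QR decoder would return them.
SAMPLES = [
    "https://play.google.com/store/apps/details?id=com.example.weather",
    "https://alerts-download.example/SevereWeather.apk",
    "https://play.google.com@mirror.example/app",
    "https://play.google.com.alerts.example/store/apps/details",
    "http://apps.apple.com/app/id1",
]

if __name__ == "__main__":
    for url in SAMPLES:
        found = assess_qr_url(url)
        print(url, "->", "OK" if not found else "; ".join(found))
```

An empty result only means the link leads to a store listing; it does not vouch for the app itself, so the publisher shown in the store should still match the institution named in the letter.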
If you suspect you have fallen for a scam, act quickly. Uninstall the suspicious app and reset your device to factory settings to eliminate the malware. Equally important, report the incident to the competent authorities, such as the Postal Police.