Trezor has got a blog entry on the matter in their site: https://blog.trezor.io/psa-non-genuine-trezor-devices-979b64e359a7, although it does date back to end of 2018 and it is very shallow in details.

The classical scam is through a fake site that claims your device is faulty, stating that you need to provide your passphrase (see https://www.reddit.com/r/TREZOR/comments/e1a9o1/fake_trezor_website_all_funds_lost/ for example), but there are no hard new of fake devices being out there now that I’m aware of.
 
Nevertheless, they could be created and sold as we speak, you never know. It’s not that simple really, and cases I’ve read about in the past are more related to the device being preconfigured (with a printed leaflet containing your 24 word passphrase) than anything else. Making the purchase through the official site (or resellers if not feasible) is always the right move (i.e. don’t use eBay and such), and always revise that the packaging has not been tampered with.