Receive a random package you didn't order? You may be a victim of a ‘brushing' scheme — here's how it works

Yahoo

20-05-2025

Ray Simmons was baffled when an Amazon package containing beet chews landed on his doorstep.
'I did think that maybe someone in my family was playing a joke on me, that they were telling me that I needed to eat healthier,' Simmons shared with WSB-TV Atlanta.
Thanks to Jeff Bezos, you can now become a landlord for as little as $100 — and no, you don't have to deal with tenants or fix freezers. Here's how
I'm 49 years old and have nothing saved for retirement — what should I do? Don't panic. Here are 5 of the easiest ways you can catch up (and fast)
Nervous about the stock market in 2025? Find out how you can access this $1B private real estate fund (with as little as $10)
But the package wasn't a joke. Simmons, as he would come to learn, had unwillingly become the target of a scam known as 'brushing.' The scheme is reportedly designed to exploit consumer data and manipulate online product reviews, the U.S. Postal Inspection Service (USPIS) reports.
And while that may seem fairly harmless, USPIS has issued a warning to Americans across the country: if you receive a package that you didn't order, do not scan any QR codes that come with it.
The brushing scam involves third-party sellers on e-commerce platforms that send unsolicited, low-value items to random people whose names and addresses were found online.
Once the item is shipped, the scammers leave fake five-star reviews online using the recipient's name, or a fake profile made to resemble the recipient. The goal is to make the seller's products appear popular and highly rated in order to gain more visibility and sales.
'They didn't order anything, they received it, and it's generally a household item, a low-value item,' said U.S. Postal Inspector David Gealey. 'They have your personal information, which is easy to get because they can just Google a name and address. It's out there on the web, right?'
Although the brushing scam might not directly lead to a financial loss, it signals that your personal information — such as your name and address — is being used without your knowledge. And that personal information could be circulating on unsecured databases or among bad actors online.
All of this would be cause for concern, but the dangers of this scam can become a lot more severe if the target does not exercise caution.
Read more: You're probably already overpaying for this 1 'must-have' expense — and thanks to Trump's tariffs, your monthly bill could soar even higher. Here's how 2 minutes can protect your wallet right now
Postal inspectors say the real danger comes when these packages include a QR code, which urges recipients to scan for more information or to confirm the delivery. These codes can lead to malicious websites that steal personal data, install malware or phish for sensitive information.
'We do caution customers: do not scan any QR code on the package because sometimes that QR code can lead to a malicious site,' Gealey warned.
Fortunately, Simmons' package did not contain a QR code. However, he still took a few necessary steps to protect himself and ensure his Amazon and banking accounts hadn't been compromised.
Receiving an unexpected package could indicate that your personal information is being misused. Here's what USPIS recommends.
Do not scan QR codes: As we discussed above, scanning QR codes from unreliable sources can bring on a heap of trouble that could lead to stolen personal data or harmful malware installed on your device(s).
Do not return the item: You are not legally obligated to return unsolicited items. Simply keeping or discarding the package is safe, but don't follow any instructions that came with it.
Check your financial accounts: Review your online bank and credit card statements, as well as your online shopping profiles and Amazon account activity immediately to ensure that your accounts haven't been hacked.
Report the package: Notify your local police department, USPIS and/or the Federal Trade Commission about the unsolicited package. Reporting the package can help authorities with their investigation and can potentially prevent others from becoming a victim.
Want an extra $1,300,000 when you retire? Dave Ramsey says this 7-step plan 'works every single time' to kill debt, get rich in America — and that 'anyone' can do it
Rich, young Americans are ditching the stormy stock market — here are the alternative assets they're banking on instead
Robert Kiyosaki warns of a 'Greater Depression' coming to the US — with millions of Americans going poor. But he says these 2 'easy-money' assets will bring in 'great wealth'. How to get in now
Here are 5 'must have' items that Americans (almost) always overpay for — and very quickly regret. How many are hurting you?
This article provides information only and should not be construed as advice. It is provided without warranty of any kind.