July 30, 2025

Brushing Scams

My oldest daughter recently accepted an offer to attend Purdue University. The following week we received a package in the mail containing a canvas laundry bag with the Purdue logo emblazoned on the side. We didn’t recognize the sender’s name or address, so we did a little Googling, but that didn’t help much either. It was then that I remembered reading an article about a relatively new scam called “brushing.” We rechecked the package, and sure enough, there was a tell-tale QR code printed on the side. Had we scanned that code to see who had sent us this nice gift, personal phone data would likely have been immediately compromised.

Brushing scams have emerged as a widespread and deceptive practice, leaving countless individuals across the globe baffled by unsolicited packages arriving at their doorsteps. These scams, which have surged in prevalence since 2024, involve receiving unordered items—ranging from cheap jewelry and gadgets to random objects like single socks or plastic toys—often shipped from major retailers like Amazon or obscure overseas vendors, or, in our case, the US Postal Service. While the idea of free goods might seem appealing, brushing scams pose significant risks, from identity theft to financial fraud.

The mechanics of a brushing scam are cunningly simple. Third-party sellers, primarily on e-commerce platforms, send unsolicited packages to random addresses, often using publicly available contact information. By marking these fake orders as delivered, scammers create verified purchases, allowing them to post fraudulent five-star reviews under the recipient’s name. This artificially boosts the seller’s product rankings and credibility, deceiving genuine customers into buying low-quality or nonexistent items. In some cases, scammers obtain addresses through data breaches, heightening concerns about privacy violations.

The dangers extend beyond fake reviews. Some brushing scams involve packages with QR codes or links prompting recipients to “confirm delivery” or “claim a prize.” Engaging with these can install malware, steal personal information, or lead to phishing sites. In rarer instances, scammers use stolen credit card details to fund shipments, potentially implicating victims in fraudulent transactions. The Federal Trade Commission (FTC) and Better Business Bureau (BBB) have reported thousands of cases, with victims experiencing everything from minor annoyance to serious financial repercussions.

Protecting yourself is essential. The FTC recommends not opening suspicious packages or interacting with any enclosed codes or links. Instead, report the delivery to the retailer and file a complaint with local authorities or the BBB. Monitor your bank accounts and credit reports for unauthorized activity, as your personal details may have been compromised. Legally, you’re entitled to keep unsolicited items, but notifying the sender can aid investigations.

Brushing scams exploit the complexities of online marketplaces, underscoring the need for consumer vigilance. As e-commerce continues to evolve, staying cautious, verifying unexpected deliveries, and reporting suspicious activity are critical steps to safeguard your personal and financial security. If you’ve received an unexpected package, don’t ignore it—take action to uncover and stop these deceptive practices.

Denver Abernathy

Denver Abernathy is a Founding Partner of Promethius and is one of the sharpest technical minds in the Midwest. Denver brings decades of IT experience and a calm, cool demeanor to every client interaction.