What is the brushing scam?
The brushing scam involves third-party sellers on e-commerce platforms that send unsolicited, low-value items to random people whose names and addresses were found online.
Once the item is shipped, the scammers leave fake five-star reviews online using the recipient’s name, or a fake profile made to resemble the recipient. The goal is to make the seller’s products appear popular and highly rated in order to gain more visibility and sales.
“They didn’t order anything, they received it, and it’s generally a household item, a low-value item,” said U.S. Postal Inspector David Gealey. “They have your personal information, which is easy to get because they can just Google a name and address. It’s out there on the web, right?”
Although the brushing scam might not directly lead to a financial loss, it signals that your personal information — such as your name and address — is being used without your knowledge. And that personal information could be circulating on unsecured databases or among bad actors online.
All of this would be cause for concern, but the dangers of this scam can become a lot more severe if the target does not exercise caution.
Dave Ramsey’s plan has people crushing debt fast
Drowning in debt? Dave Ramsey’s viral 7-step method is helping people wipe it out and finally build real savings. No gimmicks—just a clear plan that works. Moneywise breaks it down so you can get started in minutes. If you’re serious about getting ahead, don’t miss this.
See the stepsThe real threat: QR codes
Postal inspectors say the real danger comes when these packages include a QR code, which urges recipients to scan for more information or to confirm the delivery. These codes can lead to malicious websites that steal personal data, install malware or phish for sensitive information.
“We do caution customers: do not scan any QR code on the package because sometimes that QR code can lead to a malicious site,” Gealey warned.
Fortunately, Simmons' package did not contain a QR code. However, he still took a few necessary steps to protect himself and ensure his Amazon and banking accounts hadn’t been compromised.
What to do if you receive a package you didn’t order
Receiving an unexpected package could indicate that your personal information is being misused. Here's what USPIS recommends.
Do not scan QR codes: As we discussed above, scanning QR codes from unreliable sources can bring on a heap of trouble that could lead to stolen personal data or harmful malware installed on your device(s).
Do not return the item: You are not legally obligated to return unsolicited items. Simply keeping or discarding the package is safe, but don’t follow any instructions that came with it.
Check your financial accounts: Review your online bank and credit card statements, as well as your online shopping profiles and Amazon account activity immediately to ensure that your accounts haven’t been hacked.
Report the package: Notify your local police department, USPIS and/or the Federal Trade Commission about the unsolicited package. Reporting the package can help authorities with their investigation and can potentially prevent others from becoming a victim.
Under 60? Lock in life insurance in minutes
Get term life insurance fast—with no agents, no exams, and no stress. Ethos lets you apply online in minutes and get covered for as low as $15/month. It’s affordable peace of mind, without the hassle Get your free quote now
