Ray Simmons was baffled when an Amazon package containing beet chews landed on his doorstep.
“I did think that maybe someone in my family was playing a joke on me, that they were telling me that I needed to eat healthier,” Simmons shared with WSB-TV Atlanta.
Don’t miss
But the package wasn’t a joke. Simmons, as he would come to learn, had unwillingly become the target of a scam known as “brushing.” The scheme is reportedly designed to exploit consumer data and manipulate online product reviews, the U.S. Postal Inspection Service (USPIS) reports.
And while that may seem fairly harmless, USPIS has issued a warning to Americans across the country: if you receive a package that you didn’t order, do not scan any QR codes that come with it.
What Is the brushing scam?
The brushing scam involves third-party sellers on e-commerce platforms that send unsolicited, low-value items to random people whose names and addresses were found online.
Once the item is shipped, the scammers leave fake five-star reviews online using the recipient’s name, or a fake profile made to resemble the recipient. The goal is to make the seller’s products appear popular and highly rated in order to gain more visibility and sales.
“They didn’t order anything, they received it, and it’s generally a household item, a low-value item,” said U.S. Postal Inspector David Gealey. “They have your personal information, which is easy to get because they can just Google a name and address. It’s out there on the web, right?”
Although the brushing scam might not directly lead to a financial loss, it signals that your personal information — such as your name and address — is being used without your knowledge. And that personal information could be circulating on unsecured databases or among bad actors online.
All of this would be cause for concern, but the dangers of this scam can become a lot more severe if the target does not exercise caution.
Read more: You’re probably already overpaying for this 1 ‘must-have’ expense — and thanks to Trump’s tariffs, your monthly bill could soar even higher. Here’s how 2 minutes can protect your wallet right now
The real threat: QR codes
Postal inspectors say the real danger comes when these packages include a QR code, which urges recipients to scan for more information or to confirm the delivery. These codes can lead to malicious websites that steal personal data, install malware or phish for sensitive information.
“We do caution customers: do not scan any QR code on the package because sometimes that QR code can lead to a malicious site,” Gealey warned.
Fortunately, Simmons’ package did not contain a QR code. However, he still took a few necessary steps to protect himself and ensure his Amazon and banking accounts hadn’t been compromised.
What to do if you receive a package you didn’t order
Receiving an unexpected package could indicate that your personal information is being misused. Here’s what USPIS recommends.
Do not scan QR codes: As we discussed above, scanning QR codes from unreliable sources can bring on a heap of trouble that could lead to stolen personal data or harmful malware installed on your device(s).
Do not return the item: You are not legally obligated to return unsolicited items. Simply keeping or discarding the package is safe, but don’t follow any instructions that came with it.
Check your financial accounts: Review your online bank and credit card statements, as well as your online shopping profiles and Amazon account activity immediately to ensure that your accounts haven’t been hacked.
Report the package: Notify your local police department, USPIS and/or the Federal Trade Commission about the unsolicited package. Reporting the package can help authorities with their investigation and can potentially prevent others from becoming a victim.
What to read next
This article provides information only and should not be construed as advice. It is provided without warranty of any kind.