How to Protect Yourself From ‘Brushing’ Scams

August 19, 2025 / meritsolutions

We make a lot of online purchases these days, so much so that, for some of us, packages show up at our doorsteps on a daily basis. But every once in a while, a package might not be something we actually ordered.

If you open your front door to such a scene, you might be curious why someone would send you an unsolicited package, and, as such, open the parcel. Inside, you might find one of two things. First, you may actually find a product, likely something inexpensive. On the other hand, you might simply find a QR code. If it’s the latter, don’t scan it. In either case, consider scrubbing your address from the internet: You’ve been the target of a scam.

How brushing scams work

Traditionally, brushing scams were tactics used by dishonest businesses to boost their reviews. These businesses would obtain names and addresses from leaked databases on the internet, and send these targets merchandise. Usually, these products were not too expensive, so the company could send out many packages in one scam.

Once a package was sent to a legitimate address, that enabled the business to write a review in the target’s name. After all, that target “ordered” the product, so the sale could be verified. The business would look like it was doing well, with happy customers, while those “customers” were confused about why they received a package in the first place.

This version of the brushing scam is bad enough, but newer variants are more malicious. Scammers still send unsolicited packages to unsuspecting victims, but this time, the package contains a QR code. The package might not include the sender’s information, which scammers hope will pique the target’s curiosity enough to scan the code. The code leads to a site that tricks the user into downloading malicious software. That malware can scrape anything from financial data to personal information.

How to protect yourself

If you find a package you did not order addressed to you, especially if the package does not contain sender information, be cautious. If the package contains a QR code, do not scan it. If strange apps or websites ask for permissions on your phone, deny them.

You may also want to take steps to protect your identity, as receiving this package implies your name and address have leaked online. You can try a service that requests information takedowns from data collection agencies, like DeleteMe. You could also consider requesting a credit report from Equifax, Experian, or TransUnion to ensure you are not the victim of identity fraud.

Finally, report the incident to the FBI.
