As you gather all the last-minute holiday packages arriving at your doorstep, be careful about any that you didn’t order or ones that don’t have a return address and want you to scan a QR code: it could be a scam.
These so-called brushing scams have been around for a few years and there’s a few varieties. They can range from a “victimless” crime to one that involves scanning a QR code to find out who the package is from.
That could lead consumers to a site tricking them to enter personal information, similar to a phishing scam. In some cases, malicious QR codes could also install malware to steal information from the consumer’s phone.
Police departments around the country have been sharing warning messages on social media about the scams this holiday season.
The reports of the brushing scam started a few years ago with packages appearing on people’s doorsteps. But when consumers were trying to figure out if it was something they ordered, they contacted Amazon or the retailer only to be told to just keep it, even if it wasn’t something they ordered.
Holiday deals: Shop this season’s top products and sales curated by our editors.
Many packages are from Amazon, but from third-party sellers – and an Amazon spokesperson said the company takes action against them.
The sellers are trying to boost their reviews, Jennifer Leach, associate director of the Federal Trade Commission’s Bureau of Consumer and Business Education, told USA TODAY.
“Dishonest businesses and scammers are sending all sorts of unordered junk in the mail – and then writing good reviews for their business in your name,” Leach.
“That’s bad for honest businesses, which don’t cheat to get reviews, but it could be bad for you, too,” she said. “Getting this stuff in the mail could mean a scammer has created an account in your name, taken over your account on the shopping site, or even created new accounts in other names, but tied to your address.”
The consumers receiving the product often aren’t “harmed” in the scam – and they often get to keep the free product – so some call the brushing scams “victimless” crimes. But the items are usually things consumers don’t necessary want and are inexpensive, like ping pong balls or a flashlight.
And future shoppers looking at reviews by the seller who sent the package could be making a bad buying decision based on pumped-up reviews.
If you get an unexpected package, there are several steps you can take to protect your identity,” said Melanie McGovern with the Better Business Bureau.
“First, notify the retailer that you received a package, check your account for recent orders, and change your passwords,” said McGovern, who also encouraged consumers to report the activity to the BBB’s Scam Tracker, www.bbb.org/scamtracker as a warning to others.
Leach with the FTC also said to check online accounts to see if there are any problems.
An Amazon spokesperson provided this statement regarding brushing scams: “Third-party sellers are prohibited from sending unsolicited packages to customers, and we take action when our policies are violated, including by withholding payments, suspending selling privileges, and reporting bad actors to law enforcement.”
Amazon suggests if you receive a package or item that you didn’t order, check with friends and family or contact Amazon customer service to confirm it’s not a gift to you. If you receive a package addressed to someone else, please contact Amazon customer service.
If you can confirm the package addressed to you wasn’t ordered by you or anyone you know, report the package online by going to the Report Unwanted Package form on Amazon at https://account-status.amazon.com/report-unwanted-packages.
“Amazon investigates reports of ‘brushing’ and takes action on bad actors that violate our policies, including suspending or removing selling privileges, withholding payments, and working with law enforcement. Customers don’t need to return the item,” the Amazon spokesperson said.
Another type of brushing scam will also have no return address on an unexpected package, but there will be a QR (quick-response) code with instructions to scan on your phone to see who the package is from.
Scams involving QR codes are not new. But with the popularity of QR codes, which when scanned are a shortcut to a website, and are used for tasks ranging from reading a restaurant menu to paying for parking, there are also bad actors.
If you get a package you are not expecting or you didn’t order, don’t scan the QR code, said the FTC in a blog post in 2023.
“A scammer’s QR code could take you to a spoofed site that looks real but isn’t. And if you log in to the spoofed site, the scammers could steal any information you enter,” the FTC blog post said. “Or the QR code could install malware that steals your information before you realize it.”
Avoid holiday scams:Don’t let fraudsters ruin your holidays. Protect yourself with these tips.
The U.S. Postal Inspection service also recently issued an alert reminding customers not to interact with text messages indicating your package is lost or with tracking information for a package you did not order.
Smishing is a form of phishing, the fraudulent practice of sending messages disguised as reputable sources to get consumers to reveal personal or financial information, as previously reported by USA TODAY.
Betty Lin-Fisher is a consumer reporter for USA TODAY. Reach her at blinfisher@USATODAY.com or follow her on X, Facebook or Instagram @blinfisher. Sign up for our free The Daily Money newsletter, which will include consumer news on Fridays, here.
English 
Français