Received an Unexpected Package? It Could Be a Brushing Scam

If a surprise package arrives at your door, you might think it’s your lucky day. An unexpected gift can be a treat! But if something seems too good to be true, it probably is—and this “gift” may be part of a brushing scam. 

“The risks to victims of a brushing scam include unauthorized use of your personal information, fake reviews tied to your name, security threats through QR codes, fake accounts and transaction histories—and it may be a sign of a larger identity theft or fraud issue,” says Eva Velasquez, CEO of the Identity Theft Resource Center. With consumers losing more than $12.5 billion to fraud in 2024—a 25% increase over the year prior, according to the Federal Trade Commission—it’s important to understand common scams and how to avoid and report them.

So, what is a brushing scam? Ahead, Velasquez and Alex Hamerstone, an information security expert and the advisory solutions director at TrustedSec, offer insight on how a brushing scam works, advice on how to protect against brushing fraud, and what to do if you’ve received a package you didn’t order. 

Get Reader’s Digest’s Read Up newsletter for more tech, travel, humor, cleaning and fun facts all week long. 

What is a brushing scam?

In a brushing scam, sellers on Amazon or other shopping platforms ship products to an unsuspecting victim and then post a fake review in the victim’s name to boost their sales and ratings. “The intention is to give the impression that the recipient is a verified buyer who has written positive online reviews of the merchandise,” Velasquez says. This is why the brushing scam is also known as the “fake reviews scam.”

Reputable e-commerce systems generally require shipping and tracking information to show that a sale occurred and to allow a review to be posted, explains Hamerstone. Scammers attempt to evade these protections through the brushing scam.

So, why is it called “brushing”? Hamerstone says the term comes from a translation of the Chinese word for cleaning. “[It’s] similar to how in English we talk about money ‘laundering’—even though it has nothing to do with detergent and washing machines—because it makes the illicit money ‘clean,’” he explains. “The term brushing is used because the transaction is ‘cleaned’” through the fake proof of purchase and delivery.

Are brushing scams dangerous?

The brushing scam poses some risks—including fraud and potential identity theft—to the recipients of the unexpected packages. It also puts future buyers at risk; when they see a high number of sales and positive reviews, they may purchase substandard products from dishonest sellers. 

Hamerstone says that in cases where the scammers’ only objective is to gain fake sales and reviews, then the additional risk to the recipient is low. “Once you receive the package, the scammer’s goal has been reached, so there is generally little else most of these scammers will do.”

However, not all scammers stop there. If they’ve got your name, address and phone number, there is a chance they—or other scammers—will attempt to scam or impersonate you in other ways. “While the information, such as your name and address, is largely available through public records, [receiving an unsolicited package] could also be a sign that your personal information has been leaked through a data breach or some form of a phishing scam,” Velasquez says. “Leaked personal information could increase the likelihood of being targeted with another scam or identity crime in the future.”

Quishing

A new variation of the brushing scam, called quishing, opens you up to additional risks. “Quishing, also known as QR code phishing, utilizes a QR code that redirects you to a fake website when scanned,” Velasquez explains. Scammers place printed inserts with QR codes or links into the unsolicited package, suggesting they will lead you to promotional offers, product surveys or delivery confirmation requests. Sometimes, they take advantage of your natural curiosity by saying that if you use the QR code, you can find out who sent you the package. “They use these QR codes or links to lure recipients into visiting fraudulent websites designed to steal personal information, install malware or collect payment details under false pretenses.”

Payment demands

Another risk of brushing scams? The scammer could ask you to fork over payment for the package you received. “While this is much rarer than just receiving the package and never hearing anything [from the scammer] again, if the scammer demands payment, not only could you be out of any money you send them,” Hamerstone says, “but they may also use any payment information you send them to take additional money from you.”

Is brushing legal?

Dejan Marjanovic/Getty Images

Brushing scams and other online retailer scams are illegal in the U.S. and many other countries, according to the United States Postal Inspection Service. But since most brushing scams are committed by overseas sellers, it’s often too difficult for U.S. authorities to track down the criminals.

“The much bigger risk to the perpetrators is being banned from selling platforms like Amazon and eBay, which would affect their ability to earn a living,” Hamerstone says. Amazon and other online marketplaces prohibit brushing scams, so reporting the incident to the platform is the best way to hold that seller accountable. While online shopping sites have tried to crack down on fraudsters, shoppers should still watch out for scams that can pop up on Facebook Marketplace and eBay.

How to protect yourself from brushing scams

Now that you understand brushing scams and the risks, you’re probably wondering how you can protect yourself from becoming a victim. Here are some expert tips.

• Create secure passwords for any online shopping platforms you use.
• Check your online shopping accounts for unauthorized purchases or fake profiles. If you find any, report them to the e-commerce platform or online retailer (more on this below).
• Monitor your credit reports and bank and credit card accounts for suspicious activity.
• Avoid scanning QR codes or visiting links provided in unsolicited packages, Velasquez says. “It may be wise to run security scans on your devices and update your passwords” if you have already opened any links found in unsolicited packages.
• Remove yourself from Google and people search sites. This can feel futile, as the basic info a scammer needs for the brushing scam is generally available publicly. However, you can request to be removed from Google searches and public search sites, such as WhitePages. The info is likely to pop back up again, so check periodically and request removal again in the future. 
• Don’t share personal info on social media. Don’t make it easy for scammers (or people search sites) to find your address. Keep personal info offline as much as possible. 
• Do some virtual housekeeping. You can reduce your online presence and scammers’ access to your info by deleting online accounts you no longer need.

What to do if you receive a package you didn’t order

Even if you follow all the steps above, you may still become a victim of a brushing scam. Here’s what to do if a surprise package shows up.

Don’t panic

“You were likely chosen at random,” Hamerstone says. “Generally, you will not receive direct communication from the sender.”

Check the recipient info

It’s not always a scam; delivery personnel are human and occasionally drop off packages at the wrong address. “Brushing is a very specific event, and is different from accidentally receiving a package meant for a neighbor or something like that,” Hamerstone says.

Review the intended recipient info. If it’s not your name, but the intended address is nearby, it may be a neighbor’s package. Try to ensure they get it (either by delivering it to them or returning it to the delivery service). “If a package is addressed to your neighbor and delivered to you by accident, it isn’t yours to keep,” Hamerstone says. 

It’s possible a loved one sent you a surprise. If the name on the package is yours, double-check with your friends and family to see if anyone ordered something for you.

Return to sender

If a package that came in the mail has a return address, you haven’t opened it and you’ve determined it’s not a gift from someone you know or a misplaced package meant for a neighbor, you can return it. Just write “RETURN TO SENDER” on it and pop it back in the mail. USPS will ship it back—at no charge to you. 

Keep, donate or discard

Wondering whether you can keep an Amazon package you didn’t order? Yes, you can keep an unsolicited package addressed to you. “The messaging I have seen from law enforcement and consumer advocates at all levels is that you can keep any of the merchandise that you receive without owing any payment,” Hamerstone says. Scammers typically aim to keep costs low, so the contents of the package may not be anything you need or want. In this case, donating or discarding it is also an option. 

Report it

File a report with the online retailer or the e-commerce fraud prevention department. “The most effective thing you can do is report it to the platform [such as Amazon or eBay], as the platform is most likely to be able to take action,” Hamerstone says. Amazon and other online platforms take the complaints seriously. They will investigate and remove fraudulent reviews and sellers. 

If the package contains anything suspicious, report it to law enforcement. 

The experts also suggest reporting brushing scams to the United States Postal Service, the Better Business Bureau’s Scam Tracker and the Federal Trade Commission. If you’re unsure about how to proceed, Velasquez says you can speak with an expert at the Identity Theft Resource Center.

Filing these types of reports helps online retailers and platforms identify and remove fraudulent accounts and protect other consumers.

Do not scan QR codes

Never scan QR codes or visit links that are included in the package. Remember, scammers can use them to steal more of your personal and financial information.

Do not make any payment

If the seller contacts you insisting that you owe them for the package, do not engage with them. If you didn’t order it, you don’t owe them for it. “If you didn’t place the order, there will be no record of payment (because there wasn’t a payment),” Hamerstone says.

He notes that if a scammer steals your credit card info and places an order with it, that isn’t brushing; that is just typical theft. You should absolutely report that to your bank and the online platform—but not as brushing. “Brushing is specifically related to receiving an unexpected package that you did not request or pay for.”

Secure your accounts

“Use this as an opportunity to strengthen your overall cyber and identity hygiene,” Velasquez says. “This includes using strong, unique passwords for all your accounts—or, even better, enabling passkeys where supported. It’s also a good time to enable multi-factor authentication, keep software and devices updated and regularly review your credit reports and financial accounts for any unusual or unauthorized activity. Staying proactive with these habits can significantly reduce your risk of falling victim to more serious forms of identity theft.”

Why trust us

Reader’s Digest has published hundreds of articles on personal technology, arming readers with the knowledge to protect themselves against cybersecurity threats and internet scams as well as revealing the best tips, tricks and shortcuts for computers, cellphones, apps, texting, social media and more. For this piece, Brooke Nelson Alexander tapped her experience as a journalist who covers technology and scams. We rely on credentialed experts with personal experience and know-how as well as primary sources including tech companies, professional organizations and academic institutions. We verify all facts and data and revisit them over time to ensure they remain accurate and up to date. Read more about our team, our contributors and our editorial policies.

Sources:

• Alex Hamerstone, advisory solutions director at TrustedSec
• Eva Velasquez, CEO of the Identity Theft Resource Center
• Federal Trade Commission: “New FTC Data Show a Big Jump in Reported Losses to Fraud to $12.5 Billion in 2024”
• United States Postal Inspection Service: “Brushing scam”
• Better Business Bureau: “Scam Tracker”

Emma Kumer/rd.com, Getty Images

What Is Smishing?

Emma Kumer/rd.com, Getty Images

How to Stop Spam Texts

Grace Luxton/rd.com, Getty Images

How to Avoid Gift Card Scams