Imagine this: You come home one day to find a package on your doorstep, but you're certain you didn't order anything. Inside, there's a random item – a Bluetooth speaker, a ring or even some seeds from overseas. A QR code offers a mysterious promise – scan it to learn more about the package or initiate a return. But before you act, take caution – this could be part of a dangerous scam.
This phenomenon is known as a "brushing scam," according to the Better Business Bureau. It's a tactic used by scammers who ship unordered products to unsuspecting victims, often without a return address.
The goal is to trick the victim into appearing as a verified buyer of a product so that scammers can post fake reviews, the BBB explained. These fraudulent reviews increase the seller's ratings, which leads to greater exposure and profits. Meanwhile, victims are left wondering how their address ended up in the hands of scammers, with no real way to stop it.
Recently, a new twist on brushing scams has emerged. The BBB reports that some packages now contain a QR code offering details about the sender or return instructions. While it may seem harmless, scanning the code could lead to a phishing website that steals your personal information or malware that compromises your device.
Multiple reports to BBB Scam Tracker over the last few months show these scams are happening all over the country. From North Carolina and Ohio to Utah and California, several people reported receiving a small box with a ring they did not order. Inside was a certificate with a QR code to scan. The potential victims did not scan the code.
Many other reports on the BBB Scam Tracker reference Amazon packages that were never ordered -- some were empty while others contained small items.
"I received a package I DID NOT order from Amazon. The package was addressed to me (name and address). There is a QR code that I have to scan in order to get any information (order number, receipt, return information, sender information). I will not scan it because I do not want malware on my phone," one potential victim reported.
"A package I didn't order was delivered to my home address from Amazon. The package contains a gift receipt from a person/company I never heard. The gift receipt includes a QR code to scan to see the name of the sender," another person reported.
The danger in a brushing scam isn't just about receiving unsolicited packages. It's about the personal information that could have been used to target you. Scammers often find your name, address and phone number online and use that data to ship the products. This could lead to further exposure, such as identity theft or fraud.
While it may seem harmless at first, receiving a surprise package can quickly turn into a headache or even a security risk. If you ever receive an unsolicited package, it's crucial to be cautious.
What You Can Do
• Don't scan any QR codes or click on any links provided in the package.
• Check for any signs of a return address or company name.
• If you suspect the package is part of a brushing scam, report it to the BBB or a relevant consumer protection agency.