
Brushing Scams: Fraudsters Expose Customer Information Using QR Codes on Unexpected Packages

December 23, 2024

A new package delivery fraud is heating up as the countdown to the holiday season shortens. It’s called a “brushing scam.”

In a brushing scam, a package arrives at a customer’s home containing a QR code but no return address, prompting the recipient to scan the code to find out who sent it. Scanning the code, however, could expose sensitive information from the recipient’s smartphone to a site or scammer, or even download malicious software onto the phone.

“A scammer’s QR code could take you to a spoofed site that looks real but isn’t. And if you log in to the spoofed site, the scammers could steal any information you enter. Or the QR code could install malware that steals your information before you realize it,” a blog post from the Federal Trade Commission stated.

It added that scammers “want you to scan the QR code and open the URL without thinking about it.”

There are also brushing scams linked to Amazon third-party sellers. Jennifer Leach, associate director of the Federal Trade Commission’s Bureau of Consumer and Business Education, told USA Today that these sellers are using customer names to boost their online reputation.

“Dishonest businesses and scammers are sending all sorts of unordered junk in the mail — and then writing good reviews for their business in your name,” Leach added. “That’s bad for honest businesses, which don’t cheat to get reviews, but it could be bad for you, too. Getting this stuff in the mail could mean a scammer has created an account in your name, taken over your account on the shopping site, or even created new accounts in other names, but tied to your address.”

How Do Consumers Protect Themselves From Brushing Scams?

The FTC says that consumers can protect themselves from brushing scams. There are three key ways to stay safe when receiving packages this holiday season and thereafter.

First, the organization suggests that consumers who see a QR code in an unexpected place inspect the URL before they open it. If it looks like a recognizable URL, they should make sure it’s not spoofed by looking for misspellings or a switched letter.

Second, don’t scan a QR code in an email or text message you weren’t expecting — especially if it urges you to act immediately. If you think the message is legitimate, use a phone number or website you know is real to contact the company and verify the information first before taking further action.

Finally, the FTC strongly suggests consumers protect their phones and online accounts. The two simplest and most effective ways to do this are strong passwords and multi-factor authentication.
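The first tip, checking a scanned URL for misspellings or a switched letter, can be automated once a QR reader has decoded the link. The sketch below is an added example, not code from the FTC or USA Today; the trusted-domain list, the function names and the one-edit threshold are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumption: a short list of domains the recipient actually does business with.
TRUSTED = ("amazon.com", "usps.com", "ups.com", "fedex.com")

def osa_distance(a: str, b: str) -> int:
    """Edit distance where insert, delete, substitute and adjacent swap cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # switched letters
    return d[len(a)][len(b)]

def check_qr_url(url: str, trusted=TRUSTED, max_dist: int = 1) -> str:
    """Return 'trusted', 'lookalike:<reason>' or 'unknown' for a decoded QR URL."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme not in ("http", "https") or not host:
        return "unknown"
    # Exact match, or a genuine subdomain of a trusted domain.
    if any(host == dom or host.endswith("." + dom) for dom in trusted):
        return "trusted"
    labels = host.split(".")
    # Punycode labels can hide Unicode characters that imitate Latin letters.
    if any(label.startswith("xn--") for label in labels):
        return "lookalike:punycode"
    # Misspelling or switched letter: last two labels within one edit of a trusted name.
    tail = ".".join(labels[-2:])
    for dom in trusted:
        if osa_distance(tail, dom) <= max_dist:
            return "lookalike:" + dom
    # Trusted name placed in front of a domain that belongs to someone else.
    for dom in trusted:
        if host.startswith(dom + ".") or "." + dom + "." in host:
            return "lookalike:" + dom
    return "unknown"
```

A result of `unknown` means only that the host resembles nothing on the list, not that the link is safe.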

USA Today also suggests that if a package addressed to you wasn’t ordered by you or anyone you know, you should report it online using the Report Unwanted Package form on Amazon.

“Amazon investigates reports of ‘brushing’ and takes action on bad actors that violate our policies, including suspending or removing selling privileges, withholding payments, and working with law enforcement. Customers don’t need to return the item,” an Amazon spokesperson said regarding these types of illegal activities.