You walk to your mailbox or front porch and find a package waiting for you. It has your name and address on the label. You open it up, expecting something you ordered, but instead, you find a cheap plastic necklace, a packet of seeds, or maybe even just a hair tie. You check your bank account and credit card statements—no charges. You check your Amazon or eBay order history—nothing there.
You aren’t lucky, and this isn’t a mistake. You are a prop in a scheme known as brushing scams.
While receiving free merchandise might feel like a win, it is actually a warning sign. These packages are evidence that your personal information—specifically your name and home address—has been compromised. Understanding how this scam works is the first step to securing your privacy.
How Do Brushing Scams Work?
Brushing is a technique used by unethical online sellers to boost their search rankings on platforms like Amazon, Temu, eBay, and AliExpress. These marketplaces rely heavily on algorithms that prioritize products with high sales volume and “Verified Purchase” reviews.
To trick the system, scammers need to create fake sales. But they can’t just make up an order number; the platform requires a valid tracking number from a shipping carrier (like UPS, FedEx, or USPS) to prove an item was actually delivered.
Here is the step-by-step process of the “Verified Review” loop:
1. Data Acquisition
First, the scammer needs a real delivery address. They often buy lists of names and addresses from the dark web, usually obtained from previous data breaches. This is often why websites are leaking your info is such a critical issue—your data ends up in the hands of “brushers.”
2. The Ghost Order
The scammer creates a fake buyer account or uses a compromised account. They place an order for their own product. To avoid leaving a money trail that leads back to them, they often pay using gift cards or separate accounts. They enter your address as the shipping destination.
3. The Delivery
To generate the all-important tracking number, they ship a package to you. Since they are paying for the shipping, they want to keep the package as light and cheap as possible. This is why you receive trinkets instead of valuable items.
4. The Fake Review
Once the carrier marks the package as “Delivered,” the platform sees a completed, verified transaction. The scammer then logs into the fake buyer account and writes a glowing 5-star review. Because there is a tracking number attached, this review shows up as a “Verified Purchase,” which boosts the seller’s rating and tricks real customers into buying their products.
Common Types of Brushing Packages
Not all brushing scams look the same. Scammers use different items depending on their budget and goals. These are some of the scams you need to stay alert to when opening unsolicited mail.
The “Token” Item
This is the most common variation. You receive cheap, lightweight items that cost pennies to manufacture. Common examples include:
- Plastic jewelry or keychains.
- Hair elastics or scrunchies.
- Cheap Bluetooth dongles or phone cases.
- Face masks.
Unsolicited Seeds
This variation is particularly concerning. Victims receive small packets of seeds, often mailed from China or other international hubs.
- The Danger: The USDA has issued strong warnings about these packages. The seeds could be invasive species that threaten local agriculture, or they could carry plant diseases.
- What to do: Do not plant them. Do not throw them in the trash where they could sprout in a landfill. Contact your state’s plant regulatory official or the USDA’s APHIS division for disposal instructions.
Empty Packages
Sometimes, scammers want to save even more money. They send an empty envelope or a box filled with paper. For the scammer, the contents don’t matter—only the “Delivered” scan from the postal carrier matters.
“Quishing” (QR Code Phishing)
This is a newer, more dangerous evolution of the brushing scam. The package arrives containing a card that says, “Scan to see who sent this gift,” “Claim your prize,” or “Contact Support.”
- The Trap: If you scan the QR code with your phone, it directs you to a malicious website. This site may attempt to install malware on your phone or trick you into entering your login credentials. This pivots the scam from a simple nuisance to active identity theft.
Red Flags: Is This Package a Scam?
How can you tell the difference between a brushing scam and a genuine gift from a forgetful aunt? Look for these red flags:
- No Return Address: The label often lacks a return address, or the address is a generic “Fulfillment Center.”
- Foreign Origin: The package originates from an international address (often China) when you didn’t order anything from abroad.
- Cheap Items: The contents are low-value items that don’t make sense as a gift (like a single ping-pong ball or a cheap plastic ring).
- No Gift Receipt: A real gift usually comes with a slip identifying the sender. Brushing packages are anonymous.
- QR Code Demands: The only paperwork inside is a card urging you to scan a QR code to “release” the item or identify the sender.
- No Order Record: You cannot find a matching order in your Amazon, eBay, or Temu history.
The Dangers: Why Should You Be Worried?
If you get free stuff, why is this a problem? While you aren’t losing money directly on the transaction, brushing scams carry hidden risks.
Your Data is Compromised
The arrival of the package is proof that your Name, Address, and likely your Phone Number are circulating on “sucker lists” or dark web databases. If a scammer has this info, they may try to target you with more severe fraud later.
Porch Piracy Drops
In some aggressive variations, scammers use stolen credit cards to buy expensive items (like laptops) and ship them to your house. They track the delivery and try to swipe the package from your porch before you get home. If you receive a brushing package, be on high alert for “porch pirates.”
The Phishing Pivot
Once a scammer knows your address is active (because the package wasn’t returned), they may follow up with fake invoices or letters demanding “customs fees.” This connects the physical mail scam to digital fake invoice scams, attempting to trick you into paying for the item you never wanted.
What To Do If You Receive a Brushing Package
If a mystery package lands on your doorstep, don’t panic. Follow this checklist to protect yourself.
1. Don’t Pay for Anything
According to the Federal Trade Commission (FTC), you have a legal right to keep unsolicited merchandise as a free gift. You are under no obligation to pay for it, and you do not have to return it. If the sender sends you a bill later, you can legally ignore it.
2. Do Not Scan QR Codes
If there is a card inside asking you to scan a code, throw it away. Scanning unknown QR codes is a fast way to compromise your smartphone security.
3. Report It to the Platform
If the package has Amazon, eBay, or Temu branding (or you can identify the sender from the label), contact the retailer’s Customer Support or Fraud department. Give them the tracking number. This helps them identify and ban the fake seller account.
4. Secure Your Identity
Because this scam implies a data leak, take this opportunity to tighten your digital security.
- Change Passwords: Update your passwords on major shopping sites.
- Enable MFA: Turn on Multi-Factor Authentication. This is one of the best ways to prevent account compromise even if scammers have your password.
- Check Bank Statements: Just to be safe, review your credit card statements to ensure the scammers didn’t use your money to buy the item.
Warning: Beware of Recovery Scams
There is a secondary trap that often follows a brushing scam. Scammers know that receiving unexpected packages makes people nervous. They exploit this fear.
You might receive a phone call or an official-looking email claiming to be from “Customs,” “Amazon Security,” or a “Private Investigator.”
The Pitch: They claim the package sent to your house contained illegal contraband (like drugs or counterfeit goods) and that you are in legal trouble.
The Trap: They offer to “clear your name” or “stop the investigation” if you pay a fine or a fee.
The Reality: Legitimate law enforcement and companies like Amazon will never ask you to pay a fine via gift cards, cryptocurrency, or wire transfer to resolve a package issue. If you get this call, hang up immediately.
Frequently Asked Questions (FAQ)
Q: Is brushing illegal?
A: Yes. It is considered mail fraud in the United States and many other countries. It also violates the terms of service of every major e-commerce platform because it creates false advertising.
Q: Can I keep the items?
A: Yes. Federal laws regarding unsolicited mail allow you to treat these items as unconditional gifts. You do not need to pay for them or return them.
Q: Why did they pick me?
A: It likely wasn’t personal. Your information was probably part of a large batch of data purchased by the scammer. They simply needed a valid US address to send the package to.
Q: Should I verify the order if they ask?
A: No. If you receive a text or email asking you to “verify receipt” of the package, do not click the link. This confirms to the scammer that your email/phone number is active and connected to that address.
Conclusion
Brushing scams are a nuisance, but they are also a helpful alarm bell. They signal that your personal information is out in the wild. While you can enjoy the free hair ties or keychains (after checking them for safety), use the arrival of these packages as a reminder to audit your online privacy.
Change your passwords, monitor your bank accounts, and stay skeptical of unsolicited mail. By understanding the scam, you turn a confusing mystery package into a trigger for better security.
Thodex.com – Your guide to digital safety, privacy, and scam prevention.