When Free Stuff Isn’t Free
You check your porch and find a package from Amazon. You didn’t order anything. You ask your family — nobody sent you a gift. You open it anyway and find a random item: cheap earbuds, a phone case, some costume jewelry, or maybe a small gadget.
Free stuff, right? What’s the harm?
The harm is this: someone has your personal information, and they’re using it.
This is called a brushing scam, and it’s becoming increasingly common. What looks like a harmless surprise delivery is actually a sign that your data has been compromised — and things could get worse.
What Is a Brushing Scam?
A brushing scam works like this:
- A seller (usually overseas) finds your name and address online — from a data breach, a people-search website, social media, or purchased databases
- They create a fake account in your name on Amazon or another marketplace
- They ‘order’ their own cheap product and ship it to you
- Once the tracking shows ‘delivered,’ they write a glowing five-star review in your name
- The fake ‘verified purchase’ review boosts their product rankings and credibility
The term ‘brushing’ comes from sellers trying to ‘brush up’ their sales numbers and ratings with fake transactions.
The items are typically lightweight and cheap to ship — rings, seeds, phone accessories, face masks, small electronics. The seller loses a few dollars on each package but gains valuable fake reviews that drive real sales.
Why This Is More Dangerous Than It Seems
You might think: ‘So what? I got free earbuds and someone wrote a fake review. Who cares?’
Here’s why you should care:
Your Personal Information Is Compromised
The package arrived at your door with your name on it. That means someone has your:
- Full name
- Home address
- Possibly your phone number
- Possibly your email address
Where did they get it? Most likely from a data breach or a people-search site that aggregates public records. The same information that let them send you a brushing package could be used for identity theft, phishing attacks, or other scams.
In 2025 alone, there were over 3,300 major data breaches affecting more than 343 million people in the United States. Your information is out there.
Someone May Have Access to Your Accounts
In some cases, brushing scammers don’t just have your address — they’ve actually accessed your Amazon or other shopping accounts. Check your order history. If you see purchases you didn’t make, you have a bigger problem than a random package.
Fake Reviews Hurt Everyone
Those fake five-star reviews push low-quality products to the top of search results. Real shoppers see ‘verified purchase’ and trust it. They buy junk because of reviews written in your name without your knowledge.
Amazon removed over 275 million reviews in 2024 alone on suspicion of being fake. In 2025, they filed lawsuits against 75 companies selling fake reviews. It’s that big of a problem.
You Could Be Banned
If Amazon or another platform discovers fake reviews posted under accounts linked to your identity, your legitimate account could be flagged or suspended — even though you did nothing wrong.
The New Twist: QR Codes That Steal Your Data
Brushing scams have recently evolved to become even more dangerous.
The US Postal Inspection Service is warning about a new variation: packages that include a card with a QR code. The message says something like ‘Scan to find out who sent you this gift!’ or ‘Register your product here.’
If you scan the code, you’re taken to a fake website designed to steal your information. It might look like an Amazon login page, a bank verification site, or a product registration form. Enter your credentials or personal details, and you’ve handed them directly to scammers.
This combination of brushing and QR code phishing is called ‘quishing’ — and it’s on the rise.
Never scan a QR code from an unexpected package.
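For anyone triaging a reported card (a help desk or awareness trainer, for example), the link already decoded from the QR code can be checked as plain text without ever opening it. The sketch below is an added example, not part of the original article; the allowlist, the function name `vet_qr_url` and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: domains the recipient really does business with (illustrative allowlist).
TRUSTED_DOMAINS = {"amazon.com", "usps.com"}

def vet_qr_url(payload):
    """Return the reasons a decoded QR payload should not be trusted (empty list = none found)."""
    reasons = []
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["not a parseable URL"]
    if parts.scheme != "https":
        reasons.append("scheme is not https")
    if not host:
        return reasons + ["no hostname"]
    # In https://brand.com@other.example/ the browser connects to other.example.
    if parts.username or parts.password:
        reasons.append("text before '@' is not the real host")
    # Punycode or non-ASCII hosts can imitate a brand with look-alike characters.
    if host.startswith("xn--") or ".xn--" in host or not host.isascii():
        reasons.append("internationalized host")
    # Trusted only if the host IS the domain or a true subdomain of it.
    trusted = any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)
    if not trusted:
        brands = sorted(d.split(".")[0] for d in TRUSTED_DOMAINS)
        if any(b in host for b in brands):
            reasons.append("brand name in an untrusted host")
        else:
            reasons.append("host is not on the trusted list")
    return reasons

# Constructed sample payloads (.example is a reserved test domain).
SAMPLES = [
    "https://www.amazon.com/gp/help",
    "https://amazon.com.gift-lookup.example/signin",
    "https://www.amazon.com@gift-lookup.example/login",
    "http://amazon.com/",
    "https://xn--amazn-mye.example/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", vet_qr_url(url) or "no warning signs found")
```

An empty result only means none of these specific tricks were found; it does not make a link from an unexpected package safe to open.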
What to Do If You Receive a Package You Didn’t Order
If a mystery package shows up at your door:
1. Don’t Panic — But Don’t Ignore It
First, confirm it’s not actually a gift. Ask family members, check if it’s near anyone’s birthday, and look for a gift receipt or note inside.
2. Check Your Accounts
Log into Amazon (or whatever retailer the package appears to be from) and check your order history. Look for orders you didn’t place. Check your payment methods for unauthorized charges.
3. Report It to the Retailer
Amazon has a specific process for reporting brushing scams:
- Go to Amazon’s ‘Report Unwanted Package’ page
- Provide order IDs if visible, the number of packages received, and photos of shipping labels
- Amazon will investigate and take action against the seller
Other retailers have similar reporting processes — check their customer service pages.
4. Do NOT Scan Any QR Codes
If there’s a card or insert with a QR code asking you to ‘find out who sent this’ or ‘register your product’ — throw it away. It’s almost certainly a phishing attempt.
5. Change Your Passwords
Update passwords for your shopping accounts, email, and any accounts that share the same password. Use strong, unique passwords for each account. Enable two-factor authentication wherever possible.
6. Check Your Credit and Bank Statements
Look for unauthorized charges. If you find any, contact your bank immediately.
7. Consider a Credit Freeze
If you’re concerned about identity theft, you can freeze your credit with the three major bureaus (Equifax, Experian, TransUnion) for free. This prevents anyone from opening new accounts in your name.
8. You Can Keep the Item
By law (FTC regulations), you’re allowed to keep unsolicited merchandise. You’re under no obligation to pay for it or return it. But understand that keeping it doesn’t make the underlying problem go away — your information is still compromised.
How to Protect Yourself Going Forward
Brushing scams are a symptom of a bigger problem: your personal information is too easy to find online. Here’s how to reduce your exposure:
Limit What You Share Online
Be cautious about posting your full name, address, phone number, or other personal details on social media or public websites.
Opt Out of People-Search Sites
Websites like Spokeo, WhitePages, BeenVerified, and dozens of others aggregate and sell your personal information. Most have opt-out processes — though they’re often tedious. Services like DeleteMe or Incogni can automate this for you.
Use Strong, Unique Passwords
If one account gets breached and you use the same password everywhere, attackers can access everything. Use a password manager to create and store unique passwords for each account.
Enable Two-Factor Authentication
Adding a second layer of security to your accounts means that even if someone has your password, they can’t get in without also having access to your phone or authenticator app.
Monitor for Data Breaches
Services like HaveIBeenPwned.com let you check if your email address has appeared in known data breaches. Consider signing up for alerts.
Be Skeptical of Unexpected Packages
If you didn’t order it and weren’t expecting it, treat it with caution — especially anything with QR codes or requests for additional information.
Protect Your Business Too
Brushing scams typically target individuals, but the underlying problem — compromised personal information — affects businesses as well. Employee data, customer records, and business accounts can all be exposed through data breaches.
At Pendergrass Consulting, we help businesses protect their data and train employees to recognize scams. From cybersecurity assessments to employee awareness training, we provide the tools and knowledge to keep your business safe.
Contact us today if you have questions about protecting your business from scams and data breaches.
Pendergrass Consulting provides cybersecurity, IT support, and technology consulting services throughout the Triangle area, including Raleigh, Durham, Chapel Hill, Cary, Apex, and the surrounding communities.













