By Scott Sykes, CISO, Asurity

If you receive a package you didn’t order, you may be the unknowing target of a brushing scam—a deceptive tactic used by third-party sellers on e-commerce platforms to boost product reviews and rankings.

Here’s how it works: sellers send low-value items to individuals using names and addresses often sourced from public records or data breaches. Once delivered, the scammers post fake five-star reviews using the recipient’s name or a fictitious profile, making their products appear more credible and popular.

While recipients typically don’t lose money directly, brushing scams are a red flag that your personal information is being used without your consent—and may be circulating among bad actors.

A growing concern: Some of these packages now include QR codes, which pose a real threat. U.S. Postal Inspectors strongly advise against scanning QR codes from unexpected deliveries, as they can lead to malicious websites that steal data, install malware, or carry out phishing attacks.

What to do if you receive a brushing package:

• You're not obligated to return or pay for unsolicited merchandise—you can keep or discard it.
• Monitor your financial accounts and online shopping profiles for any suspicious activity.
• Consider updating your passwords and enabling two-factor authentication as a precaution.

If you’re concerned your personal data may have been compromised, consider checking your information through a credit monitoring service or data breach tracking platform.