Brushing Scams Explained: How to Spot Unsolicited Packages

A package shows up at your door. You did not order anything, but there it is, sitting on the porch with your name on it. For a moment, it feels like a nice surprise. Then you open it and find something small and cheap inside, something you would never actually choose to buy. There is no note, no receipt, and sometimes not even a clear sender.

This situation has a name. It is called a brushing scam, and it has become common enough that government consumer protection agencies have started warning people about it directly. The good news is that once you understand how it works, it becomes very easy to handle calmly and correctly.

This guide explains what a brushing scam is, why it happens, what changed about it recently, and the simple steps you can take to protect yourself going forward.

What Is a Brushing Scam

A brushing scam is a method used by some online sellers to make their products look more popular than they really are. Instead of selling the item to a real customer, the seller ships it directly to a random person using an address they found or purchased, without that person ever placing an order.

Once the package shows tracking and delivery, the seller can claim it as a completed sale on the marketplace. They often follow up by posting a glowing review in the recipient's name, labeled as a verified purchase. This is where the term fake verified reviews comes from. To shoppers browsing the platform, the product looks trusted and popular, even though no real customer ever bought or used it.

The name brushing comes from the idea of brushing up a seller's reputation. The package you receive is mostly a side effect of that process, not the main goal.

Why This Happens

Online marketplaces reward products that sell well and receive positive feedback. Higher sales and better reviews usually mean a product shows up higher in search results, which leads to even more sales. This creates pressure for some sellers to find shortcuts.

Sending real packages to real addresses gives a seller something powerful: a legitimate shipping record. A delivery confirmation from a real carrier is hard for a marketplace to question, which makes the fake sale look authentic from the outside.

This is part of a wider pattern sometimes called online shopping scam activity, where the goal is not to take money from the person receiving the package, but to manipulate the system around them.

How a Brushing Scam Works, Step by Step

Understanding the process makes it much less confusing if it happens to you.

Step one: Information gathering. A seller obtains a list of names and addresses. This usually comes from a data breach, a public records source, or a data broker that collects and resells personal details. Most people never agreed to have their information shared this way, and most never find out until something like this happens.

Step two: A fake order is placed. The seller creates an account or uses an existing one to "buy" their own product, listing your address as the delivery destination.

Step three: The item ships. A low cost item, something light and inexpensive to mail, gets sent to your home. This keeps shipping costs low while still producing a valid tracking number.

Step four: A review appears. Once the tracking record shows the package was delivered, the seller posts a review in your name, calling it a verified purchase, even though you never selected, paid for, or asked for the product.

At no point in this process do you lose money. The package itself usually causes no direct harm. The real concern is what it reveals about your information being available to people who should not have it.

The Newer Twist: QR Codes and Quishing

This is the part of the story that has changed recently, and it deserves real attention.

Some unsolicited packages now arrive with a small card or insert. It often says something friendly, like an invitation to scan a code to discover who sent the gift, or to learn how to return the item. The code itself is a QR code, the same square pattern used for many legitimate purposes like restaurant menus or payment apps.

The problem is that scanning this particular code can lead somewhere unsafe. This tactic has a name: quishing, which combines the word QR with phishing. Instead of taking you to a real company page, the code can lead to a copycat website built to collect personal details, login information, or payment data. In some cases, visiting the site can also lead to harmful software being installed on a phone or device.

The safest choice with any QR code scam insert is simple and direct: do not scan it. There is no real gift information you need from that code, and nothing valuable is lost by ignoring it completely.

Common Signs You Received a Brushing Package

A few patterns show up again and again with these deliveries:

  • There is no return address, or the listed sender does not match any company you recognize
  • The item is small, cheap, and something you would not normally buy, such as jewelry, a phone case, hair accessories, or a small gadget
  • The package includes a card asking you to scan a code or visit a website to find out who sent it
  • A text message or email arrives afterward asking you to confirm that you received a delivery you never actually requested

That last point is worth remembering. Replying to confirm a delivery you never made simply tells the sender that your phone number or email address is active and connected to that home address, which is exactly the kind of detail they were hoping to confirm.

Your Rights When You Receive an Unwanted Package

Here is something genuinely reassuring: federal law is very clear and very favorable to you in this situation. Under longstanding mail regulations, merchandise that arrives without being ordered can be treated as an unconditional gift. This means you are allowed to keep it, use it, give it away, or simply throw it out. You owe nothing, and you are never required to send it back or make a payment of any kind.

If anyone later contacts you demanding payment for an item you never ordered, you can confidently let them know that no payment is owed, since the law already protects you here.

Simple Steps to Take Right Away

If a package like this shows up, here is a calm and effective way to handle it:

  1. Do not scan any QR code included with the package, and do not click on any link sent through a follow up text or email about it.
  2. Decide what to do with the item. You can keep it, donate it, or throw it away, depending on what makes sense for you.
  3. Avoid paying anything, even if a message claims you owe a fee, a customs charge, or a shipping balance.
  4. Look through your online accounts for the marketplace it appears to be linked to. Check your order history, saved payment methods, and any recent account changes you do not recognize.
  5. Update your password for that account and turn on extra login protection, such as a verification code sent to your phone, if you have not already done so.

These steps take only a few minutes and give you a clear sense of control over the situation.

How to Report It

Reporting an unsolicited package helps marketplaces identify the sellers behind these schemes and helps protect other shoppers too. Most major platforms, including large online marketplaces, have a specific page for reporting an unwanted package or suspicious seller activity. A quick search within the platform's help section, using a phrase like "report unwanted package," will usually lead you to the right form.

You can also file a report with the FTC scam alert system through the Federal Trade Commission's consumer reporting site. This report does not cost anything and takes only a few minutes to complete.

If the package included seeds you cannot identify, do not plant them and do not throw them directly into the trash or outdoor compost. Some agricultural officials have raised concerns about unfamiliar seed shipments potentially introducing unwanted plant species. Contacting your local state agriculture department for guidance on disposal is the safest path here.

Protecting Your Personal Information Going Forward

Since brushing packages usually trace back to information that was already shared somewhere without your full awareness, taking a few preventive steps can lower the chances of this happening again.

Searching your own name on major people-search and data broker websites lets you see what information about you is publicly listed, and most of these sites offer a way to request removal. It takes a little time, but it is free to do yourself.

Checking whether your email address has appeared in a known data breach is another helpful habit. Several free and trusted tools online let you search this safely. If your email does show up in a past breach, treating that as a gentle reminder to update your passwords is a smart move.

Pulling your free credit report once a year, available through the major credit bureaus, gives you a clear picture of any accounts opened in your name that you do not recognize. This is one of the simplest forms of identity theft protection available, and it costs nothing.

A Few Words on Staying Calm

It helps to remember that a brushing package, on its own, is not dangerous. The item is yours to keep, the situation costs you nothing financially, and the steps to respond are simple and quick. The only real action point is avoiding the QR code and taking a short moment to check your accounts.

Many people receive one of these packages at some point, especially as more shopping moves online. Treating it as a useful reminder, rather than a reason to worry, is the healthiest and most accurate way to look at it. A little awareness goes a long way, and now you have a clear, simple plan ready whenever it happens.

Frequently Asked Questions

Did I do something wrong if I received a brushing package?

No. This almost never has anything to do with something you personally did. Your address was most likely part of a larger batch of information collected from a breach or a broker site.

Am I required to pay for the item or send it back?

No. Federal law allows you to keep unordered merchandise without any payment or return obligation.

Is it safe to scan the QR code just to see who sent the gift?

It is best to avoid this completely. The safer choice is to simply set the card aside or throw it away without scanning anything.

Why does this matter if the package does not cost me anything?

The package itself is harmless, but it is a sign that your name and address are available somewhere they should not be. Taking a few minutes to secure your accounts is a smart and simple precaution.

What should I do with seeds I cannot identify?

Do not plant them. Contact your local agriculture department for safe disposal guidance.