A random package at your door might feel like a surprise gift — but it could actually be a warning sign that your personal data is already exposed.
What looks like harmless “brushing” is now evolving into a full-blown cyber threat, where QR codes and fake deliveries are used to steal your money and identity.
In a Nutshell
A delivery driver drops a box at your door. You open it to find a brand-new smartphone or smartwatch you never purchased. Your first instinct might be delight — but it should be alarm. The package you didn't order is a warning sign of an active threat. Scammers have your real address, your name is in criminal databases, and the parcel itself may be weaponised to steal your banking credentials.
A brushing scam is a form of e-commerce fraud in which scammers ship unsolicited packages to real addresses to manufacture fake verified sales records. They need a tracking number showing a delivered parcel to post a "verified purchase" review on platforms like Amazon or Temu.
Amazon removed more than 275 million fake reviews in 2024 alone, forcing fraudsters to constantly generate new verified shipments to keep their stores visible in search rankings. The mechanics are simple: they buy their own cheap product, ship it to your real address, and write a glowing review under a fake account linked to your delivery. You receive a worthless item; they secure a boosted ranking that deceives thousands of genuine buyers.
Brushing scams have evolved well beyond fake reviews. Fraudsters now include printed inserts inside the parcel — cards that look professionally produced, pushing you to "register your device," "scan for warranty," or "activate your product."
Source: Trendmicro
FBI Warning: The FBI has issued an active warning that scanning QR codes found in unsolicited packages directs your device to phishing websites or installs malware designed to steal banking credentials. Do not scan any QR code from an unexpected delivery.
This transforms a strange delivery into a targeted cyberattack. Criminals no longer just want a boosted review — they want direct access to your digital wallet and financial accounts.
Plugging in a mystery electronic device can compromise your entire home network. Unsolicited phones and tablets carry a severe risk of pre-installed malware — software that logs your keystrokes or intercepts the verification texts your bank sends you. Turning the device on and connecting it to your Wi-Fi hands the sender access to every device on your local network.
Hardware-level attacks bypass standard antivirus software completely because the threat lives inside the physical circuitry of the device. If you receive unsolicited electronics, treat them as hostile rather than lucky windfalls.
"They are not sending you a gift — they are sending a trap to your front door."
Receiving a brushing package confirms your name and physical address are circulating in criminal databases. In 2025 alone, 3,322 major data breaches exposed the names and home addresses used to power these operations. Scammers cross-reference your address with leaked shopping histories to make deliveries appear plausible.
You can check whether your email address has been exposed in a known breach using Have I Been Pwned, a free database that tracks compromised login credentials. If your email appears, update your passwords immediately — especially for banking and e-commerce accounts.
~ UK: Action Fraud
~ EU: Europol Cybercrime Reporting
You hold zero legal obligation to return or pay for an unsolicited delivery. Under US federal law, you are entitled to keep any unsolicited merchandise as a free gift. You do not owe the sender money and never have to pay for return shipping. The same principle applies in the UK under the Consumer Rights Act 2015.
Confirm whether the sender's website is a known scam operation before you engage further.
Keep the outer packaging and any inserts if you intend to file a formal report — they can help investigators trace the shipment origin.
Frequently Asked Questions
Do I have to pay for an unexpected package?
No. Under US federal law and UK consumer law, you are entitled to keep unsolicited merchandise as a free gift without any payment obligation to the sender.
Can I safely use a free phone sent in a brushing scam?
No. You should never power on or connect an unsolicited device to your Wi-Fi network. Unsolicited electronics frequently contain pre-installed malware that can compromise your entire home network and intercept your banking verification codes.
How did scammers get my home address?
Fraudsters purchase lists of names and home addresses leaked in corporate data breaches and sold on dark web marketplaces. Check your email at Have I Been Pwned to see if your details are among exposed records.
What happens if I scan the QR code in the package?
The QR code directs your device to a phishing website or silently downloads malware designed to steal your passwords and intercept your banking credentials. The FBI has specifically warned consumers not to scan QR codes found in unsolicited packages.
Adam Collins is a cybersecurity researcher at ScamAdviser who operates under a pseudonym for privacy and security. With over four years on the digital frontlines, he specialises in translating complex threats into actionable advice. His mission: exposing red flags so you can navigate the web with confidence.