https://whitelabel-manager-production.ams3.digitaloceanspaces.com/thumbs/x-1920x1080-9-74ac8.jpg_800x.jpg
July 7, 2026
Author: Adam Collins

What is a Brushing Scam? And Why That "Free" Package Isn't Good News

A surprise package might seem like free shopping, but it could be evidence that your personal information has already been misused. Here's what a brushing scam is, why it happens, and how to protect yourself.

In a Nutshell

  • A brushing scam is when sellers send unsolicited packages to real addresses so they can post fake "verified purchase" reviews and boost product rankings.
  • Mystery packages often contain cheap items like phone accessories, jewelry, or seed packets because the seller is paying for the shipping.
  • Some brushing scams now include QR codes that lead to phishing websites designed to steal your passwords or personal information.
  • Receiving a brushing package is a warning that your name and address may have been exposed through a data breach or sold by data brokers.
  • Don't scan QR codes, check your shopping accounts for unauthorized orders or reviews, change reused passwords, and monitor your credit for signs of identity theft.

A box shows up with your name and address on it. You didn't order anything. Inside is something small and cheap, maybe a phone case, a pair of earrings, or a packet of seeds. No invoice, no return address, nothing to explain where it came from.

It's tempting to shrug and keep it. Most people do. But the package is a symptom of something that already happened before it ever reached your door: your personal information got used without your permission. Here's what's actually going on, and what to do about it.

What a brushing scam actually is

A brushing scam is when a third-party seller on a marketplace like Amazon, eBay, Temu, or AliExpress ships an item to a real address without the recipient ordering it, so they can mark the sale as delivered and post a five-star "verified purchase" review under that person's name.

A reddit user received this weird potato without ordering

The word comes from "brushing up" a seller's numbers. Marketplaces rank products partly by sales volume and by how many of their reviews come from verified buyers, meaning someone the platform can confirm actually received the item. A verified review carries far more weight in the algorithm than an anonymous one, and shoppers trust it more too. Buying that trust legitimately, through real sales, takes time. Faking it is cheaper and faster, and that gap is the entire business model behind brushing.

How it works, step by step

The seller needs a valid name and shipping address that isn't theirs. These get pulled from data broker sites, leaked databases from old breaches, or lists bought outright on parts of the internet where stolen personal data is traded.

With your details in hand, they open an account (or several) that looks like a normal customer, then place an order for their own product and enter your address as the delivery destination. They pay for it themselves, usually with a method that doesn't trace back to their real identity. Because the item genuinely gets delivered, the marketplace records it as a completed, verified transaction. Once tracking shows "delivered," the seller logs back in under the fake account and leaves a glowing review. Multiply this across hundreds of addresses and a mediocre product can climb to the top of search results within days.

The items are almost always cheap and light, since the seller is paying for shipping out of pocket and wants to keep the cost as close to zero as possible. That's why brushing packages tend to be things like hair ties, cheap jewelry, phone accessories, or seed packets rather than anything of real value.

The QR code twist worth knowing about

A newer variation, flagged by the U.S. Postal Inspection Service, adds a card inside the box with a QR code, telling you to scan it to find out who sent the gift or to claim some kind of reward. Scanning it takes you to a convincing fake site, often styled to look like a bank or government portal, designed to harvest your login details or personal information. This tactic is called quishing, short for QR code phishing, and it turns a mostly passive scam into an active attempt to steal from you directly. If a package includes a QR code, don't scan it, no matter what it promises.

Why it matters even though you didn't lose money

It's easy to write this off as harmless since nothing was charged to your card. But think about what the package actually proves: someone you've never interacted with already has your full name and home address, accurate enough to route a package through the postal system. That data didn't appear out of nowhere. It's a strong sign your information showed up somewhere it shouldn't have, whether that's an old data breach, a broker site, or a list sold on darker corners of the web.

There's also a quieter problem. A review is now sitting on a marketplace with your name attached to it, for a product you never bought and have never seen used. If that seller's product turns out to be defective, unsafe, or the subject of a dispute later, your name is publicly tied to praise you never gave.

What to actually do if it happens to you

Don't scan any QR code that came with the package, and don't call a number printed on an insert claiming to explain the "gift." Legally, in the US you're allowed to keep unsolicited merchandise and you owe the sender nothing, so there's no need to try to return it or pay for it.

Check your accounts on the marketplace the item likely came from. Log in and look for an order you don't recognize, or a review posted under your name that you never wrote. Most major marketplaces have a specific reporting flow for this exact situation. On Amazon, for example, you can report it directly and ask that any fake review under your name be removed.

Take the data exposure seriously even though no money moved. Change the password on the account tied to the address the package was sent to, especially if you reuse that password anywhere else. Pull your credit report and watch for accounts you didn't open, since the same stolen data used for brushing sometimes gets reused for more serious identity theft down the line. Filing a report with the FTC at reportfraud.ftc.gov helps build the broader picture regulators use to go after the sellers running these schemes.

One more thing worth doing: don't just throw the item away with your name still attached to shipping labels or the seller's return information. Cut off or shred any label showing your address before recycling the box.

The one exception: don't ignore what's inside

If what arrived isn't a trinket but seeds, an unknown liquid, or anything you can't identify, don't plant it, drink it, or dispose of it normally. Unmarked seed packets sent from overseas have shown up as part of brushing schemes before, and agricultural authorities warn they can carry invasive species or plant diseases that cause real damage if planted. Contact your state's plant regulatory office or, in the US, USDA APHIS, and follow their disposal instructions instead of tossing it in the trash or the compost bin.

The bottom line: Be Cautious of brushing scam

A brushing scam won't drain your bank account, but it's rarely the full story. It's usually the visible tail end of a data exposure that happened somewhere else, weeks or months earlier. Treat the free package as a prompt to check your accounts and tighten up your data, not as a stroke of luck.

Scammers don't take days off, so why should your scam checker? Download the ScamAdviser app today and keep it in your pocket.

Adam Collins is a cybersecurity researcher at ScamAdviser who operates under a pseudonym for privacy and security. With over four years on the digital frontlines, he specialises in translating complex threats into actionable advice. His mission: exposing red flags so you can navigate the web with confidence.

See Full Bio

Report a Scam!
Have you fallen for a hoax, bought a fake product? Report the site and warn others!
About Us Check Yourself Contact Disclaimer
Developed By: scamadviser-logo