BBB Warns: Do Not Scan QR Codes on Unexpected Packages

From the Better Business Bureau

A package you didn’t order could be a fun surprise, but be careful, especially if it comes with a QR code. It might be the setup for a scam.

What you’ll learn:
  • How brushing scams use fake packages—and now QR codes—to trick consumers and post fake reviews

  • Why scanning a QR code from an unexpected package can expose your personal information or device to scammers

  • What steps to take if you receive a package you didn’t order, including how to protect your identity and report the scam

How the scam works

In a “brushing” scam, you receive a package you didn’t order, often without a return address. This is often a setup by unscrupulous companies who found your address online. After the company ships the product to you, they can post a fake, positive review on your behalf to improve their store’s ratings and get more sales.

Reports to BBB Scam Tracker over the last few months show a twist on brushing scams where the package contains a QR code. The code comes with instructions to scan it to find out who sent the package or how to start a return. Scanning the QR code can lead to a phishing website or download malware onto your device.

In a recent BBB Scam Tracker report, a consumer shared this experience: “I received a small package at my door marked UNIUNI from: LEO. This person/company has my name and address – when I googled them the information states this is a brushing scam and that someone has obtained my personal information from either AliExpress, TEMU, or Amazon. I have an Amazon account but have not used those other sites. The label has a tracking number, QR code, customer number, and reference number. I have not opened the package, nor do I wish to – this is highly suspicious. I did not order anything from this company/person.”

It might seem like there are no downsides to a free package, but it could be a sign that someone is using your personal information for their own gain.

If this happens to you, BBB recommends checking the security of your accounts and notifying the retailer who sent you the package.

What to do if you receive a package you didn’t order:

Don’t scan QR codes. They might take you to a phishing site that steals your personal information or download malware onto your device.

Protect your identity. If you did scan the QR code and enter personal information, change your passwords for any compromised accounts and enable two-factor authentication. Also, keep a close eye on your credit reports and credit card bills after you receive the package.

Notify the retailer. If you can tell where the package is from, go directly to the retailer’s website to get their contact information and report the package as a scam.

Check for fake reviews. If you can identify the company that sent you the packages, look for false reviews in your name and report them to the retailer.

Pause deliveries. One package is no big deal, but some targets of brushing scams are overwhelmed with a flood of unordered packages, creating a serious problem. If this happens, you may want to consider temporarily refusing package delivery at your home address and directing your real orders to a package acceptance service.

Keep the package. The one silver lining of brushing scams is that you get to keep the gift – the