A package you didn’t order could be a fun surprise, but be careful – especially if it comes with a QR code. It might be the setup for a scam.
In a “brushing” scam, you receive a package you didn’t order, often without a return address. This is often a setup by unscrupulous companies who found your address online. After the company ships the product to you, they can post a fake, positive review on your behalf to improve their store’s ratings and get more sales.
Reports to BBB Scam Tracker over the last few months show a twist on brushing scams where the package contains a QR code. The code comes with instructions to scan it to find out who sent the package or how to start a return. Scanning the QR code can lead to a phishing website or download malware onto your device.
In one BBB Scam Tracker report, a consumer received a package of pasta via Amazon in her name. Thinking it was a gift from a friend, she scanned the QR code that came with the package. The QR code took her to a website that appeared to be Amazon. The consumer said she has received a higher-than-normal amount of scam emails since scanning the QR code.
In another BBB Scam Tracker report, a consumer received a ring in the mail that he did not order. The ring came with a QR code. The consumer checked BBB Scam Tracker before scanning the code, and after reading other reports about brushing scams, he decided not to scan it.
It might seem like there are no downsides to a free package, but it could be a sign that someone is using your personal information for their own gain. If this happens to you, BBB recommends checking the security of your accounts and notifying the retailer who sent you the package.
- Don’t scan QR codes. They might take you to a phishing site that steals your personal information or download malware onto your device.
- Protect your identity. If you did scan the QR code and enter personal information, change your passwords for any accounts that may have been compromised, and enable two-factor authentication. Keep a close eye on your credit reports and credit card bills after you receive the package.
- Notify the retailer. If you can tell where the package is from, go directly to the retailer’s website to get their contact information and report the package as a scam. Retailers like Amazon have policies banning brushing and fake reviews, and they will investigate your report.
- Check for fake reviews. If you can identify the company that sent you the packages, look for false reviews in your name and report them to the retailer.
- Pause deliveries. One package is no big deal, but some targets of brushing scams are overwhelmed with a floor of unordered packages, creating a serious problem. If this happens, you may want to consider temporarily refusing package delivery at your home address and directing your real orders to a package acceptance service.
- Keep the package. The one silver lining of brushing scams is that you get to keep the gift – the Federal Trade Commission says you have a legal right to keep unordered merchandise. Don’t try to return it, especially if there are instructions to scan a QR code or enter information. It could needlessly compromise more of your personal information.