What are ‘brushing scams’ & how to protect yourself
You go to collect the mail, and among the bills and flyers sits a small package. It has your name and address on it. You didn’t order anything, but open it anyway. Maybe it’s a gift from one of your kids or grandkids? Instead of a homemade present or something you did order (and forgot about), you find a cheap smartwatch or piece of costume jewelry. But there’s no packing slip, note, company name, or return address. Maybe I got lucky, you think. Spoiler alert: you didn’t.
This unexpected “gift” is a tiny, modern-day version of the original Trojan Horse. While it appears harmless, it’s actually a brushing scam — that is, a calculated test run by scammers. For the older demographic, these packages can become a gateway drug to much more aggressive, financially devastating fraud.
What is a brushing scam?
Brushing scams happen when a third-party seller on a platform like Walmart or Amazon sends unsolicited things to unsuspecting people. Do not mistake these “sellers” for altruists. They’re gaming the system.
Online marketplaces prioritize products with high sales volumes and verified purchase reviews. To fake these numbers, a scammer needs a real delivery to a legit address. Once a tracking number updates to “delivered,” the scammer can write a glowing, five-star review in your name.
Commonly brushed items:
- Bluetooth speakers or inexpensive earbuds.
- Seed packets. (Beware: These packets can include invasive, non-native plants that are ecologically dangerous to your area.)
- Inexpensive costume jewelry, like bracelets or rings.
- Small household gadgets or those “As seen on TV” items.
The QR code trap
Previously, brushing scams were annoying but generally harmless. You got a free (though low-quality) item and someone wrote a fake review using your name. But the scam has since evolved into something far more dangerous.
According to warnings from various police departments across the country and the Better Business Bureau, scammers have gotten fancier. Now they do include a gift message inside the box. It often includes a QR code with a request, like “Scan this QR code to learn who sent this gift” or “Scan to activate your warranty.” The problem? Fraudsters have learned to manipulate QR codes to send unsuspecting people to websites that can gather personal information and use it for criminal activity.
Don’t scan the code
When you scan a QR code from an unknown source, you’re opening a digital door to your life and inviting scammers in to:
- Deploy malware. The code can trigger an automatic download of a keylogger or spyware onto your phone.
- Intercept communications. Sophisticated man-in-the-middle attacks can change your phone settings to forward your text messages, including two-factor authentication (2FA) codes from your bank, to the scammer.
- Social engineering. The code leads to a cloned website that looks just like Amazon or Netflix. It asks you to verify your account to claim a gift. Because most people reuse passwords, once the scammer has your Amazon login, they potentially have the keys to your email, social media, and bank accounts.
Why scammers target the 50+ crowd
Scammers view the 50+ demographic as the Goldilocks Zone of targets. You’ve probably accumulated more wealth than, say, a 20-year-old, and you may be less digitally savvy and more apt to trust an official-looking QR code.
The brushing scam is a test run
Forgive this analogy, but since I do work in marketing… think of brushing scams as a fraudster’s market research. They send the package to confirm three things:
- The validity of your address. They know someone lives there and opens the mail.
- The validity of your identity. Your name matches your physical location.
- Your level of tech-savviness. If you scan the QR code or call the support number included in the box, you signal that you’re susceptible to social engineering.
If you inadvertently engage with a brushing scam, your name gets added to a “sucker list.” It’s sold on the dark web to more aggressive fraudsters who will follow up with sophisticated phishing emails, fake IRS threats, and other scams.
Why QR codes make the perfect weapon
Unfortunately, your phone’s camera can’t distinguish between a good and a bad QR code. These codes are merely visual representations of data (usually a URL or web address). Your phone can’t tell that a link is malicious until after you’ve already tapped and opened it.
How QR codes compromise your phone:
- The redirect: The code sends you to a URL that looks safe but redirects you to a malicious site (and it’s often really difficult to tell at a glance that a site is harmful).
- Payload mining: Some code is embedded in picture files and, once the picture is rendered on your phone, executes a script that mines for personal data.
- Permission exploits: The site may ask for permission to show notifications or access photos. Once you click “Allow,” you’ve given the scammer a foothold in your phone’s operating system.
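For readers who help family members check suspicious packages, here is an added example (not part of the original article) that inspects the text a QR code decodes to, without opening it. The function name, the brand list, and the shortener list are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit
import ipaddress

# Illustrative lists (assumptions, not from the article).
TRUSTED = {"amazon.com", "walmart.com", "netflix.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}

def triage_qr_payload(payload: str) -> list[str]:
    """Return reasons to distrust the text decoded from a QR code."""
    url = urlsplit(payload.strip())
    if url.scheme not in ("http", "https"):
        # QR codes can also carry Wi-Fi, SMS or phone payloads.
        return [f"non-web scheme: {url.scheme or 'none'}"]
    flags = []
    if url.scheme == "http":
        flags.append("unencrypted http")
    if "@" in url.netloc:
        flags.append("userinfo before host hides the real destination")
    host = (url.hostname or "").lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        flags.append("raw IP address instead of a domain")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode label (possible look-alike characters)")
    if host in SHORTENERS:
        flags.append("link shortener: final destination is hidden")
    # Simplification: treats the last two labels as the registrable
    # domain, so country domains like amazon.co.uk need a suffix list.
    registrable = ".".join(host.split(".")[-2:])
    for brand in TRUSTED:
        name = brand.split(".")[0]
        if name in host and registrable != brand:
            flags.append(f"mentions '{name}' but is not {brand}")
    return flags

if __name__ == "__main__":
    # Constructed sample payloads, not taken from real packages.
    for sample in ("https://www.amazon.com/gp/your-account",
                   "http://amazon.com.gift-claim.example/verify",
                   "https://bit.ly/abc123"):
        print(sample, "->", triage_qr_payload(sample) or "no flags")
```

An empty result does not mean a link is safe: the check only reads the address and cannot see a redirect that happens after the page is opened.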

Protect yourself: A step-by-step guide
Before you unplug completely from the internet and ditch your smartphone (totally my dad’s reaction when I educated him and my mom on potential scams a few years ago), you can take steps to protect yourself.
If a mystery package arrives at your house, follow these steps to guard your privacy.
- Don’t scan or click. Never scan a QR code inside a package you didn’t order. If it includes a card with a website, don’t type it into your browser. If you’re wondering whether a friend or family member sent you something, ask — or check your Amazon account by typing amazon.com directly into your browser.
- Check your account security. Receiving a brushing package means your name and address are out there, in the wild. Change passwords for all your major retail, bank, and social media accounts, and your primary email address. Enable two-factor authentication using an app like Google Authenticator rather than relying only on SMS text messages.
- Notify the retailer. If the package has an Amazon or Walmart logo, for example, contact the company’s customer service. They need to know that a third-party seller is using your information to manufacture fake reviews. Bigger retailers have procedures for investigating and shutting down seller accounts.
- Treat the item as contaminated. While you’re legally allowed to keep unsolicited merchandise through the U.S. mail, be wary. Don’t plug any electronic items (like a USB drive or smartwatch) into your computer or phone. These devices can contain pre-installed malware that activates the moment you power them on. If you receive seeds, follow the instructions on the CT Dept. of Agriculture website for safely disposing of organic material.
- Return to sender. If you haven’t opened the box yet and know you didn’t order it, write “Addressee not known — return to sender” on the box and hand it back to the carrier. Doing so tells the sender that this lead is cold.
Be cynical
Most of us were raised to be polite and helpful. Unfortunately, the fraudsters who have fully embraced the digital age exploit these virtues. Train yourself to treat any unsolicited contact — a text, email, phone call, or physical box — with extreme suspicion.
If you didn’t ask for it, don’t trust it. A free Bluetooth speaker isn’t worth the price of a drained bank account. Returning a package or ignoring a QR code doesn’t make you rude. It makes you smart. Protect your data like you protect your home. Keep your digital doors and windows locked until you can verify conclusively who’s on the other side.
