Security | May 7, 2026 | 7 min read

How to Protect Yourself From Brushing Scams

By Sarah Chen

Head of Privacy Research

A mysterious package arrives at your door. You did not order it. There is no return address, or the return label shows an unfamiliar retailer. Inside you find a cheap item — a phone case, a pair of sunglasses, a bag of seeds, or a small gadget. Congratulations: you have likely been targeted by a brushing scam. While keeping a free item might seem harmless, the real concern is what this package reveals — someone out there has your name and home address, and they are using it for fraud.

What Is a Brushing Scam?

A brushing scam is a deceptive practice in which third-party sellers on e-commerce platforms like Amazon, eBay, Walmart, or AliExpress send unsolicited packages to real people. The goal is not generosity. The seller uses your name and address to create a fake "verified purchase" and then posts a glowing five-star review under your identity. These fabricated reviews boost the product's visibility, push it higher in search results, and make it appear more popular and trustworthy to genuine shoppers.

The term "brushing" comes from the concept of "brushing up" sales numbers. Because the marketplace registers a confirmed delivery to a real address, the review appears legitimate. Sellers can repeat this process hundreds or thousands of times, manufacturing a flood of positive reviews that mislead consumers and manipulate platform algorithms.

Why Brushing Scams Are a Privacy Problem

Many people shrug off brushing scams — after all, you got something for free. But the package itself is the least important part of the equation. The real issue is that a scammer has obtained your personally identifiable information, specifically your full name and mailing address. If they have that, they may also have your phone number, email address, or other details.

A Brushing Package Is a Warning Sign

Receiving an unsolicited package means your personal data is circulating in places it should not be. Scammers who have your name and address today can use that information for identity theft, phishing attacks, or more targeted fraud tomorrow. Treat a brushing package as a signal to review and tighten your personal security.

How Scammers Get Your Address

Brushing scam operators obtain names and addresses from several sources:

  • Data brokers and people-search sites — Sites like Spokeo, Whitepages, BeenVerified, and Intelius compile and sell personal information scraped from public records, social media profiles, and commercial databases. In less than ten minutes, a scammer can build a detailed profile on you using these sites, no hacking required.
  • Data breaches — When companies suffer security breaches, stolen customer records including names, addresses, and emails end up sold on dark web forums.
  • Public records — Property records, voter registrations, and court filings are often publicly accessible and contain home addresses.
  • Social media oversharing — Posting photos or information that reveals your location, neighborhood, or home address gives scammers free intelligence.
  • Past online orders — Compromised e-commerce accounts or retailers with poor data practices can leak your shipping information.

The QR Code Twist: A Dangerous New Variant

In 2025 and 2026, the U.S. Postal Inspection Service and the FBI's Internet Crime Complaint Center (IC3) warned about an evolved version of the brushing scam. Unsolicited packages now arrive with cards inside that read "Register Your Gift" alongside a QR code. Scanning the code takes you to a phishing website designed to steal your credit card number, login credentials, or other sensitive information.

This technique, known as quishing (QR code phishing), is especially dangerous because many people assume a physical card inside a package must be legitimate. It is not. If you receive an unsolicited package containing a QR code or a card directing you to visit a website, do not scan it and do not visit the URL.

What to Do If You Receive an Unsolicited Package

If a package you did not order shows up at your door, follow these steps:

  1. Confirm it is not a gift — Check with family members, friends, or coworkers to make sure nobody sent you a surprise.
  2. Do not scan any QR codes — If the package contains a card with a QR code or a link to "register" or "claim" your item, ignore it entirely.
  3. Do not use consumable items — Avoid eating, planting, or applying anything from an unsolicited package. If you receive seeds, report them to your state's department of agriculture or the USDA.
  4. Document the package — Take photos of the shipping label, any inserts, and the item itself. Note the tracking number if visible.
  5. Report it to the retailer — If the package appears to come from Amazon, report it using their Report Unwanted Package form. For other platforms, contact their customer service or fraud team. Ask the retailer to check for and remove any fake reviews posted under your name.
  6. Report it to authorities — File a complaint with the FTC at ReportFraud.ftc.gov. If the package was delivered by USPS, report it to the U.S. Postal Inspection Service at uspis.gov/report, as it may constitute mail fraud.
  7. Secure your online accounts — Change the passwords on your e-commerce accounts and enable two-factor authentication. Check for unauthorized orders or address changes.
  8. Monitor your financial accounts — Watch your bank and credit card statements for unfamiliar charges over the following weeks.

You Can Legally Keep It

Under federal law (the Unordered Merchandise Statute), you have no obligation to return or pay for items you did not order. You may keep, donate, or discard the item. You are not required to contact the sender, and no company can bill you for unsolicited merchandise.

How to Protect Yourself From Brushing Scams

Since brushing scams start with your personal data being accessible to the wrong people, the most effective defense is to reduce how much of your information is exposed online.

1. Remove Your Information From Data Broker Sites

Data brokers are the primary pipeline through which scammers obtain names and addresses at scale. Hundreds of these sites exist, and each one may have a different opt-out process. You can submit removal requests manually, but it is time-consuming and brokers often re-list your data within months.

PrivacyOn automates this process by continuously scanning and removing your personal information from over 100 data broker and people-search sites. With ongoing monitoring, PrivacyOn ensures that when brokers re-collect your data — which they routinely do — it gets removed again. Cutting off the supply of your personal information at the source makes it significantly harder for brushing scammers and other bad actors to find you.

2. Limit What You Share Online

Audit your social media profiles and remove or hide your home address, phone number, and location details. Avoid posting photos that reveal your street name, house number, or neighborhood landmarks.

3. Use a P.O. Box or Alternative Address

When possible, use a P.O. box or a virtual mailbox service for online orders and subscriptions. This keeps your home address out of databases that could be breached or sold.

4. Monitor for Data Breaches

Use a breach notification service to find out if your information has appeared in known data breaches. If your address or other details have been compromised, take immediate steps to change passwords and tighten account security.

5. Be Selective About Where You Shop Online

Stick to reputable retailers with strong privacy practices. Read privacy policies before creating accounts, and avoid giving your address to sites that do not need it.

6. Use Unique Email Addresses for Shopping

Create a dedicated email address for online shopping and subscriptions. This limits the damage if that email is involved in a breach and makes it easier to spot phishing attempts connected to your shopping activity.

Why Brushing Scams Are More Than a Nuisance

It is tempting to dismiss a brushing scam as a minor annoyance — or even a lucky break. But the implications go beyond a free trinket:

  • Your data is exposed — If a scammer has your address, they likely have other personal details too. This information can be used for identity theft, social engineering, or account takeover attacks.
  • Fake reviews harm consumers — Brushing inflates ratings for products that may be low-quality or unsafe, misleading genuine buyers.
  • It can escalate — Scammers who start with brushing may move on to more harmful schemes using the same personal data, including opening fraudulent accounts in your name or conducting targeted phishing attacks.

Taking action when you receive an unsolicited package is not just about dealing with that one item. It is about recognizing that your personal information is in the wrong hands and taking steps to regain control. By reporting the scam, securing your accounts, and reducing your data footprint through services like PrivacyOn, you can turn a suspicious delivery into an opportunity to strengthen your overall privacy and security.

Sarah Chen

Head of Privacy Research

CIPP/US Certified | IAPP Member | B.S. Computer Science

CIPP/US-certified privacy researcher with over a decade of experience helping consumers remove their personal information from data brokers.
