
Unexpected Package at Your Door? Beware of Brushing and Quishing Scams
Have you ever received a package you didn’t order? While it might seem like a lucky mistake or a secret gift, an unsolicited delivery could be the first sign of a sophisticated scam designed to exploit your personal information. In today’s digital age, even a simple package delivery can be a vector for fraud.
Two increasingly common schemes, known as “brushing” and “quishing,” leverage the convenience of e-commerce to compromise your security. Understanding how they work is the first step toward protecting yourself.
The Brushing Scam: More Than Just Free Stuff
The “brushing” scam begins when a mysterious package, often containing a cheap, lightweight item like a phone case or a pair of plastic sunglasses, arrives at your doorstep. You don’t recognize the sender, and you certainly didn’t order it.
The real goal here is not to give you a gift, but to generate fake “Verified Purchase” reviews. Here’s the breakdown:
- Data Compromise: A dishonest online seller obtains your name and address, likely from a data breach or by purchasing it from data brokers.
- Fake Account Creation: The seller uses your information to create a fake customer account on a major e-commerce platform like Amazon or eBay.
- Sham Transaction: They then “purchase” their own product through this fake account and ship it to your address.
- Bogus Review: Once the delivery is confirmed, the seller can log into the fake account and post a glowing five-star review. Because a product was actually shipped and delivered, the review gets the coveted “Verified Purchase” tag, making it appear legitimate to other shoppers.
This scheme helps fraudulent sellers artificially boost their product ratings, tricking real customers into buying low-quality goods.
Why Brushing is a Serious Red Flag
While receiving a free, albeit useless, item might seem harmless, it’s a clear warning sign. The core issue with brushing is that your personal information is in the hands of unknown third parties. It confirms that your name, home address, and possibly your phone number have been compromised and are being actively used without your consent. This is a security breach that should be taken seriously, as it could be a precursor to more severe forms of identity theft.
What to Do If You Receive a Brushing Package
If you’re the target of a brushing scam, take these immediate steps to secure your information:
- Report the Delivery: Contact the customer service department of the e-commerce platform where the seller likely operates (Amazon, eBay, etc.). Report the unsolicited package and the seller if that information is available. They can investigate the fraudulent account and remove the fake review.
- Change Your Passwords: As a precaution, change the passwords on your important online accounts, especially your e-commerce and financial accounts. Use strong, unique passwords for each service.
- Monitor Your Finances: Keep a close eye on your credit card and bank statements for any unauthorized charges. Consider setting up transaction alerts for your accounts.
- You Can Keep the Item: In the United States, the Federal Trade Commission (FTC) states that you have a legal right to keep merchandise you receive but did not order. You are not obligated to pay for or return it.
The Quishing Scam: When QR Codes Go Rogue
A more direct and potentially more damaging scam is “quishing,” or QR code phishing. This scheme can even target packages you did order.
Scammers will place a sticker with a QR code on a package left on a doorstep. This sticker is designed to look official and often includes a tempting offer or an urgent message, such as:
- “Scan here to claim your free gift!”
- “There’s a problem with your delivery. Scan to resolve.”
- “Confirm your delivery and receive a discount.”
The goal of quishing is to trick you into scanning the malicious QR code. Once scanned, the code will direct your smartphone’s browser to a phishing website. This fraudulent site might perfectly mimic the login page of Amazon or another trusted retailer, prompting you to enter your username and password. In other cases, the site may ask for credit card information or attempt to install malware on your device.
Because the QR code is on a real package delivered to your home, it can carry an undeserved air of legitimacy, making people more likely to fall for the trick.
How to Protect Yourself From Malicious QR Codes
- Be Extremely Skeptical: Treat any unexpected QR code on a package with suspicion. Official delivery instructions or offers will almost always come through official channels, like an app or email, not a random sticker.
- Preview the URL: Many modern smartphone cameras and QR scanner apps allow you to see a preview of the website URL before it opens. Carefully inspect this link. Look for misspellings, strange character strings, or unofficial domain names. If it looks suspicious, do not open it.
- Never Enter Sensitive Information: As a golden rule, never enter login credentials, personal details, or financial information on a website you accessed through an unsolicited QR code.
- Go Directly to the Source: If a QR code claims to be from a specific company, ignore the code and navigate to that company’s official website or app yourself to check for any notifications.
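The checks described under "Preview the URL" and "Go Directly to the Source" can be written down as a small script that inspects a link decoded from a QR code before anyone opens it. This is an added example, not part of the original article; the `OFFICIAL_DOMAINS` allowlist, the function names and the warning labels are assumptions made for illustration.

```python
import ipaddress
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumption: the retailers you actually use; adjust this allowlist.
OFFICIAL_DOMAINS = {"amazon.com", "ebay.com"}

def is_official(host, official=OFFICIAL_DOMAINS):
    """True only for an official domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in official)

def assess_qr_url(url, official=OFFICIAL_DOMAINS):
    """Return a list of warnings for a URL decoded from a QR code."""
    warnings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https":
        warnings.append("not-https")
    if parts.username is not None:
        # "https://amazon.com@other.example/" really goes to other.example
        warnings.append("userinfo-before-host")
    if not host:
        return warnings + ["no-host"]
    try:
        ipaddress.ip_address(host)
        return warnings + ["raw-ip-host"]
    except ValueError:
        pass  # not an IP literal, keep checking the name
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        warnings.append("non-ascii-or-punycode-host")
    if is_official(host, official):
        return warnings
    warnings.append("unofficial-domain")
    # Compare every piece of the host name with the brand names we trust.
    brands = {d.split(".")[0] for d in official}
    for label in host.replace("-", ".").split("."):
        for brand in brands:
            if label == brand:
                warnings.append(f"brand-in-unofficial-host:{brand}")
            elif SequenceMatcher(None, label, brand).ratio() >= 0.8:
                warnings.append(f"lookalike-of:{brand}")
    return warnings
```

An empty list only means the link points at an allowlisted domain over HTTPS; going to the retailer's site or app directly remains the safer habit.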
By staying informed and vigilant, you can recognize these deceptive tactics and ensure that the convenience of online shopping doesn’t come at the cost of your personal security.
Source: https://www.kaspersky.com/blog/brushing-quishing-and-other-threats-of-unexpected-parcels/54126/