The Nebraska Preparedness Partnership has shared information about a new scam, known as “brushing.”
“Brushing” is a type of scam where a person receives an unsolicited package in the mail containing various items that they never ordered. The package often appears to be a “free gift,” and is marked with the person’s name and home address. This could mean, first, that personal information has been exposed online.
The packages usually contain inexpensive items like beauty products, gadgets, or cheap jewelry. Once a package is delivered, scammers use the recipient’s name and address to post fake positive reviews for their product to inflate, or “brush up” their sales and reputation on online shopping sites.
If you receive one of these packages, the United States Postal Service has the following recommendations:
• Don’t pay for merchandise you didn’t order.
• Monitor your credit report and credit card bills – your personal information may have been compromised.
• If you haven’t opened the package, mark as Return to Sender and the USPS will send it back at no charge to you.
• Be wary of the contents inside. They may not be safe to use.
• Dispose of the item in a safe manner if you do not want to keep it.
• File a fraud report with the retailer, such as Amazon, eBay, or another third party.
As an additional danger, brushing scammers are now including QR codes in their packages in the hopes that the package recipient will scan it and follow their instructions. This tactic is known as QR Code Phishing or “Quishing”.
The QR code provided in the package will redirect the recipient to a malicious website disguised as an authentic business (e.g., Amazon, Walmart, USPS) to trick the recipient into providing additional personal information (e.g., banking numbers, SSN, employment information), or clicking malicious downloads like malware, ransomware, or spyware.
The information stolen or malicious files downloaded could leave the victim open to future attacks.
Other similar package scams include tracking scams in which scammers send fake package tracking links through text messages to get recipients to click malicious links. Brushing packages may also be sent with instructions to plug in an included USB drive which has malicious capabilities when plugged into a computer.
As a reminder, never click suspicious links, and never plug in unknown USB devices.
With holiday package deliveries around the corner, these scams may become more common. Make sure to know what packages you are expecting, and be cautious with those you are not.
