Beware of This New Brushing Scam That Uses QR Codes to Steal Personal Information

Written by Carefull | Oct 15, 2025

By Jenny Leight, Business Strategy, Carefull

Have you ever received a package on your doorstep that you didn’t order? It might seem like a harmless mix-up, or even a free gift, but it could actually be part of a scam called “brushing.”

In a traditional brushing scam, shady online vendors ship low-cost items to people who never ordered them. The goal isn’t to give away freebies; it’s to create fake sales and then post glowing reviews in the recipient’s name to boost the vendor’s product ratings. While that may sound relatively harmless, it’s also a red flag that your personal information (like your name and address) has been exposed.

Now, the FBI is warning about a new and more dangerous variation. Criminals have started placing QR codes on brushing packages. Scammers are betting you’ll scan the code out of curiosity to learn who sent the package. But scanning can open the door to serious fraud – downloading malware to your phone or directing you to fake sites that steal financial and personal information. In some cases, attackers have siphoned off credit card numbers, bank credentials, and even access to investment or crypto accounts.

Here's How the New Brushing Scam Works

  • Scammers set up fake online storefronts and place orders under your name and address.
  • They ship small, inexpensive items (like phone accessories, beauty products, or gadgets) to your home.
  • The package often arrives without a return address or sender details, only a QR code.
  • Scanning the QR code can install malware or capture sensitive information, giving scammers direct access to your financial accounts.
  • Meanwhile, the order is marked “delivered,” allowing scammers to leave fake positive reviews under your name.

The bigger concern: If you’re receiving brushing packages, it usually means your name, address, and potentially other personal information have been compromised.

How to Avoid Brushing Scams

Scammers are always evolving their tactics, and QR codes are their latest tool. Take these steps to protect yourself if you receive a package you didn’t order:

  • Don’t scan QR codes from packages, emails, or texts you weren’t expecting.
  • Be cautious with packages that arrive without sender information. This is a common red flag.
  • Don’t approve phone permissions or website access prompted by a suspicious QR code.
  • Never assume a package you didn’t order is harmless. Even small items can be tied to fraud.
  • If you think you’ve been targeted, act quickly. Change your account passwords, secure your online profiles, and request a free credit report from Equifax, Experian, or TransUnion to check for fraudulent activity.
  • Report it. The FBI asks the public to report suspicious brushing packages or QR code scams to the Internet Crime Complaint Center at www.ic3.gov. Include as much information as possible about the package and how you received it.

Carefull, the financial safety service, which provides account, credit and identity monitoring, offers a ScamCheck tool that members can use to help them detect whether a call, email or text message is a scam.