Don’t brush off this warning.
As a flurry of holiday gifts arrive on people’s doorsteps this season, unsuspecting shoppers could also receive packages addressed to them that they never ordered.
With a scam known as “brushing,” cybercriminals will ship packages with no return address that contain a QR code, prompting the confused recipient to scan the code to reveal who sent the package.
Unbeknownst to the recipient, the code could expose sensitive information from their smartphones or download malicious software onto the devices.
“A scammer’s QR code could take you to a spoofed site that looks real but isn’t. And if you log in to the spoofed site, the scammers could steal any information you enter,” a blog post from the Federal Trade Commission stated.
“Or the QR code could install malware that steals your information before you realize it.”
Now, law enforcement agencies across the country are warning local residents to stay vigilant this holiday season.
Nancy Kowalik from Mullica Hill, New Jersey, said she received a “really nice gift set for skincare,” but couldn’t figure out from whom.
“There was a QR code,” she told a local ABC News outlet, adding that she had seen warnings of brushing scams. “And I’m paranoid so I don’t scan anything. But I kept asking friends and no one ever claimed sending that gift to me.”
Sometimes, brushing scams are also used to boost seller reviews on sites such as Amazon, according to USA Today.
The sellers are trying to boost their reviews, Jennifer Leach, associate director of the Federal Trade Commission’s Bureau of Consumer and Business Education, told USA TODAY.
“Dishonest businesses and scammers are sending all sorts of unordered junk in the mail – and then writing good reviews for their business in your name,” Jennifer Leach, the associate director of the FTC’s Bureau of Consumer and Business Education, told the outlet, adding that it can negatively affect businesses that “don’t cheat to get reviews.”
She also warned that shoppers’ personal information or accounts have been compromised in some way, or that the scammer has made a new account using your name and address.
Melanie McGovern, a spokesperson for the Better Business Bureau, advised checking and securing accounts, such as Amazon or other frequently used shopping sites, she told a local Fox News outlet in New Jersey.
She also told USA Today that recipients should notify the shopping site or company that a fraudulent order was received.
An Amazon spokesperson told the outlet that third-party vendors are strictly prohibited from shipping unsolicited parcels to customers, and explained that the online retailer takes swift action against sellers who violate the policy, such as “withholding payments, suspending selling privileges, and reporting bad actors to law enforcement.”
“What people need to do is not be so curious about it,” McGovern said. “Don’t scan a QR code and start entering information if you’re not sure where that package came from.”