
<KeyTakeaways>

*   USPS and Postal Inspectors are warning about a rise in "brushing" scams where unsolicited packages arrive at your door.
*   Scammers use your name and address to ship cheap items, then post fake positive reviews under your identity.
*   A new variant called "quishing" includes QR codes that lead to phishing sites designed to steal personal information.
*   If you receive an unexpected package, do not scan any QR codes—report it to the [Postal Inspection Service](https://www.uspis.gov/report).

</KeyTakeaways>

WASHINGTON — The United States Postal Inspection Service (USPIS) is issuing a renewed warning to Americans about the dangers of "brushing" scams, urging consumers to treat their personal information "like cash."

The scam, which has surged in recent months, involves third-party sellers shipping unsolicited packages—often inexpensive items like keychains, socks, or seeds—to individuals who never ordered them.

The goal is not generosity. It's fraud.

## How the Scam Works

Scammers obtain names and addresses through data breaches, leaked databases, or purchases from third-party sources. Once they have your information, they create fake accounts on e-commerce platforms like [Amazon](/blog/usps-vs-amazon-battle-for-last-mile-delivery), eBay, or Alibaba.

After shipping a cheap product to your address, they wait for it to be marked "delivered." Then, using your identity, they post glowing five-star reviews to artificially boost their product rankings and sales.

You never ordered anything. But on paper, you're a verified purchaser.

## The "Quishing" Twist

Postal Inspectors have also identified a newer, more dangerous variant of the scam called "quishing"—a combination of QR codes and phishing.

In these cases, packages arrive with QR codes printed on labels or inserts. When unsuspecting recipients scan the code, they're directed to fake websites designed to harvest personally identifiable information (PII), including credit card numbers, Social Security numbers, and login credentials.

"Do not scan QR codes from packages you did not order," USPIS warns. "This can validate your address to scammers or even install malware on your device."

## Why This Matters for Carriers

For letter carriers, the brushing scam presents a unique frustration. [Carriers often bear the brunt](/blog/dealing-with-usps-supervisor) of customer complaints about suspicious packages, even though the issue originates far outside USPS operations.

Carriers should be aware that customers may ask questions about unmarked packages. The best advice is to direct them to the Postal Inspection Service at [uspis.gov/report](https://www.uspis.gov/report) or 1-877-876-2455.

## What to Do If You Receive an Unsolicited Package

USPIS recommends the following steps:

1. **Do not scan any QR codes** on the package or inserts.
2. **Do not return the item** unless you're certain it's safe. You are not legally obligated to return or pay for unordered goods.
3. **Audit your accounts immediately.** Check online shopping, banking, and credit card statements for unauthorized activity.
4. **Update your passwords.** Prioritize email, banking, and any accounts storing financial data. Consider using a password manager.
5. **Monitor your credit reports.** If you suspect your data was stolen, consider a credit freeze or fraud alert.
6. **Report the scam** to the Postal Inspection Service online at [uspis.gov/report](https://www.uspis.gov/report).

## The Bigger Picture

A brushing scam isn't just about receiving a random pair of socks. It's a red flag that your personal information is circulating in places it shouldn't be.

"If scammers have your name and address, they may have more," USPIS cautions. "Other sensitive information—like your Social Security number or bank account—could also be at risk."

For USPS employees navigating the [ever-changing postal landscape](/blog/usps-craft-transfer-rules), staying informed about these scams helps protect both the public and the integrity of the mail system.

<ShareCallout />