If a mystery package shows up on your doorstep, don’t assume it’s a lucky break. It could mean your personal information has been exposed.
The U.S. Postal Service is warning Americans about a fast-growing scheme known as a “brushing” scam. It may look like a harmless delivery, like a keychain, some socks, a random kitchen gadget, but it’s often a red flag that cybercriminals have gotten hold of your name and address.
Worse, experts say these schemes can be just the beginning of a broader attempt to exploit your identity or financial accounts.
Here’s how the scam works, what it means for your data and what to do if you’ve been targeted.
Don’t miss
What is a brushing scam?
Brushing scams involve unsolicited deliveries from third-party online sellers looking to boost their product ratings and visibility. These sellers send cheap, low-value items to real names and addresses, then leave fake “verified” reviews, often posing as the recipient.
“These scams occur when a customer receives unsolicited packages containing low-cost items like household goods,” U.S. Postal Inspector Kelly McNulty told KOB 4 News in Albuquerque. “These packages are often sent by online retailers or third parties who use compromised personal information to create fake transactions.”
In other words: if you get a package you didn’t order, someone may already have your data, and they’re using it for profit.
Why you should care
At first glance, a free item might not raise alarms. But it should.
Brushing scams don’t just manipulate e-commerce platforms. They suggest that your personal details, including your full name, phone number, home address and possibly even payment info, have been scraped, sold or stolen. That’s information that can be used in identity theft, credit fraud, phishing scams or even attempts to bypass two-factor authentication.
“This is about more than just a package,” McNulty warned. “Treat your personal information like cash.”
Part of a larger problem
The brushing scam warning comes as part of a broader initiative by the USPS called “Project Safe Delivery,” launched in 2023 to combat mail-related crime. Since its rollout, the program has led to 2,800 arrests, including over 1,200 this year alone, tied to mail theft and attacks on postal workers.
Now, the USPS is working to raise awareness about fraud tactics targeting consumers directly, especially as scams become more personalized and harder to detect.
Read more: You don’t have to be a millionaire to gain access to this $1B private real estate fund. In fact, you can get started with as little as $10 — here’s how
What to do if a strange package shows up
If you receive a mystery box in the mail, don’t panic, but do take action. Here’s what the Postal Service and cybersecurity experts recommend:
-
Report it: Go to USPIS.gov and file a report with the U.S. Postal Inspection Service. Reporting these scams helps federal investigators trace the origin and stop future incidents.
-
Audit your accounts: Check your online shopping, banking and credit card accounts for any unusual charges. It’s also smart to request a free credit report from Equifax, Experian or TransUnion to spot any suspicious activity.
-
Update your passwords: Even if you don’t see fraud, it’s a good idea to change your passwords, especially for your email, Amazon, bank and any accounts where financial or personal data is stored.
-
Use a password manager: Password managers generate and store complex, unique passwords for every account, making it harder for hackers to break in if your data has already been exposed.
-
Don’t engage: You are not obligated to return or review the item. In fact, doing so may validate your address to scammers and lead to more unwanted deliveries.
Most importantly, don’t scan any QR codes on the package. These codes can lead to malicious websites that steal personal data, install malware or phish for sensitive information, postal workers say.
Don’t fall for fake stamps, either
While brushing scams are grabbing attention, USPS is also flagging another fraud risk: counterfeit postage.
“If you see large discounts on stamps, like 40 to 50% off, it’s probably too good to be true,” McNulty said. These fakes often pop up on social media or discount sites and can result in your mail being rejected or you facing penalties. To stay safe, always buy stamps directly from USPS or licensed retailers.
The bottom line
Scams like brushing or counterfeit postage don’t just waste your time, they can open the door to financial and identity theft.
So, if something feels off, a strange delivery, a fishy discount, or a request for personal info, don’t ignore it.
Protect yourself by treating your personal data the same way you’d treat your debit card or Social Security number: carefully, and with skepticism.
As McNulty puts it: “Think before you send it.”
What to read next
Stay in the know. Join 200,000+ readers and get the best of Moneywise sent straight to your inbox every week for free. Subscribe now.
This article provides information only and should not be construed as advice. It is provided without warranty of any kind.
