FTC just issued warning over new 'brushing' scams

Woman tapping smartphone while delivery person hands her a package.
(Image credit: Indypendenz/Shutterstock)

You may have heard about – or even experienced – a brushing scheme without ever knowing what it was called or what it is. Basically a scam to boost product ratings and sales with falsified verified purchase reviews, a brushing scheme involves sending unsolicited packages to a victim using personal information that a fraudster has stolen or purchased online.

Though it might seem like a harmless scam, and the law states that you are entitled to keep any gifts that arrive at your doorstep even if they’re part of a scam, brushing is an indication that your personal information has been compromised and that you have been potentially exposed to identity theft.

Now though, according to a new warning issued by the Federal Trade Commission (FTC) and reported on by Cybernews, brushing scams have evolved to include a new threat. In addition to the free gifts, the schemes now include cards or notes that instruct victims to scan a QR code to find out who sent the gift or find out how to return the unwanted item.

This QR code is, unfortunately, embedded with malicious code that takes you to a phishing website that will steal your personal information, including usernames, passwords and credit card numbers or infect your devices with malware so hackers can have access to them and the data they contain.

“If you know it's really a gift, you can keep it.’ says the FTC, “but also know that this unexpected package could be a new twist on a brushing scam that could steal your personal information.”

How to protect yourself from brushing and phishing

A woman looking at a smartphone while using a laptop

(Image credit: Shutterstock)

The FTC encourages anyone who has interacted with suspicious QR codes to take immediate protective steps which include changing your passwords right away if your credentials were compromised. The FTC also says you can report suspected identity theft at identitytheft.gov.

To stay safe from phishing and account takeover, you always want to create strong and unique passwords that are hard to guess, or use a trusted password manager. Likewise, whenever possible turn on multi-factor authentication (MFA) or two-factor authentication for your online accounts.

You can monitor your credit reports at annualcreditreport.com to look for signs of fraud, like open accounts in your name that you don’t recognize, and you should always review credit card bills and bank statements for suspicious activity.

Also, follow best practices, which means never click on QR codes or links from unknown sources – whether that’s an email, text, or card in the mail. You can also protect your devices, both mobile, PCs and tablets, by having one of the best antivirus souftware suites installed which in addition to top notch malware protection, may also inclue a VPN, password manager and more. Some will even have a “rollback” feature that will let you undo any damage done by a malware or ransomware attack.

More from Tom's Guide

Amber Bouman
Senior Editor Security

Amber Bouman is the senior security editor at Tom's Guide where she writes about antivirus software, home security, identity theft and more. She has long had an interest in personal security, both online and off, and also has an appreciation for martial arts and edged weapons. With over two decades of experience working in tech journalism, Amber has written for a number of publications including PC World, Maximum PC, Tech Hive, and Engadget covering everything from smartphones to smart breast pumps. 

Read more
Reddit logo and Reddit logo on phone
Hackers have created hundreds of fake Reddit sites to spread info-stealing malware
An image of a CAPTCHA
Hackers are using reCAPTCHA to trick users into infecting their own PCs with malware — how to stay safe
A person typing on a computer while hackers use phishing to steal a file from their computer
Phishing: What is it, and how to avoid it
PayPal logo on iPhone
Watch out! Scammers are using this PayPal setting to take over your PC
A hacker typing quickly on a keyboard
Hackers are posing as Apple and Google to infect Macs with malware — don’t fall for these fake browser updates
Man stressed at computer
How to avoid romance scams
Latest in Online Security
23andME box
23andMe has declared bankruptcy — here's how to delete your data now
A magnifying glass on top of the Steam logo in a web browser
Valve just pulled a malicious game demo spreading info-stealing malware from Steam
A man filing his taxes electronically on a laptop
AI-powered tax scams are here - how to stay safe from deepfakes, phishing and more this tax season
MacBook Pro 2023
New Mac attack is tricking users into thinking their computer is locked — how to stay safe
Hacker using a stolen social security card
Your Social Security number is a literal gold mine for scammers and identity thieves — here’s how to keep it safe
An open lock depicting a data breach
Half a million teachers hit in major data breach with SSNs, financial data and more exposed — what to do now
Latest in News
Gemini screenshot image
Google unveils Gemini 2.5 — claims AI breakthrough with enhanced reasoning and multimodal power
Samsung Galaxy Z Flip 6 review.
Samsung Galaxy Z Flip 7 design just teased in new cases leak — and the outer display is huge
Google Chrome
Chrome failed to install on Windows PCs, but Google has issued a fix — here's what happened
nyc spring day AI image
OpenAI just unveiled enhanced image generator within ChatGPT-4o — here's what you can do now
WWDC logo on yellow background
Apple WWDC 2025 date set for June 9 — iOS 19, Apple Intelligence and more expected
Motorola Razr Plus 2024 cover display
Motorola Razr Plus (2025) leaked specs hint at bigger upgrades — here's what we know
  • JackMchue
    I knew qr codes were very potentially dangerous! Nice to see someone finally admitting it. You can't tell just by looking at it what website it will send you to, unlike scam emails where you can actually read the link text. Also, who's to say scammers aren't printing up stickers with malicious qr codes and sticking them over legitimate qr codes on products? I will NEVER scan a qr code for as long as I live. There's too much potential for malicious use.
    Reply
  • rgd1101
    there a web site that let you upload an image with qr code to get the url.
    Reply