Brushing scam's QR codes attack cities worldwide amid the holiday season

The most festive time of the year is here. And with that, scammers are sending unsolicited packages to people’s homes in a “brushing scam” campaign.

Brushing scam tactics are not a new thing. A quick Google search shows that they’ve been around since at least last year or even longer. You never order these packages, and when you open them, it has a scannable QR code that can be dangerous. No return addresses in these packages, too.

“Online stores and third-party sellers thrive when their products receive high volumes of great reviews. But what do they do if they’re trying to sell cheap or poor-quality products in a market that’s already saturated? If they’re a dishonest retailer, they may start a brushing scam,” said cybersecurity company LifeLock.

While brushing scams—where scammers send unrequested packages to generate fake positive reviews—are real, fact-checking site Snopes clarifies that the warnings exaggerate QR code risks.

Simply scanning a QR code cannot automatically steal data or drain bank accounts; scammers typically need victims to actively provide sensitive information through malicious links. QR codes are largely harmless unless paired with phishing tactics, and they need your participation to succeed.

So, what happens if a “brushing scam” package has been delivered to your address?

The best is not to scan the QR codes, register warranties of the products, or let alone pay for the packages. You may also report the incident to the said online marketplace where the package is supposedly sent from and monitor your bank accounts/statements for suspicious activities.