Brushing Scams That Mean You're Compromised

You check your email and see a notification: “Your package has been delivered – tracking number 1Z999AA10123456784.” Except you didn’t order anything. A few days later, a small, unmarked box shows up on your porch. Inside: a cheap ring, a set of earbuds, or a packet of seeds you never bought. You shrug, toss it in the trash, and forget about it. But that package wasn’t a mistake. It was a brushing scam – and it’s a clear signal that your personal information is already in the wrong hands.

Brushing scams are one of the most overlooked threats in the world of online fraud, especially dangerous because they often go undetected until it’s too late. Unlike a phishing email that screams for your credit card number, brushing works quietly. Here’s how it happens: a scammer gets hold of your name, address, and sometimes your phone number or email – often from a data breach, a fake online store, or a public records database. They use that information to order a cheap product from a major retailer like Amazon, Walmart, or eBay. The package is sent to your home, not to scam you out of immediate cash, but to create a fake verified purchase. Once the tracking shows delivered, the seller can post a glowing five-star review under your name, making a worthless product look legitimate. The scammer pockets the sale, and you’re left with a mystery item.

But the real danger isn’t the junk on your doorstep. It’s what the scam reveals about your security. If someone can send you a physical package using your real name and address without your permission, they already have enough data to attempt identity theft, open credit accounts, or target you with more sophisticated phishing attacks. The brushing scam is often a test – a way for criminals to confirm that your contact details are active and correct. Once they know you’re reachable, they can move to the next stage: fake delivery notifications that ask you to click a link to “reschedule” a delivery, or texts claiming a package is held at customs and you need to pay a small “fee” online. These messages look exactly like real tracking alerts from FedEx, UPS, or USPS. If you click, you hand over your login credentials or banking information.

For middle-class Americans aged 45 to 64, this is a particularly insidious threat. You likely shop online regularly, receive legitimate packages, and are accustomed to notifications from retailers and shipping companies. Scammers exploit that trust. They know you might not think twice about a strange package – you might assume a friend sent a gift, or that a website made a mistake. But every unrequested item is a red flag. If you receive something you didn’t order, do not open it, do not use the included QR code or link, and do not call any phone number on the packaging. Instead, report it to the retailer’s fraud department, check your credit report for unauthorized accounts, and change passwords on your email and shopping accounts immediately.

The most important takeaway: brushing scams are not harmless mix-ups. They are evidence that your identity has been partially stolen. Ignoring them is like finding a burglar’s fingerprint on your doorframe and deciding not to call the police. Scammers count on you to dismiss the package as a warehouse error. Don’t. Treat every unsolicited delivery as a notification that you’ve been compromised. Monitor your bank statements, credit card charges, and credit scores for the next several months. Consider freezing your credit with the three major bureaus – Experian, Equifax, and TransUnion – to block new account openings. Set up two-factor authentication on your online shopping accounts. And be hyper-vigilant about any emails or texts that claim “your package is on its way” unless you are 100 percent certain you placed an order.

The rise of brushing scams coincides with the surge in online shopping and data breaches. Over 400 million consumer records were exposed in 2023 alone, according to the Identity Theft Resource Center. That means your address, name, and phone number are likely circulating on the dark web. Scammers buy these lists in bulk and use brushing to “validate” which addresses are still good. They don’t need your Social Security number to start the process – just your mailing address and a cheap product. From there, they can pivot to delivery notification scams that mimic trusted carriers. A text from “Amazon Logistics” asking you to confirm a delivery time slot might look legitimate, but it could be a gateway to a fake login page that captures your password.

Bottom line: if a package arrives that you didn’t order, your guard should go up, not down. You are not being spoiled by a secret admirer. You are being tested. The brush is the warning shot. The next message may be a full-on attack. Stay ahead of it by treating every unsolicited delivery as proof that your data is exposed. Change your passwords, lock down your credit, and report the incident to the Federal Trade Commission at ReportFraud.ftc.gov. The package might be free, but ignoring it could cost you everything.