Consumer protection investigators are warning that plain, unmarked envelopes arriving at residential addresses — sometimes empty, occasionally carrying a QR code — are functioning as entry points for a two-stage fraud scheme known as brushing. The mechanics are straightforward: bad actors exploit real delivery confirmations to post fabricated verified-buyer reviews on major online marketplaces, while the QR code variant layers an active credential-theft risk on top of what might otherwise look like a minor nuisance.
The Brushing Mechanic and What the Envelope Actually Proves
A third-party seller acquires a target's name and home address through data brokers, public records, or breach data, then creates a fake order under that person's details and ships a cheap item — or nothing at all. Once the carrier marks the delivery complete, the seller can claim the recipient made a verified purchase and post a favorable review under that person's account credentials. The immediate financial damage to the recipient may be zero, but the delivery itself is confirmation that accurate personal data is already in circulation. Platforms named in incident reports include Amazon, Walmart, eBay, and TikTok Shop; carriers include USPS, UPS, and FedEx.
The QR Code Escalation
The more dangerous version embeds a QR code in the package with framing such as "scan to see who sent this gift" or "scan to verify delivery." A QR code is a machine-readable link; the destination is not visible before a phone reads it. According to the source, 73 percent of Americans scan QR codes without first verifying where they lead. Investigators flag that these codes can redirect to phishing sites soliciting names, phone numbers, credit card numbers, bank login credentials, or one-time verification codes — the last of which can be used to complete an account takeover in real time.
Recommended Response Steps
Anyone who receives an unsolicited envelope or package should avoid scanning any included QR code and should not call phone numbers or visit web addresses printed inside. If a retailer's name appears on the label, contact that retailer through its official site or app only — not through contact details supplied in the package. Recipients should review their Amazon, Walmart, eBay, and TikTok Shop accounts for unrecognized orders, changed shipping addresses, or reviews they did not write, and should audit financial accounts for small test charges or unfamiliar withdrawals.
Security specialists recommend enabling two-factor authentication via an authenticator app, which is more resistant to interception than SMS. For those concerned about broader identity exposure, Equifax, Experian, and TransUnion each offer fraud alerts and credit freezes.
Reporting Channels
Suspicious packages can be reported to the U.S. Postal Inspection Service at uspis.gov/report. Broader internet fraud complaints go to the FBI's Internet Crime Complaint Center at ic3.gov. If a specific retailer's branding appears on the label, file the report through that retailer's official platform as well.
The empty envelope is designed to provoke curiosity. The operational discipline it demands is the opposite: stop, bypass whatever the package instructs, and navigate to official channels independently.