As Black Friday weekend approaches, many shoppers are eager to take advantage of discounts from online retailers. While consumers are generally cautious about online scams, cybercriminals are developing increasingly sophisticated methods to deceive shoppers and steal their money.
A recent scam known as “brushing” has emerged, where consumers receive unsolicited packages containing QR codes. When these QR codes are scanned, they direct the recipient to a phishing website that attempts to steal their personal information.
Kushal Tantry, CEO of QR Code Developer, explains what a QR code ‘brushing’ scam is and provides tips on how to identify the scam and avoid falling victim to it.
What is a ‘Brushing’ scam?
A traditional “brushing” scam occurs when you receive an unsolicited package at your home address containing an item you did not order. These packages usually bear your name and address but lack a return address.
This scam can be executed by third-party sellers on platforms like Amazon. The fraudster may acquire your name and address through a data breach, social media, or a public directory. They then create an Amazon account using your information and purchase a product from their own store, shipping it to your home.
After you sign for the package, the scammer writes a positive, verified review of the product in your name. This boosts their seller rating and helps to drive more sales.
What is a QR code ‘Brushing’ scam?
Scammers have begun to take this a step further by including a QR code inside the package, with instructions to scan it to register your new product online or to access more details on who sent you the package.
In reality, the QR code directs you to a phishing website that asks you to fill in more of your personal information, such as your banking details, which the scammer will then have access to.
What to do if you encounter a QR code ‘Brushing’ scam?
If you receive an unexpected package addressed to you, it is your choice whether to keep or dispose of the item inside. However, if the package includes a QR code, do not scan it.
Instead, contact your local authorities to report the situation. This will help them issue a warning to prevent others from becoming victims of the scam.
Additionally, inform the company that allegedly sent the package using their official contact details. Avoid using any contact information provided on the package itself.
You can notify Amazon that you have received an unwanted package here: https://account-status.amazon.com/report-unwanted-packages
How to protect yourself from future scams?
The first thing to do after receiving an unexpected package is to check your existing accounts and change any passwords, in case the scammer has direct access to your online account. If you received an unsolicited package, the scammer is likely to know only your name and home address, but make sure to monitor your bank accounts for any strange activity.
Any suspicious QR codes should be treated with caution, especially if the webpage that opens after scanning asks you to enter personal information. As a general rule, avoid scanning any QR codes sent to you via packages, emails, and text messages unless you can confirm the source as legitimate.