Your weekly dose of scam-proofing in 3 minutes or less. No fluff, just the latest hacks, scams, phishing attacks, and cyber cons you actually need to know about.

🚨SCAM OF THE WEEK: Brushing Scams

When a free package on your doorstep is actually bait.

What is a Brushing Scam?

Originally, a brushing scam was an underhanded trick used by dodgy online sellers to boost their product rankings. They'd send cheap, random items to real addresses (often found online), then leave glowing 5-star "verified purchase" reviews under your name.

You weren’t charged. You didn’t order it. But your name and address helped them fake legitimacy.

Now? It’s evolved. Scammers are piggybacking on this method and adding malicious QR codes and phishing tactics to steal your data or install malware.

🧠 How It Works

Classic brushing scam:

  • A mystery parcel shows up that you never ordered.

  • It contains some ultra-cheap junk (e.g. nail clippers, socks, stickers).

  • The seller uses your name and address to leave a fake review.

Malicious version:

  • The package still arrives unexpectedly.

  • Inside is a "thank you" note or card with a QR code.

The note might say:

  • "Track your reward"

  • "Claim your gift"

  • "See who sent this"

The QR code leads to a phishing site or downloads malware.

💥 Why It Works

For sellers:

  • Shipping costs are often pennies thanks to subsidised shipping (e.g. ePacket).

  • The item is worthless, but the goal is to generate fake reviews and boost sales.

  • A few hundred of these can manipulate product rankings and mislead real shoppers.

For scammers:

  • The package lowers your guard: who suspects malware in a pair of fluffy socks?

  • You’re curious: who sent this? Why?

  • And QR codes make it dangerously easy to act without thinking.

🙈 Real-world Facepalms

  • A Chicago-area police department issued a warning after multiple residents received parcels with sketchy QR codes linking to fake Amazon logins.

  • In the UK, a woman scanned a QR from a package she never ordered. Her phone was infected with spyware that harvested her saved passwords.

  • A New Zealand man received multiple packages with socks and toys, scanned a card out of curiosity, and had his Google account compromised the next day.

⚠️ Red Flags for Customers to Watch Out For

  • Packages you didn’t order from Amazon, Temu, Wish, or AliExpress.

  • Cheap, random contents that make no sense.

  • Notes inside asking you to scan a QR code or click a shortened URL.

  • Messages that feel overly vague: “Your reward is waiting”, “Track your free gift”, etc.

🛡️ How Not to Get Played

  • Don’t scan QR codes from unknown or unsolicited packages.

  • Never enter login or banking info after scanning a code, even if the site looks legit.

  • Check your Amazon/online retail accounts for suspicious orders.

  • Report the incident to the retailer and keep photos of the item, packaging, and QR code.

If you did scan it and input personal info, change passwords and monitor your accounts immediately.

🔥 ONE-LINER HOT TAKE

If it looks like a gift and smells like a trap, don’t scan it.

That’s it for this week.

Remember: not everything that shows up at your door is a surprise gift. Sometimes it’s bait.

Catch you next time,

Dan & the Goldphish Team

📌 P.S. Know someone who gets overly excited about free stuff? Forward them this before they scan a QR code to hell.
