"Brushing" is the latest cyber scam to watch out for - and it starts in your mailbox


The United States Postal Service (USPS) is warning Americans of a new phishing-related scam known as “brushing,” and it is being delivered right to your mailbox.

The scam starts with an unsolicited package, addressed to the victim, arriving in the mail. It most often appears to come from a popular retailer or e-commerce site, and some packages carry no return address at all.

Most people will open the seemingly harmless package to discover “various sorts of low-cost items, such as household goods, which were not ordered or requested by the recipient,” the USPS said.


The packages are usually sent by an “international, third-party seller” who has lifted the recipient’s address from the internet or from past data breaches.

At this point, the victim can already assume that their personal information has been compromised by the scammers, the USPS warning said. But the scheme doesn’t stop here.


Once the package is delivered to the recipient’s address, the seller will then use the victim's name to write a fake review of the product – all so that the scammer can boost the product’s ratings and ultimately increase sales.

In some cases, victims have even reported getting phone calls from the scammers harassing them to pay for “the unsolicited gift.”

“Whatever you do, DON'T pay for it and don't get conned. If you didn't order the package, you don't have to return it or pay for it,” said United States Postal Inspector Andrea Avery.

“By law, unsolicited merchandise is yours to keep,” Avery said as a reminder. “This happens to be that rare instance where 'finders, keepers' applies unconditionally.”


The USPS further cautions that the bad actors will often reuse your information for other scams and illicit activities, now or in the future.

“While it may appear to be a victimless crime – you did, after all, get some free stuff – the reality is that your personal information has most likely been obtained through nefarious means,” the federal agency said.

Additionally, in some cases, the scammers will order items using a victim's account and address, even paying for it with stolen financial information, and then lie in wait to grab the parcel from the mailbox when it arrives – all without the victim's knowledge.

Brushing with a side of "quishing"


Another variation of the scam, known as “quishing,” tricks the unsuspecting victim into scanning a QR code, also sent via the postal service, that leads them to a fake website where hackers are ready and waiting to steal their personally identifiable information (PII).

In quishing – a truncated form of “QR code phishing” – the fake websites are made to look like replicas of “official sites of banks, government organizations, or other institutions.” There the user is asked to input sensitive information, such as credit card account numbers or login credentials, so the scammers can steal it.

In these cases, the recipient is mailed a 'QR card,' again, inside a package without a return address. On the card are instructions for the recipient to scan the QR image printed on it to find out more information, such as who sent the package or to claim a special gift.
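The defensive step the article implies is to look at where a mailed QR code actually points before trusting it. The following added example (not USPS guidance, and not code from the article) assumes the QR image has already been decoded to its text payload by a phone camera or a decoding library, and it then applies a few checks a practitioner would want: is it an http(s) URL at all, is it plain HTTP, an IP literal, a link shortener, a URL with embedded userinfo, or a look-alike of a domain the recipient actually uses. The allowlisted bank/shop domains and every sample payload below are constructed placeholders.

```python
"""Inspect a decoded QR payload before visiting it (added example, constructed data)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: domains the recipient really banks or shops with.
KNOWN_GOOD = ("examplebank.com", "example-shop.com")

# Link shorteners hide the real destination behind a redirect.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

# Character pairs commonly swapped for look-alikes in fraudulent hostnames.
LOOKALIKE_SWAPS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(host: str) -> str:
    """Fold common homoglyph substitutions so look-alikes compare equal."""
    host = host.lower().strip(".")
    for bad, good in LOOKALIKE_SWAPS:
        host = host.replace(bad, good)
    return host


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels). Assumption: good enough for a demo;
    a real deployment would consult the public suffix list."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch near-miss spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_qr_payload(payload: str):
    """Return (verdict, reasons); verdict is 'trusted', 'suspicious' or 'not-a-url'."""
    reasons = []
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "not-a-url", ["payload is not an http(s) URL"]
    host = parts.hostname  # urlsplit already lowercases the host
    if parts.scheme != "https":
        reasons.append("plain http, no TLS")
    if parts.username or parts.password:
        reasons.append("credentials embedded in URL (userinfo)")
    try:
        ipaddress.ip_address(host)
        reasons.append("IP address instead of a domain name")
        return "suspicious", reasons
    except ValueError:
        pass
    base = registrable(host)
    if base in SHORTENERS:
        reasons.append("link shortener hides the real destination")
    if base in KNOWN_GOOD:
        return ("trusted", []) if not reasons else ("suspicious", reasons)
    # Unknown registrable domain: look for impersonation of a known one.
    norm = normalize(base)
    for good in KNOWN_GOOD:
        brand = good.split(".")[0]
        if norm == good:
            reasons.append(f"homoglyph look-alike of {good}")
        elif edit_distance(norm, good) <= 2:
            reasons.append(f"near-miss spelling of {good}")
        elif brand in host:
            reasons.append(f"brand '{brand}' used in a subdomain of {base}")
    if not reasons:
        reasons.append(f"unknown domain {base}")
    return "suspicious", reasons


if __name__ == "__main__":
    # Constructed sample payloads, as a decoder would hand them over.
    for sample in ("https://examplebank.com/claim",
                   "https://examp1ebank.com/claim",
                   "https://examplebank.com.evil-cards.net/claim",
                   "https://bit.ly/3xyz",
                   "http://examplebank.com/claim",
                   "https://192.0.2.10/login",
                   "tel:+15555550100"):
        print(sample, "->", inspect_qr_payload(sample))
```

The allowlist is the important design choice: rather than trying to recognise every fraudulent site, the check treats only domains the recipient already uses as trusted and explains why anything else should be typed into a browser by hand (or not visited at all) instead of followed from a card that arrived unasked-for.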


To protect against both brushing and quishing scams, the USPS suggests recipients do the following:

  • Do not pay for the merchandise.
  • Keep it.
  • Throw it away.
  • Return it to sender through the post office (at no cost) if unopened.
  • Change your account passwords.
  • Closely monitor credit reports and credit card accounts.
  • Notify authorities.
  • Look out for suspicious contents.

Finally, the USPS says to notify the retailer. “If unsolicited merchandise arrives from Amazon, eBay, or another third-party seller, go to that company’s website and file a fraud report. Then ask the company to remove any fake reviews under your name,” the agency said.