A Package You Didn't Order Just Showed Up
Open the box. Inside, a cheap kitchen gadget or a plastic phone case you never bought. Tucked next to it, a small white postcard with a QR code and the words "Register Your Gift." It feels harmless. It is not.
This is the 2026 evolution of the brushing scam, and ScamVerify™ tracks it as a fast-spreading hybrid threat that combines physical mail, QR phishing, and identity harvesting in one envelope. The United States Postal Inspection Service (USPIS) has issued a quishing advisory, and police departments across the country, including in St. Louis and several suburban communities, have published warnings in 2025 and 2026 telling residents not to scan QR codes that arrive with unsolicited packages.
What Is a Brushing Scam
A brushing scam happens when an online seller, almost always overseas, ships you a cheap product you never ordered using your real name and address. The seller does this to write themselves a fake "verified purchase" review on a marketplace platform, which boosts their seller ratings and search ranking.
For years, brushing was annoying but not directly dangerous. The recipient got a junk product, the seller got a fake review, and the only personal cost was the queasy realization that a stranger somewhere had your name and address. The Federal Trade Commission has tracked brushing complaints since at least 2018.
The 2026 version is different. The package now ships with a phishing payload inside.
The New QR Twist
The updated brushing playbook adds one component: a small printed card or insert with a QR code and friendly framing language. Common variants include:
- "REGISTER YOUR GIFT"
- "Scan to confirm delivery"
- "Activate your free product warranty"
- "Claim your bonus reward"
The card looks legitimate at a glance, with a clean layout, simple sans serif type, and no obvious red flags. The QR code itself looks identical to any QR code you have ever scanned before, because all QR codes look identical to humans.
This is intentional. The scam works precisely because the recipient is already mildly disoriented by receiving a package they did not order. The card offers a quick explanation: "ah, this is a gift, I just need to register it." Scanning feels like the natural response.
What Happens When You Scan
The QR code does not lead to a legitimate gift registration page. It leads to a phishing site designed to harvest as much of your identity as possible in one session. The flow typically follows three stages:
- A friendly landing page appears claiming to be a delivery confirmation or gift activation portal. It asks you to "verify the recipient address." The page has no recognizable retail brand because the scam is not impersonating any specific store.
- A second page asks for personal details under the guise of "shipping verification" or "preventing duplicate gifts." This is where they collect your full name, date of birth, phone number, and sometimes the last four digits of your Social Security number.
- A third page requests payment information to "cover a small shipping fee" or "complete the gift registration." Many variants charge between $1.95 and $9.99 to cement the deception, since a tiny charge feels real and discourages the victim from challenging it.
By the end of the flow, the scammer has your full identity bundle plus a working credit card number. The cheap product in the box cost them less than $2 to ship from overseas. The data they capture is worth far more on the resale market.
Why This Works on Older Recipients
The Postal Inspection Service flags this scam as especially dangerous for older Americans, and the reason is psychological rather than technical. Older recipients are more likely to:
- Treat physical mail as inherently more trustworthy than digital communication
- Assume that if a package made it through the postal system, the contents must have been processed and verified
- Interpret a "free gift" as a real gift rather than a hook
- Be unaware that QR codes can lead anywhere, including phishing sites
The hybrid format defeats the defenses people have built around digital scams. Someone who would never click a link in a suspicious email may scan a QR code on a card sitting in their kitchen, because the kitchen feels like a safe place and the card looks like it belongs to the package.
What USPIS Actually Says
The official guidance from the United States Postal Inspection Service on quishing and brushing is short and unambiguous:
- Do not scan any QR code that arrives in a package you did not order.
- Do not register any unsolicited "free gift" through any link or QR code, regardless of how official the card looks.
- Keep the package if you can. The shipping label may help investigators.
- Report the package through USPIS at uspis.gov.
The Postal Inspection Service does not contact recipients to register packages, and no real shipping company asks you to scan a QR code to confirm delivery of a package that has already been delivered.
Red Flags Inside an Unsolicited Package
If you receive a package you did not order and any of the following are true, treat it as a brushing scam by default:
- A printed card or insert asking you to scan a QR code
- Language about "registering," "activating," "claiming," or "confirming" a gift
- A small "shipping fee" or "verification fee" mentioned anywhere
- The product inside is cheap, generic, and unbranded
- The shipping label has a warehouse return address you do not recognize, often overseas
- The package is addressed to your name correctly but you have no record of ordering it
What to Do If You Got One
Step by step:
- Do not scan the QR code. Do not visit any URL printed on the card. Do not call any phone number printed on the card.
- Do not throw the package away yet. Take a photo of the contents, the card, and the shipping label.
- Check your accounts on the major marketplaces (Amazon, Walmart, Target, eBay) for unauthorized orders or new third party seller reviews posted in your name. If your name is being used to post fake reviews, contact the marketplace and report the account.
- Change the password on any marketplace account that uses the same email address as the shipping label. Brushing operations often acquire your name and address from older data breaches, and the same data set may include passwords.
- Report the package to the United States Postal Inspection Service at uspis.gov. The agency tracks brushing campaigns and uses the data to disrupt them.
- Report any phishing site you encountered to the Federal Trade Commission at ReportFraud.ftc.gov. If the site impersonated a specific brand, also report it to that brand's fraud team.
How to Verify a Suspicious QR Code Before Scanning
If you absolutely must understand where a QR code leads before deciding what to do with the package, never scan it directly with your camera app. Instead:
- Preview the destination URL on your phone without opening it, for example with a long press on the QR code. On most modern phones, opening the camera and hovering over the QR code will show the URL as a banner before you tap. Read the URL.
- Paste the URL into ScamVerify at our URL checker. We check the destination against 162,000 known malicious domains in our threat database and run AI analysis on the page content.
- If the URL is not from a recognizable brand or government domain, it is a scam.
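The checks above, written out as an added example; this is not ScamVerify's checker. It takes the URL text read off the preview banner and looks at the real host, which is where lookalikes such as `usps.com.parcel-help.example` or `usps.com@203.0.113.7` fail. The trusted list, the blocklist entry, the shortener list and the sample URLs are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumptions for this example: TRUSTED is the reader's own short list;
# BLOCKLIST is a constructed stand-in for a threat feed (.example is reserved).
TRUSTED = {"usps.com", "uspis.gov", "ftc.gov"}
BLOCKLIST = {"gift-register.example"}
SHORTENERS = {"bit.ly", "tinyurl.com"}
LURE_WORDS = ("register", "activate", "claim", "confirm", "gift", "fee")


def _under(host, domains):
    """True if host equals, or is a subdomain of, an entry in domains."""
    return any(host == d or host.endswith("." + d) for d in domains)


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_qr_url(url):
    """Return (verdict, notes) for a URL string decoded from a QR code."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "suspicious", ["no host in URL"]
    if _under(host, BLOCKLIST):
        return "malicious", ["host is on the blocklist"]
    flags = []  # structural red flags; any one of these blocks "trusted"
    if parts.scheme != "https":
        flags.append("not https")
    if parts.username is not None:
        flags.append("text before @ is not the real host")
    if _is_ip(host):
        flags.append("raw IP address instead of a domain")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode label (possible lookalike)")
    if _under(host, SHORTENERS):
        flags.append("URL shortener hides the destination")
    if not _under(host, TRUSTED):
        flags.append("host is not under a trusted domain")
    text = (host + parts.path + "?" + parts.query).lower()
    lures = [w for w in LURE_WORDS if w in text]
    notes = flags + (["lure wording: " + ", ".join(lures)] if lures else [])
    return ("suspicious" if flags else "trusted"), notes
```

Lure wording is reported but does not by itself change the verdict, since legitimate tracking pages also use words like "confirm"; the host checks decide.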
For a deeper explanation of how QR phishing campaigns are built and why they bypass traditional defenses, see our QR code scams explained guide. For the parallel SMS-based version of this same tactic that hit 10 US states in April 2026, see our coverage of the traffic violation QR text scam.
FAQ
Is the cheap product inside the package safe to use?
Probably yes from a physical safety standpoint, but the broader question is whether you want it. The product was shipped to you to enable a fraud (a fake review or an identity harvest), and using it does not stop the scam. Most consumer protection organizations recommend keeping the product as evidence if you intend to report the package, then discarding it. Do not return it to the address on the label, since that confirms your address is active.
Can the scammer charge me just because they have my address?
The address alone is not enough to charge you. The danger is downstream: if you scan the QR code and enter card information, the scammer has both your card and a confirmed shipping address, which makes any subsequent fraud harder for you to dispute. The mere arrival of the package does not give them payment access.
How did they get my address in the first place?
Brushing operations buy or scrape consumer name and address lists from data breaches, leaked marketing databases, and underground forums. Your address being used in a brushing scam does not necessarily mean any of your accounts were compromised recently. It usually means your name and address were exposed in a breach years ago and are now circulating among low cost fraud operations. You can check whether your email has been in a known breach at sites like haveibeenpwned.com.

