How it works
A seller wants more positive reviews than honest customers will give them. They create order records using real names and addresses they have bought or scraped, then ship a cheap, lightweight item to each one so the purchase shows as completed and shipped.
With a delivery on record, the platform counts any review they post under your name as a verified purchase. You receive an unexpected parcel with no invoice and no clear sender, and somewhere online a five-star review now carries your name.
Why it works and who is targeted
Anyone whose name and address have leaked in a data breach or been sold on can become a target, so it is rarely something you did wrong. The scam works because a free gift feels like good luck rather than a warning, and because the cost of shipping a cheap item is tiny compared with the value of fake credibility.
The people genuinely harmed are other shoppers who trust the inflated ratings, and you indirectly, because the same leaked data can be reused for other fraud later.
Red flags in detail
The clearest sign is a parcel you genuinely did not order arriving with no invoice, no gift note, and often no readable sender. The contents tend to be low-value and random: phone cases, seeds, small gadgets, costume jewellery.
Be especially cautious if the package includes a QR code or a slip inviting you to scan it to find out who sent it. That code can lead to a phishing site, so the harmless parcel can be a doorway to a second, data-stealing stage.
What to do and how to stay safe
You are allowed to keep an unsolicited item and are under no obligation to pay or return it. Never pay any fee demanded for it. Do not scan any QR code in the box; instead check whether reviews have been posted under your name and report them to the marketplace.
Change the password of the shopping account linked to your address, turn on two-factor login, and watch your accounts for any orders you did not place. If goods keep arriving, report it to the retailer and to consumer protection.