If a mystery package shows up at your door, don’t assume it’s a free gift — it could be a red flag that your personal information has been exposed.
The U.S. Postal Service is warning Americans about a fast-growing scam called “brushing.” While it might seem harmless — maybe it’s a pair of socks, a keychain, or some cheap gadget — experts say it’s often a sign that your name, address, or other personal data has fallen into the wrong hands.
Worse, it could be just the beginning of attempts to exploit your identity or financial accounts.
What Is a Brushing Scam?
Brushing scams involve third-party online sellers shipping unsolicited packages to real people. These sellers then leave fake, five-star “verified” reviews — often using your name — to boost their product rankings.
“These scams happen when customers receive unexpected packages with cheap items,” explained U.S. Postal Inspector Kelly McNulty. “They’re usually sent by online retailers or sellers who use stolen personal information to create fake purchases.”
If you receive something you never ordered, it likely means your personal data has already been used — and possibly sold.
Why It’s a Bigger Deal Than Just a Free Item
A mystery package may not seem like a cause for concern. But in reality, brushing scams often indicate that your personal details — including your name, address, phone number, or even partial payment info — have been exposed.
That information can be used for phishing attacks, identity theft, credit fraud, or even to get around security features like two-factor authentication.
“This is more than just about a package,” McNulty said. “Think of your personal information like cash. Guard it.”
A Sign of a Larger Issue
The warning about brushing scams comes as part of the USPS’s broader “Project Safe Delivery” initiative, launched in 2023 to fight mail-related crime. So far, it has led to nearly 2,800 arrests, including over 1,200 in 2025 alone for crimes ranging from mail theft to attacks on postal workers.
With scams becoming more personalized and harder to detect, USPS is urging Americans to stay alert.
What To Do If You Get a Package You Didn’t Order
If a surprise delivery shows up, don’t panic — but do take it seriously. Here’s what experts recommend:
- Report it: Visit USPIS.gov and report the suspicious delivery to the U.S. Postal Inspection Service.
- Review your accounts: Check your bank, shopping, and credit card accounts for any unfamiliar activity. You can also request a free credit report from Equifax, Experian, or TransUnion.
- Change your passwords: Even if nothing looks wrong, update your login credentials for your email, shopping, and banking accounts — especially if you use similar passwords across sites.
- Use a password manager: These tools create and store strong, unique passwords for each account, making it harder for hackers to access your data.
- Don’t engage: Don’t return or review the item. Doing so could confirm to scammers that your address is valid — and lead to more unwanted packages.
- Avoid QR codes: Don’t scan any QR codes included in the packaging. Scammers use them to direct victims to malicious websites or steal more information.
Beware of Fake Stamps, Too
In addition to brushing scams, USPS is also warning about a surge in counterfeit postage.
“If you’re seeing stamps sold at 40% or 50% off — especially online — it’s probably a scam,” McNulty warned. Counterfeit stamps can result in your mail being rejected or fines. Always buy stamps from USPS directly or authorized retailers.
Final Thoughts
Brushing scams and fake postage aren’t just nuisances — they could be early warning signs that your personal data is at risk. Don’t ignore that strange package or tempting online deal.
Treat your personal information — like your address, account logins, and passwords — the same way you would treat your bank card or Social Security number: carefully, and with caution.
As McNulty summed it up: “Think before you send — or open — anything.”
