You walk up to your porch and there it is. A package. Your name is on it, your address is correct, but you definitely did not order anything. Maybe it’s a weird little Bluetooth speaker, a handful of plastic rings, or a bag of mystery seeds. Your first instinct is probably to shrug, open it, and move on with your day. But that package is trying to tell you something, and you should listen.
This is almost certainly a brushing scam. And while the item inside might seem harmless, the fact that it showed up at all means someone out there already has your personal information. Here is exactly what you need to do, ranked from the absolute worst response to the smartest move you can make.
7. The Worst Response: Scan the QR Code or Contact the Sender
If your mystery package came with a little card, a note, or a QR code urging you to “find out who sent this,” do not scan it. Do not visit the website. Do not call the number. This is the single worst thing you can do. According to Maps Credit Union, a growing variation of the brushing scam involves what security experts call “quishing,” which is QR code phishing. Those codes can send you straight to fake websites designed to harvest your login credentials, credit card numbers, or other personal data. In some cases, scanning the code can even trigger malware downloads that give hackers access to your phone.
And if you search for the sender online and try to contact them? The FTC warns that anyone who responds will likely try to extract even more sensitive information from you. You’re basically confirming that your address is active and that you’re willing to engage. That makes you a bigger target, not a smaller one.
6. Almost as Bad: Pay for It or Return It Because Someone Asked You To
Here is a scenario that catches more people than you’d think. You get the mystery package, and then you get a follow-up email, letter, or even a phone call claiming you owe customs fees, shipping charges, or a restocking fee. Some of these messages look incredibly official.
Do not pay a single cent. Under federal law (Title 39, United States Code, Section 3009), if you receive unsolicited merchandise, you may legally treat it as a free gift. You owe nothing. No company can force you to return it or bill you for it. They cannot send your “account” to a collections agency because there was no legitimate transaction in the first place.
As Thodex.com notes, once a scammer knows your address is active, they sometimes follow up with fake invoices demanding “customs fees.” Legitimate law enforcement and companies like Amazon will never ask you to pay a fine via gift cards, cryptocurrency, or wire transfer. If you get that kind of request, hang up immediately.
5. Not Great: Just Ignore It Completely
A lot of people open the mystery package, see some cheap trinket, toss it in a drawer, and forget about it. That’s understandable. But simply ignoring the situation is a missed opportunity to protect yourself.
The reason this ranks in the middle of the list is that while you’re not making things worse, you’re not making them better either. That package is a signal flare. According to LifeLock/Norton, the scammers who sent it likely found your personal details through people-search sites, data brokers, or leaked information from data breaches on the dark web. They created fake buyer accounts using your information on online marketplaces. Your name and address are floating around, and doing nothing means you’re leaving yourself exposed for whatever comes next.
Ignoring the package is better than scanning a QR code, sure. But it’s far from the smartest play.
4. Decent: Check Whether It’s Actually a Gift
Before you go into full alert mode, take 30 seconds to think. Did your mom order something for you? Did a friend send a surprise? Is your birthday coming up? Both Amazon and Maps Credit Union recommend verifying that the package isn’t simply a gift before assuming the worst. A quick text to a few family members can save you a lot of unnecessary worry.
That said, if nobody claims it, treat it as suspicious and move on to the higher-ranked steps below. And here’s an important distinction from GovFacts: if the package is addressed to YOU and you didn’t order it, that’s unsolicited merchandise and it’s yours to keep. But if it’s addressed to someone else entirely, that’s a misdelivery, and it belongs to the intended recipient. Those are two very different situations.
3. Smart: Change Your Passwords and Enable Two-Factor Authentication
Now we’re getting into the moves that actually protect you. The FTC, USPS, Amazon, and basically every cybersecurity expert all agree on this one: change your passwords immediately. Start with your online shopping accounts (Amazon, Walmart, eBay, Temu, AliExpress) and your email. If you use the same password across multiple sites, change all of them.
McAfee specifically recommends enabling two-factor authentication (2FA) on every account that offers it. This adds a second layer of security so that even if someone has your password, they can’t log in without a code sent to your phone or email.
Also, check your accounts for any orders you didn’t place. In rare cases, Maps Credit Union warns, scammers may gain access to your actual online shopping account, place an order using your saved payment method, and leave a fake review in your name. At that point, your financial information is compromised and you need to act fast.
2. Smarter: Monitor Your Credit and Bank Accounts
A brushing scam is not technically identity theft. But it does mean someone had access to your personal data, and that’s the first domino. The FTC recommends checking your credit report weekly for free at AnnualCreditReport.com. Look for accounts you didn’t open, inquiries you didn’t authorize, or any activity that doesn’t look right.
While you’re at it, scan your bank and credit card statements for unusual charges. McAfee’s cybersecurity team flags this as an essential step, especially during the holiday season and peak shopping periods when brushing scams tend to spike. A small, unfamiliar charge is sometimes a test to see if your card is active before a bigger purchase gets made.
This step ranks near the top because it’s proactive. You’re not just reacting to the package. You’re auditing your entire financial footprint to make sure nothing else has been compromised.
1. The Best Response: Report It to Every Relevant Platform and Agency
This is the gold standard. Reporting the package does more than just protect you. It helps shut down the sellers running these operations and protects other people from getting targeted next.
Here is your full reporting checklist, pulled from multiple official sources:
If it came from Amazon: Go to the Report Unwanted Package form on Amazon’s website. Provide the number of unwanted packages, a tracking number from at least one package (found on the shipping label), and any additional details. You can also call Amazon Customer Service at (888) 280-4331. Amazon investigates all reports and may suspend or remove selling privileges, withhold payments, and work with law enforcement.
If it came via USPS: File a complaint with the Postal Inspection Service online at USPIS.gov or call 1-877-876-2455. The USPS notes that the Postal Inspection Service is the federal law enforcement agency with jurisdiction over mail-related crimes, making them the right people to handle this.
Report to the FTC: Go to ReportFraud.ftc.gov. The FTC tracks patterns across thousands of reports, which helps them identify and take action against large-scale operations.
Other platforms: LifeLock/Norton lists reporting channels for Temu’s Support Center, eBay’s Security Center, and Walmart’s Report Seller Activity form.
If it contains seeds: This is a special case and it matters. The Texas Department of Agriculture collected over 1,100 mystery seed packages sent to more than 100 locations across the state since February 2025. Do not open the seed packets. Do not plant them. Do not throw them away (improperly disposed seeds can still spread in landfills). Keep them sealed in their original packaging and contact your state department of agriculture. You can also report suspected smuggling to the USDA by emailing SITC@usda.gov.
The Bottom Line
A mystery package feels like a weird little bonus from the universe. Free stuff, right? But the real cost is that someone out there has your name, your address, and possibly a lot more. The package itself is almost always worthless junk, cheap jewelry, random gadgets, things that cost pennies to manufacture. The real product in a brushing scam is the fake five-star review that gets posted in your name.
So here’s the quick version. Do not scan QR codes. Do not contact the sender. Do not pay anyone. Do change your passwords. Do check your bank statements and credit report. And absolutely do report it, because reporting is what actually shuts these operations down. You’re under no obligation to return the package or pay for it. Federal law is clear on that. But treating that mystery box as a warning sign rather than a windfall could save you a lot of trouble down the line.
