A brushing scam involves receiving unexpected packages containing items you didn’t order. The goal? Fraudulent sellers use your name and address to generate fake reviews, boosting their products’ visibility and ratings on e-commerce platforms. While these scams might seem harmless at first, they often exploit personal information and can lead to financial and reputational harm. These parcels can also contain a QR code inviting you to review or register the product. Human curiosity, especially when you’ve received a mysterious parcel, will tend to get the better of us.
Here’s how Brushing works:
1. Scammers buy and send low-cost items to you by setting up an account (on popular online retailers) with your name and address.
2. Now a 'verified purchaser', they create fake buyer profiles under your name to leave glowing reviews for their products, or they include a QR code leading to the review page, to product registration, or to an FAQ page, in order to collect more of your information.
3. The potential false reviews influence real buyers, leveraging the power of social proof to boost sales.
4. Or the QR code leads to a credential-capture site, which means you've just leaked even more information.
While receiving free items might sound like a victimless crime, the reality is far more sinister. Brushing scams typically rely on using your stolen personal data, such as your name and address, which could have been acquired through data breaches or other malicious means. It's a symptom of a larger problem.
The risks don’t stop there: your identity could be used for fraudulent activity beyond fake reviews, leading to more serious crimes such as money laundering or identity theft, where criminals open bank or credit card accounts in your name and have the address-verification mail delivered to your address.
The Rise of Quishing
QR codes, which have been incredibly convenient for sharing information quickly, have become a vector for cyber attacks. A QR code scam, or quishing, uses QR codes maliciously, to direct victims to phishing websites, fake payment portals, or malware downloads.
Common Examples of Quishing:
- Parking meters: Scammers replace legitimate QR codes with fake ones, tricking users into entering payment details (Sadly, you’ll likely end up with a parking fine on top of it).
- Restaurant menus: Replaced codes direct diners to phishing sites that mimic the venue’s menu and ask for credit card details to pre-pay.
- Delivery notices: Scammers use QR codes in fake delivery messages to collect personal data or payment information to release parcels from customs, or to complete the delivery.
It’s important to note that QR codes themselves don’t (usually) automatically download malware. These scams typically require user interaction, such as opening the link or entering sensitive information once the scammer’s website asks for it, which makes phishing awareness crucial.
Why it matters (Can't I just enjoy freebies?)
Brushing scams and quishing not only compromise personal data but also pose risks to businesses. For organisations, a compromised employee could expose company credentials or sensitive information, leading to further breaches.
With studies showing that up to 84% of people rely on online reviews when making purchasing decisions, the rise of fake reviews through brushing scams undermines consumer trust. The widespread use of QR codes in workplaces and public spaces makes vigilance essential, especially since they are now seen as a normal way of accessing information.
An employee receiving a parcel at the workplace with the promise of a discount on the next item may be tempted to scan the QR code in an effort to save the company money, or to use the discount for themselves.
How to stay safe
- Report suspicious packages: If you receive an unsolicited package, report it to the ACCC or the e-commerce platform itself.
- Monitor your accounts: Use tools like Have I Been Pwned to check if your personal information has been exposed.
- Be cautious of unsolicited mail: Avoid engaging with unknown senders or clicking links in emails related to unexpected deliveries.
QR code safety tips
- Verify the source: If you encounter a QR code in public, ask staff to confirm its legitimacy. Be wary of stickers placed over original codes.
- Avoid unsolicited codes: Don’t scan QR codes in emails, messages, or packages from unknown senders.
- Use a scanner app: Apps that preview a QR code’s link before opening it can add an extra layer of protection.
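As an added example that is not part of the original post, here is the kind of link-preview triage a scanner app performs: a small stdlib-only Python function that takes the text decoded from a QR code and lists red flags before anyone opens it. The `expected_domain` parameter, the shortener list and the sample payloads are my own constructed assumptions.

```python
import ipaddress
from typing import List, Optional
from urllib.parse import urlsplit

# Assumed list of popular link shorteners that hide the final destination.
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly"}


def triage_qr_payload(payload: str, expected_domain: Optional[str] = None) -> List[str]:
    """Return risk indicators for the text decoded from a QR code.

    An empty list means no red flags were found; it is not proof the link is safe.
    expected_domain is the domain the parcel, menu or notice claims to belong to.
    """
    flags: List[str] = []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    # Non-web schemes (tel:, sms:, wifi:, mailto:) act on the device, not a browser.
    if scheme not in ("http", "https"):
        flags.append(f"non-web scheme '{scheme}'" if scheme else "payload is not a URL")
        return flags
    if scheme != "https":
        flags.append("plain http: card details or credentials would travel unencrypted")
    host = (parts.hostname or "").lower()
    # user@host tricks: the part before '@' is ignored by the browser but fools the eye.
    if parts.username or parts.password:
        flags.append("userinfo before '@' can disguise the real host")
    try:
        ipaddress.ip_address(host)
        is_ip = True
        flags.append("host is a raw IP address rather than a domain")
    except ValueError:
        is_ip = False
    # Punycode or non-ASCII letters can spell a look-alike brand name.
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        flags.append("internationalised/punycode host (possible look-alike domain)")
    if host in KNOWN_SHORTENERS:
        flags.append("link shortener hides the final destination")
    # brand.com.something.example: the real domain is the last two labels, not the first.
    if not is_ip and host.count(".") >= 3:
        flags.append("deeply nested subdomains (brand name may be buried as a subdomain)")
    if expected_domain:
        exp = expected_domain.lower()
        if not (host == exp or host.endswith("." + exp)):
            flags.append(f"host '{host}' is not under expected domain '{exp}'")
    return flags
```

Show the flags to the user alongside the decoded URL so the decision to open it is made with the full destination visible.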
What organisations can do
- Educate employees about quishing scams through regular training.
- Implement policies for verifying incoming packages and emails.
- Schedule our QR code phishing training and add QR code simulations to your phishing simulations.
To find out more about QR codes and how they can compromise your organisation's data, set up a demo of our full platform today and see how we can help reduce the human risk associated with cyber security.