A plain white envelope arrives in your mailbox with your name on it. It may even include a tracking number, making it appear completely legitimate. But when you open it, it’s empty—no letter, no product, and no explanation. Consumer protection experts say that what looks like a harmless mystery could actually be the first step in a scam designed to exploit your personal information.

Investigators have linked these unexplained deliveries to a scheme known as “brushing,” in which scammers use fake shipments to create fraudulent online purchase records. In some cases, the envelope may also contain a QR code that directs recipients to malicious websites designed to steal personal or financial information.

The real danger begins if the recipient becomes curious enough to scan a QR code, click a link, call a phone number, or provide personal information. What starts as an odd delivery can quickly become an identity theft or financial fraud case.

The empty-envelope tactic is frequently associated with brushing scams. In these schemes, dishonest online sellers mail inexpensive items—or even completely empty envelopes—to real addresses to create shipping records showing that an order was successfully delivered.

Once the shipment is marked as delivered, scammers can use the tracking confirmation to post fake “verified buyer” reviews on online marketplaces, making low-quality products appear more popular and trustworthy than they actually are.

Recent reports indicate that recipients have received small padded envelopes bearing unfamiliar or fictitious sender names. Some have received multiple deliveries, while others found only worthless trinkets, packing material, or nothing at all inside.

Although these deliveries may seem more annoying than dangerous, cybersecurity experts warn that the larger concern is that someone already possesses your name and home address.

Scammers don’t need to send anything valuable. All they require is proof that a package was delivered to a legitimate address. They typically obtain names and addresses through data brokers, public records, data breaches, or information leaked online. Using that information, they create fake purchases and mail inexpensive items or empty envelopes to unsuspecting recipients.

After delivery is confirmed, dishonest sellers can falsely claim that you purchased their product and may even publish fabricated positive reviews using your identity or account information. The scheme not only inflates product ratings but also demonstrates that your personal information is already circulating among scammers.

A newer and more dangerous version of the scam involves including a QR code inside the package. The message may urge recipients to “scan to see who sent this gift” or “scan to verify delivery,” but experts strongly advise against doing so.

Unlike a printed web address, a QR code conceals its destination until it is scanned. Cybercriminals take advantage of natural curiosity, especially when an unexpected package arrives bearing the recipient’s name.

The hidden link may lead to a counterfeit website requesting personal details such as your name, address, phone number, credit card information, bank credentials, shopping account passwords, or one-time verification codes.

Once scammers obtain that information, they may gain access to financial accounts, make unauthorized purchases, or compromise payment applications.

Experts recommend several precautions if you receive an unexpected envelope or package.

First, never scan any QR code included with a mystery delivery. If verification is necessary, visit the retailer’s or shipping company’s official website directly rather than using the code.

Second, avoid calling any phone numbers printed inside the package. Instead, contact companies such as Amazon, Walmart, eBay, USPS, UPS, or FedEx only through their official websites or mobile apps.

Third, review your online shopping accounts for unfamiliar purchases, suspicious reviews, unauthorized address changes, or unknown payment methods.

Fourth, update passwords for your email, shopping, and financial accounts using strong, unique passwords for each service. Security experts also recommend using a password manager.

Fifth, enable two-factor authentication whenever possible. Authentication apps generally provide stronger protection than text-message verification.

Sixth, carefully monitor bank and credit card statements for unfamiliar charges, subscription renewals, or withdrawals, and report suspicious activity immediately.

Seventh, review your credit reports and consider placing a fraud alert or credit freeze with the major credit bureaus if you believe your identity may be at risk.

Finally, report suspicious mailings to the US Postal Inspection Service and the FBI’s Internet Crime Complaint Center. If the shipment appears to be associated with a legitimate retailer, notify that company directly through its official website.

If you have already scanned a suspicious QR code, experts say not to panic—but act quickly. Close the webpage immediately, avoid entering additional personal information, change any passwords that may have been exposed, enable two-factor authentication, monitor financial accounts for unauthorized activity, contact your bank if payment information was submitted, scan your device with reputable security software, remove any applications installed through the QR code, and report the incident to both the FBI and the Federal Trade Commission. If particularly sensitive information, such as your Social Security number or banking credentials, was disclosed, freezing your credit may also be appropriate.

Cybersecurity professionals also recommend installing reliable antivirus and anti-phishing software capable of blocking malicious websites, fraudulent links, and dangerous downloads before they compromise your devices.

Another important protective measure is limiting the amount of personal information available online. Because brushing scams often begin with data purchased from brokers or obtained through leaks, reducing your digital footprint through data removal services can make it more difficult for scammers to target you.

Experts say the biggest takeaway is simple: An empty envelope may seem harmless, but it can be an early warning that your personal information is already in the hands of scammers. Resist the temptation to investigate through QR codes, unfamiliar phone numbers, or suspicious websites. Instead, slow down, verify information only through official sources, and secure your accounts before curiosity turns into a much larger problem.

{Matzav.com}