Scannable Codes in Mail: A Warning


SouthernWorldwide.com – A plain white envelope arrives in your mailbox, addressed to you and perhaps even bearing a tracking number. The sender is unfamiliar, but the delivery appears legitimate. Upon opening it, you find it’s empty, with no note, product, or explanation.

Such a situation naturally sparks curiosity, which is precisely what scammers may be banking on. Investigators and consumer protection groups have issued warnings that empty envelopes and mystery packages can be linked to a scam known as “brushing.” In a more alarming variation, the package might contain a QR code designed to lead you to a fraudulent website or to steal your personal information.

The greatest risk lies in what these scammers hope you will do next. If they can trick you into scanning a QR code, clicking a link, calling a fake number, or divulging personal information, that mysterious envelope could escalate into a far more significant problem.


The empty envelope scam is frequently associated with brushing. This is a practice where a third-party seller dispatches a low-cost item, or sometimes just an empty envelope, to a real person’s address to create the illusion of a genuine order delivery.

Once the delivery is marked as completed, a dubious seller can leverage this delivery record to post a fake “verified buyer” review on an online marketplace. These fabricated reviews can artificially inflate the perceived popularity of subpar products.

Recent reports detail individuals receiving small, white padded envelopes from unknown or potentially fake sender names. Some people receive these multiple times, while others find cheap trinkets, packing materials, or nothing at all inside.

While this might seem like a peculiar annoyance, a more significant concern is that your name and home address may already be in the hands of malicious actors.

Scammers don’t need to send you anything valuable; they only require a tracking number that confirms a delivery to a legitimate address. Here’s a common way this scam unfolds:

A scammer obtains your name and address through data brokers, public records, past data breaches, or online leaks. They then fabricate an order using your details and mail a cheap item or an empty envelope to your residence.

After the delivery is recorded as complete, the seller can falsely claim that you purchased the product. A fraudulent positive review may then appear under your name or account information, helping unscrupulous sellers boost their ratings and deceive genuine shoppers. This also indicates that your personal information might already be circulating, accessible to scammers.


Some mystery packages now include a QR code with seemingly innocuous messages like “scan to see who sent this gift” or “scan to verify delivery.” It’s crucial to resist the urge to scan it.

A QR code is essentially a hidden link, and its destination is not readily apparent before your phone deciphers it. Scammers understand that curiosity is a powerful motivator, especially when a package arrives bearing your name.

This QR code could lead you to a counterfeit website that prompts you to enter your name, phone number, address, credit card details, bank login credentials, or shopping account passwords. It might even attempt to trick you into inputting a one-time verification code.

This is where the genuine financial risk begins. If you provide scammers with your login details or banking information, they could potentially gain control of your accounts, make unauthorized purchases, or access your payment applications.

If you receive an unsolicited envelope or package, don’t panic. Treat it as a warning sign and take a few prudent steps to protect yourself.

Even if a card instructs you to scan a QR code to identify the sender, disregard it. Instead, navigate directly to the retailer’s or shipper’s official website yourself.

Scammers might include a fake customer service number or website within the package. If you need to contact entities like Amazon, Walmart, eBay, USPS, UPS, or FedEx, type their official website address into your browser or utilize the company’s official application.
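As an added illustration (not part of the original article), the Python sketch below classifies the text decoded from a QR code before anything is opened, flagging the disguises a "hidden link" can use. The allowlist of official domains, the function names and the sample payloads are assumptions constructed for this example.

```python
from urllib.parse import urlsplit
import ipaddress

# Illustrative allowlist (an assumption of this example): public domains of the
# companies and agencies the article names.
OFFICIAL = {"amazon.com", "walmart.com", "ebay.com", "usps.com",
            "ups.com", "fedex.com", "uspis.gov", "ic3.gov"}
BRANDS = {d.split(".")[0] for d in OFFICIAL}

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def assess_qr_payload(payload):
    """Classify text already decoded from a QR code; makes no network requests."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return ("suspicious", "malformed link")
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return ("suspicious", "not a web link (may dial, text or open an app)")
    if not host:
        return ("suspicious", "no host name")
    if parts.username is not None:
        return ("suspicious", "text before '@' disguises the real host " + host)
    if is_ip(host):
        return ("suspicious", "raw IP address instead of a domain")
    if any(label.startswith("xn--") for label in host.split(".")):
        return ("suspicious", "punycode host can imitate a brand name")
    for domain in OFFICIAL:
        if host == domain or host.endswith("." + domain):
            if scheme != "https":
                return ("suspicious", "official domain but not HTTPS")
            return ("official-domain", domain)
    # Substring match errs on the side of caution (it can flag harmless hosts).
    if any(brand in host for brand in BRANDS):
        return ("suspicious", "brand name inside unrelated host " + host)
    return ("unknown", "unrecognised host " + host)

# Constructed sample payloads; .example hosts are reserved for documentation.
SAMPLES = ["https://www.usps.com/manage/",
           "https://usps.com.track-gift.example/verify",
           "https://amazon.com@gift-sender.example/who",
           "http://192.0.2.10/gift", "tel:+15555550100"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", assess_qr_payload(s))
```

Even an "official-domain" result only says where the link points; typing the address yourself, as advised above, remains the safer route.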

Log in directly to your accounts with Amazon, Walmart, eBay, TikTok Shop, and other online retailers. Review your order history for any unrecognized purchases, look for suspicious reviews, check for altered shipping addresses, or note any unfamiliar payment methods.

Begin by scrutinizing your email, shopping, and financial accounts. Employ strong, unique passwords and consider using a password manager for secure generation and storage. Avoid reusing the same password across different platforms. Explore the best expert-reviewed password managers of 2026 at Cyberguy.com

Two-factor authentication, also known as 2FA, adds a secondary layer of security to your login process, meaning a password alone is insufficient. Whenever possible, utilize an authenticator app. This offers superior protection compared to text message codes, making it significantly harder for scammers to access your accounts.

Be vigilant for small test charges, unfamiliar transactions, new subscriptions, or withdrawals you did not authorize. Report any suspicious activity to your bank immediately.

If you suspect your identity may be compromised, review your credit reports. You might also consider placing a fraud alert or a credit freeze with credit bureaus like Equifax, Experian, and TransUnion.

Report suspicious packages to the U.S. Postal Inspection Service at uspis.gov/report. You can also file a scam complaint with the FBI’s Internet Crime Complaint Center at ic3.gov. If a retailer’s name is visible on the label, report the incident directly through that retailer’s official website.


Scanning a QR code doesn’t automatically mean your accounts have been compromised. However, if you have entered information, downloaded an application, or typed in a verification code, you need to act swiftly.

A robust security tool can help block phishing websites, malicious links, and harmful downloads before they can inflict damage. We recommend using strong antivirus software, as it provides protection beyond basic virus detection. This includes safeguarding against phishing, scams, and blocking web threats across Windows, Mac, Android, and iOS devices. Find my top picks for the best 2026 antivirus protection winners for your Windows, Mac, Android & iOS devices at Cyberguy.com

Brushing scams often originate from the fact that your name, home address, phone number, or other personal details are already available online. Data brokers collect and sell this information, which scammers can then exploit to make their fraudulent schemes appear more credible. A data removal service can help reduce your online footprint by requesting the removal of your personal information from broker websites. We advocate for using a reputable data removal service to help scrub your personal information from data broker sites, thereby decreasing the amount of data scammers can leverage against you. Check out my top recommendations for data removal services and get a complimentary scan to determine if your personal information is already exposed online by visiting Cyberguy.com

An empty envelope might seem harmless, but it can signal that your personal information is already being misused. The most critical action you can take is to avoid engaging with any element within the package that attempts to draw you into further steps. Do not scan QR codes from unsolicited packages. Do not call unknown numbers provided on cards. Do not enter personal information on websites accessed through a package you never ordered. Scammers rely on curiosity. Exercise caution, navigate directly to official websites, and secure your accounts before a peculiar envelope evolves into a much larger predicament.

Have you received an empty envelope or a mystery package that you did not order? Please share your experience by writing to us at Cyberguy.com
