I never ordered this: fraud with delivered packages and letters — brushing and quishing | Kaspersky official blog

You get a delivery notification — or simply find a package sitting by your front door. But you didn’t order anything! Of course, everyone loves a free gift, but in this case you should be wary. There are several scams that start with the delivery of a package to your home.

Of course, check with friends and family first — someone might have sent you something without mentioning it. But if nobody steps forward, there’s a good chance you’re facing one of the schemes described below.

Spoiler alert: under no circumstances should you scan QR codes or call phone numbers printed on the packaging.

Polishing orders

The term brushing scam comes from Chinese e-commerce slang. 刷单 literally means “to polish orders” — effectively referring to a kind of sales-pumping scam. Originally, this “brushing” was relatively harmless: you received a product you didn’t order, and the seller posted a glowing review in your name to boost their sales ranking. To pull this off, unscrupulous sellers buy leaked databases of personal data, then register new marketplace accounts using victims’ names and mailing addresses — but their (the sellers’) own email address and payment method. As such, the victims don’t suffer direct financial loss.

Lucky you; but first — your review

Over time, this relatively gentle “brushing” has evolved into a much rougher kind of sweep-up. These days, scammers try to rip off package recipients by luring them to a malicious website. To do this, they include a card or sticker bearing a QR code in the delivery. The story accompanying the code varies; common examples include the following:

  • “You’ve received a gift! Scan the code to find out who sent it”
  • “Leave a review of our product and get a $100 gift card!”
  • “Confirm receipt of your free delivered item!”

If the victim scans the QR code to find out who the sender is or claim another gift, the rest follows the classic pattern of quishing (QR phishing): either coaxing the victim into entering their payment data (for example, to “activate” the gift card) or codes from banking/government apps, or urging them to install an app for “confirmation” or “activation” — which, of course, is malware.

What if there’s no product at all?

The above schemes only work when an online store can afford to “give away” products as a promotional tactic. But can scammers still get your data without sending any goods? They can — and do.

Instead of a package, the victim finds a professionally printed postcard at their door: “Unfortunately, our courier service couldn’t deliver your parcel because you weren’t home. A gift valued at $200 can only be handed over in person — please contact us to arrange redelivery.” The postcard includes a QR code, a website address, and sometimes even a phone number to “reschedule” delivery.

[Image: example of a phishing postcard with a website address and QR code]

A phishing postcard supposedly from Royal Mail, complete with a website address and QR code, looks highly convincing — the scammers paid great attention to detail.

If you call the number or visit the malicious site linked in the QR code, you’ll be tricked into giving payment details, passwords, or one-time codes through one of the common “delivery” scam scenarios:

  • “Choose a delivery time right away so the item won’t be returned to sender.”
  • “Pay a $2 fee for redelivery.” The goal here is to get your payment data and then charge much larger amounts.
  • “Pay the customs duty.” You’re told a valuable parcel has been sent to you, but you must pay the duty yourself. And these amounts can be quite significant (depending on the supposed item’s value). In some countries, a “courier” may even come in person to collect the fee in cash.

All these schemes can lead to the loss of personal and financial information — but sometimes they escalate into phone fraud with much larger losses. For example, after you pay a fake delivery fee, scammers may call you and claim the parcel cannot be delivered because it contains drugs. This is followed by the psychological pressure of calls from a “police officer”, and attempts to extort a large sum of money to “protect” you from criminal charges.

Cash on delivery

Another popular scam involves products with payment upon delivery. Sometimes scammers advertise a product in advance and send it to the victim with their consent — but there’s also a version where a parcel arrives out of the blue. One day, a courier turns up at your door with a package in your name. Usually, an attractive product name is prominently displayed on the box — for example, a high-end smartphone. But… you have to pay for it. The price is 2–3 times lower than the market rate. The scammers count on greed and urgency (“the courier’s in a hurry, let’s get this done quickly!”) to make the victim pay without checking the item properly. The courier rushes off, and the victim opens the box to find either a cheap knockoff of the claimed product — or just plain garbage.

If the target refuses to pay for the mystery item, the scammers may have a “Plan B” ready — tricking them into giving a one-time verification code for a marketplace or bank, under the pretext of “confirming the order cancellation”.

Targeted attacks

Sometimes, physical delivery scams target specific victims. For example, criminals have attempted to steal cryptocurrency by sending Ledger hardware wallet owners packages claiming to be a free warranty replacement for defective devices. Inside the package was a “new” crypto wallet — actually a USB stick loaded with malware designed to steal the wallet’s seed phrase. Mailing USB sticks has also been used by the FIN7 ransomware gang as part of targeted ransomware attacks on selected organizations.

The hidden threat

Brushing and quishing scams have an unpleasant root cause. If you’re receiving these packages, it means your address and other contact information have been leaked in databases and are circulating on underground forums. These data sets are sold repeatedly, so you may well be targeted by other types of scam too. Be prepared: enable two-factor authentication everywhere, expect scam calls, install an app that blocks such spam calls, check your bank statements frequently, and be sure to install reliable protection on all your devices.

What to do if you receive an unexpected package?

  • Carefully examine the packaging, labels, and any accompanying documents.
  • Take a photo of the package just in case, but never follow any links from QR codes or printed text. Keep the packaging in case there’s an investigation later.
  • Never call the phone numbers or, again, visit the links printed on the parcel.
  • Never pay any “delivery fees” or “customs duties”, and never provide your payment details.
  • Never connect unexpectedly received digital storage devices to your computer or smartphone.
  • If the package was delivered by a major, well-known courier service (Amazon, eBay, DHL Express, UPS, FedEx, AliExpress, national postal services, etc.), go to the company’s official website, find their contact numbers, online tracking service, or live chat, and check the shipment status and sender information. If the parcel has a tracking number, enter it manually — don’t scan any QR codes on the label.
  • Report the suspicious package to the courier service and the police — even if no money was stolen from you.
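The checklist above tells recipients to enter tracking numbers manually rather than scanning the label. A security or fraud team that receives reported postcards still has to look at what the QR codes point to, and can do so safely by decoding the image offline (from the photo the checklist suggests keeping) and classifying the URL without opening it. The following triage helper is an added example written for this article, not Kaspersky’s code; the carrier domain allowlist, shortener list and sample URLs are constructed for illustration, and the registrable-domain logic is a deliberately naive two-label heuristic that would need a public-suffix list for country domains such as .co.uk.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed allowlist of registrable domains for carriers named in the
# article (hypothetical list; check each carrier's real site yourself before
# relying on any such list in practice).
OFFICIAL_DOMAINS = {"royalmail.com", "ups.com", "fedex.com", "dhl.com", "usps.com"}

# Constructed list of URL shorteners. A genuine tracking or redelivery link
# has no reason to hide its destination behind one.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "cutt.ly"}

# Brand tokens that lookalike hosts and paths tend to contain.
BRAND_TOKENS = {"royalmail", "ups", "fedex", "dhl", "usps"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host (www.royalmail.com -> royalmail.com).

    Deliberately naive: it ignores the public-suffix list, so a domain such as
    royalmail.co.uk would need a real PSL lookup (assumption noted in the lead-in).
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host: str) -> bool:
    """True if the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def planted_brand(text: str):
    """Return the first brand token that appears as a whole word in text, else None."""
    tokens = set(re.findall(r"[a-z0-9]+", text.lower()))
    hits = sorted(BRAND_TOKENS & tokens)
    return hits[0] if hits else None


def classify_qr_url(url: str):
    """Classify a URL decoded from a parcel or postcard QR code.

    Returns (verdict, reason) with verdict one of "official", "unknown", "reject".
    """
    parsed = urlparse(url if "://" in url else "https://" + url)
    host = (parsed.hostname or "").lower()
    if not host:
        return ("reject", "no hostname in URL")
    if is_ip_literal(host):
        return ("reject", "raw IP address instead of a carrier domain")
    reg = registrable_domain(host)
    if reg in OFFICIAL_DOMAINS:
        return ("official", f"host belongs to {reg}")
    if reg in SHORTENERS:
        return ("reject", f"URL shortener {reg} hides the real destination")
    # Brand name in the host or path, but the registrable domain is not the
    # carrier's: the classic "royalmail.com.parcel-fee.net" lookalike.
    brand = planted_brand(host + " " + parsed.path)
    if brand:
        return ("reject", f"mentions '{brand}' but the domain is {reg}, not an official one")
    return ("unknown", f"{reg} is not in the allowlist; verify on the carrier's own site")


def triage(urls):
    """Classify a batch of decoded QR URLs; returns {url: (verdict, reason)}."""
    return {u: classify_qr_url(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample payloads modelled on the postcard scenario above.
    samples = [
        "https://www.royalmail.com/track-your-item",
        "https://royalmail.com.parcel-fee.net/redeliver",
        "bit.ly/3abcdef",
        "http://192.168.1.5/pay",
        "https://parcel-redelivery-fee.com/pay",
    ]
    for url, (verdict, reason) in triage(samples).items():
        print(f"{verdict:8} {url}  ({reason})")
```

Only an exact allowlist match yields “official”; everything else is either rejected outright (shorteners, raw IP addresses, brand names planted on someone else’s domain) or left as “unknown” for a human to confirm on the carrier’s real site, which mirrors the advice in the checklist.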
