The U.S. Postal Service is warning Americans about a fast-growing scheme known as a “brushing” scam. Brushing scams involve unsolicited deliveries from third-party online sellers looking to boost their product ratings and visibility. These sellers send cheap, low-value items to real names and addresses, then leave fake “verified” reviews, often posing as the recipient.

It may look like a harmless delivery, such as a keychain, some socks or a random kitchen gadget, but it’s often a red flag that cybercriminals have gotten hold of your name and address. Worse, experts say these schemes can be just the beginning of a broader attempt to exploit your identity or financial accounts.

“These scams occur when a customer receives unsolicited packages containing low-cost items like household goods,” U.S. Postal Inspector Kelly McNulty in Albuquerque reported. “These packages are often sent by online retailers or third parties who use compromised personal information to create fake transactions.”

In other words: if you get a package you didn’t order, someone may already have your data, and they’re using it for profit.

If you receive a mystery box in the mail, don’t panic, but do take action. Here’s what the Postal Service and cybersecurity experts recommend:

  • Report it: Go to USPIS.gov and file a report with the U.S. Postal Inspection Service. Reporting these scams helps federal investigators trace the origin and stop future incidents.
  • Audit your accounts: Check your online shopping, banking and credit card accounts for any unusual charges. It’s also smart to request a free credit report from Equifax, Experian or TransUnion to spot any suspicious activity.
  • Update your passwords: Even if you don’t see fraud, it’s a good idea to change your passwords, especially for your email, Amazon, bank and any accounts where financial or personal data is stored.
  • Use a password manager: Password managers generate and store complex, unique passwords for every account, making it harder for hackers to break in if your data has already been exposed.
  • Don’t engage: You are not obligated to return or review the item. In fact, doing so may validate your address to scammers and lead to more unwanted deliveries.

Most importantly, don’t scan any QR codes on the package. These codes can lead to malicious websites that steal personal data, install malware or phish for sensitive information, postal workers say.