If You Get a Package You Never Ordered, Do This

You open the front door and there is a box sitting on the mat with your name on the label. Problem is, you did not order anything. Maybe it is a cheap phone case, a plastic bracelet, a pack of socks, some seeds, or a random gadget you have zero memory of buying. Your first thought is probably something like “free stuff, cool.” Pump the brakes on that. A surprise package you never ordered is almost never a lucky mistake, and it is definitely not a gift from a secret admirer. Nine times out of ten, it is a signal that your personal information is floating around somewhere it should not be.

The U.S. Postal Service put out a consumer alert about this in August 2025, and the FTC has been sounding the same alarm. There is a name for what is happening, and how you react in the first few minutes actually matters. Here is exactly what to do, step by step.

First, Understand Why It Landed on Your Porch

This little trick is called a “brushing” operation, and once you know how it works, the mystery box stops feeling flattering and starts feeling creepy. A third-party seller, very often based overseas, gets hold of your name and mailing address, usually pulled from a data leak or bought off a shady database. Then they “order” their own product and ship it to you for free. The second the tracking shows delivered, they log in and post a glowing five-star review under your name as a “verified buyer.” That fake review shoves their junk product higher in search results, which drives more real sales to actual shoppers who get burned.

The scale here is wild. According to Security.org, Amazon yanked more than 275 million reviews in 2024 over suspicions they were faked, and in 2025 the company sued 75 different outfits that were selling fake reviews. Americans reported losing more than $12.5 billion to fraud in 2024. So no, this is not a harmless clerical error. It is a piece of a much bigger machine.

Do Not Scan Any QR Code That Came With It

This is the single most important rule, so I am putting it near the top. The newer, nastier version of this scheme comes with a little card, flyer, or insert printed with a QR code and a friendly note like “Scan here to find out who sent your gift!” Do not scan it. Ever.

Cybersecurity folks call this “quishing,” short for QR code phishing. As Avast explains, that code can send you to a fake login page built to steal your username and password, a phony payment portal that grabs your card number, or worse, it can trigger a malware download that hands a stranger access to your phone. Scamicide notes the QR twist is exactly how the scam has “evolved” from an annoying prank into something that can drain your accounts. The curiosity is the trap. Toss the card, ignore any phone numbers printed on the packaging, and do not reply to any texts or emails asking you to “confirm” the delivery.

Make Sure It Really Was Not a Gift

Before you go full detective mode, do the boring but necessary thing and rule out the obvious. Text your mom, your partner, your best friend, and anyone else who might have sent you a surprise. Check whether it is a preorder you forgot about or something a family member shipped to your place. Amazon’s own guidance puts this as step one for a reason. Most of the time you will confirm nobody you know sent it, but it takes two minutes and saves you the embarrassment of reporting your aunt’s birthday present as fraud.

Change Your Passwords Right Now

If you have confirmed nobody ordered this thing for you, assume your info is out there and act like it. Go change the passwords on your online shopping accounts, and change your email password too, since that is the master key to everything else. The FTC recommends updating passwords on all your shopping accounts in case any were compromised.

Two extra moves that take five minutes and are absolutely worth it: turn on two-factor authentication everywhere you can, and stop reusing the same password across sites. Maps Credit Union points out that most brushing runs on fake profiles and stolen shipping info, but in rare cases a scammer actually gets into your real account, places an order with your saved card, and reviews it in your name. If you use one password for everything, you are basically leaving the front door propped open.

Report the Package to the Marketplace

The company whose logo is on the box wants to know about this, because these fake reviews poison their whole platform. If it came from Amazon, fill out the Report Unwanted Package form. You will need the number of packages you got and a tracking number from at least one shipping label. Amazon says it investigates these reports and can suspend sellers, withhold their payments, and even loop in law enforcement. It may take the company up to 10 days to work through a case.

Not an Amazon box? LifeLock/Norton breaks down the reporting path by platform: Temu has a Support Center in its app and website, eBay has a Security Center for suspicious sellers and fake reviews, and Walmart uses a Report Seller Activity form. Take 60 seconds to file it. You are not just protecting yourself, you are making it harder for that seller to fool the next shopper.

Keep the Stuff, It Is Legally Yours

Here is the one genuinely good part of this whole mess. You get to keep the item, guilt free, and you never owe anyone a dime for it. Under the Mail, Internet, or Telephone Order Merchandise Rule, spelled out by the FTC, any merchandise mailed to you that you did not order can be treated as a gift. You have the right to “retain, use, discard, or dispose of it” however you want, with no obligation to the sender whatsoever. A company legally cannot ship you unordered goods and then send you a bill for them.

If the item leaves you uneasy and it arrived unopened with a return address on it, you have an easy out. McAfee notes you can simply mark it “Return to Sender,” and USPS will send it back at no cost to you. And if a seller ever claims you owe postage, tell them flat out that you never placed the order. You do not pay for things you did not ask for.

A Special Note on Seeds

Seeds deserve their own warning, because this exact thing has happened at scale. Back in 2020, people across the U.S., Canada, and the U.K. reported getting mystery seed packets mailed from China, which set off a small storm of conspiracy theories before officials confirmed it was a brushing operation. More recently, LifeLock reports that people in Alabama, Texas, and New Mexico received unordered seeds. Do not plant them and do not just chuck them in the yard. Unknown seeds can sprout into invasive species that wreck local ecosystems. Report them to the USDA or your state agriculture office and let them handle it.

Keep an Eye on Your Accounts and Credit

A brushing package is basically a smoke alarm for your personal data. Someone had enough of your details to ship a box to your exact address, so it is smart to watch for what else they might do with that info. Comb through your bank and credit card statements for charges you do not recognize, and check your shopping accounts for orders or login attempts that were not you.

You can also pull your credit report for free every week at AnnualCreditReport.com, which the FTC recommends for spotting early signs of identity trouble. If you want an extra layer, Security.org suggests placing a fraud alert on your credit. With more than 3,300 major data leaks hitting over 343 million people in the U.S. in a single recent stretch, keeping half an eye on your accounts is just good habit now.

Whatever You Do, Do Not Contact the Sender

It is tempting to track down whoever shipped this and demand answers. Resist that urge. The FTC and the Postal Service both warn that reaching out to the sender only confirms your address is live and active, which invites more junk and more targeted attempts to squeeze information out of you. Anyone who responds is going to fish for more sensitive details, not apologize. Silence is your friend here.

Report It to the FTC and the Postal Inspectors

Finish strong by putting it on the record with the folks who build cases against these operations. File a report with the FTC at ReportFraud.ftc.gov. If the package came through the mail, the Postal Inspection Service wants to hear about it too. And if a QR code or a follow-up message was involved, the FBI recommends reporting it to the Internet Crime Complaint Center at ic3.gov. Your report might seem like a drop in the bucket, but it helps investigators spot patterns and warn your neighbors before they scan the wrong code.

Bottom line: a package you never ordered is not a windfall, it is a heads-up. Keep the socks, skip the QR code, lock down your passwords, and report it. Then get back to your day knowing you handled it the right way.

Mike O'Leary
Mike O'Leary
Mike O'Leary is the creator of ThingsYouDidntKnow.com, a fun and popular site where he shares fascinating facts. With a knack for turning everyday topics into exciting stories, Mike's engaging style and curiosity about the world have won over many readers. His articles are a favorite for those who love discovering surprising and interesting things they never knew.

Must Read

Related Articles