Brushing, Quishing, and Holiday Scams: What to Know Before You Scan 

As the holiday season ramps up, fulfillment centers are running at full speed. With record order volumes and nonstop shipping activity, warehouses become magnets not only for consumer attention—but also for scammers looking to exploit the surge. 

While phishing and social-engineering attempts are nothing new, a recent alert from the Massachusetts State Police Commonwealth Fusion Center highlights a troubling twist that criminals are now pairing “brushing” scams with QR-code phishing, or “quishing.” What started as a nuisance for individual consumers has evolved into a tactic that could easily find its way into professional environments where packages, labels, and QR codes are part of everyday operations. 

How These Scams Work and Why They Matter to Warehouses 

A brushing scam begins when someone receives an unsolicited package labeled with their name and address, usually containing a low-value item. The goal is to post fake positive reviews under that person’s identity, boosting the sender’s online sales reputation. 

The new variation includes QR codes on or inside the packages, which invites the recipient to “confirm delivery,” “track your order,” or “report an issue.” Scanning those codes can direct users to malicious sites impersonating carriers or retailers, where attackers harvest personal information or install malware. 

For warehouse teams, these scams can slip into legitimate inbound workflows. A mislabeled return, vendor sample, or supplier “gift” can easily make its way into a receiving area. Scanning a rogue QR code on a packing slip or label could compromise a device connected to your network, or worse, open a path to internal systems used for inventory and fulfillment management. 

Why These Scams Work, Even in Professional Settings 

The same conditions that make warehouses efficient also make them vulnerable: 

• High package volume makes it difficult to distinguish legitimate shipments from unsolicited ones. 

• Operational urgency means employees may scan labels or click links without verification. 

• Ubiquitous QR codes are used across modern operations for quality checks, pick confirmations, returns processing, and asset tracking. 

Attackers exploit those habits. During peak, when speed trumps scrutiny, the risk of a “harmless” scan turning into a security incident rises sharply. 

Emerging Variations to Watch 

According to the Commonwealth Fusion Center, attackers are also experimenting with: 

• Fake tracking texts that mimic USPS, FedEx, or other carriers are often received on personal phones used by warehouse associates. 

• Malicious USB drives disguised as promotional gifts or supplier tools, capable of installing ransomware when plugged into shared devices. 

Both highlight a growing theme that the boundary between personal and professional risk is blurring. A threat that starts with an employee’s home package or text message can quickly cross into the workplace. 

Strengthening Warehouse Cyber Hygiene 

Protecting a warehouse today means thinking beyond physical gates and cameras. Data security, device management, and human awareness are just as critical. To reduce exposure: 

• Train teams to verify before scanning. Any unsolicited QR code, package, or email link should raise a flag. 

• Restrict device permissions. Limit which systems can access scanners, tablets, or handhelds connected to your WMS. 

• Ban unknown USB devices. Even one compromised drive can introduce malware into a shared workstation. 

• Encourage direct validation. If a shipment seems odd, confirm through official carrier portals—not embedded links. 

• Report suspicious activity immediately. Whether through your internal security team or the FBI’s IC3.gov portal, quick reporting limits damage. 

Besides being an IT policy, good cyber hygiene is an operational discipline that protects throughput, uptime, and trust. 

The Bigger Picture: Security Starts with Awareness 

What looks like a small “free gift” scam can become a doorway to credential theft or system compromise. It’s a reminder that cybersecurity isn’t confined to servers or dashboards in your warehouse; it can now arrive on pallets, labels, and handheld screens. 

When warehouses embed security awareness into daily operations, they prevent data breaches and preserve the integrity of every pick, scan, and shipment that moves through the building. 

Built-In Trust, from Floor to Cloud 

At Locus Robotics, we take the same approach we advocate, which is security by design. Our Trust Center details the comprehensive safeguards built into every part of our ecosystem, from encrypted communications between robots and cloud systems to rigorous compliance standards, continuous monitoring, and employee training. 

By prioritizing security across hardware, software, and human workflows, we ensure that our customers’ data and operations remain protected through peak season and beyond. Whether you’re scanning a QR code or a tote barcode, the principle remains the same to pause, verify, and trust only what’s proven secure.