A parcel unexpectedly landing on your doorstep once meant it was probably your birthday. Now, it could mean that a scammer and not a loving relative is reaching out. Learn how brushing scams are turning online marketplaces into playgrounds for fraudsters eager to lay their hands on your personal information to boost their sales. Then help protect yourself from online threats with Avira Free Security, so your data and online accounts are less likely to become a gift for hackers.
What is a brushing scam?
The rise of e-commerce has inevitably attracted the attention of those eager to exploit our love of shopping online. Now, they seem to feed our shopping addiction by sending us free, unsolicited parcels. Before you start celebrating and wondering who to thank—don’t. It could be a brushing scam. This is a type of e-commerce fraud that involves scammers sending people packages that they never ordered. But why the sudden generosity? Armed with your name and address, the scammer poses as you to place an order so they can then write a five-star review for their product. E-Commerce sites like Amazon see them as verified buyers and happily publish the review, helping to promote and legitimise the seller’s business.
If brushing scams are repeated thousands of times, they can make a real impact on a product’s online ratings and help a company gain a foothold in the hard-fought e-market space. Particularly if a product is of poor quality, or the seller is unreliable and even dishonest, fake reviews will be their only chance of ‘earning’ five stars. The increase in sales and positive reviews can help the product move up in search rankings on e-commerce platforms, making it more visible to potential buyers. If a customer is misled by the hype and the head of their new toothbrush crumbles, for example, the tide of false positive reviews will drown out their complaint.
Once it was dentists and mothers who extolled the virtues of brushing. Now it’s a buzzword among online security experts as they try to stop scammers from getting their teeth into our confidential data and online accounts. If you’re wondering why it’s called ‘brushing’, there are a few theories. It could refer to the process of giving items an online polish to ‘brush up’ sales results and buff up a company’s reputation. Or it’s based on the idea of ‘brushing aside’ a customer’s suspicions of a poor-quality item.
By understanding brushing scams, we as consumers can be more vigilant and take steps to help protect ourselves from such fraudulent activities. If your finger is hovering over a “buy now” button, first find out more about these scams.
How do brushing scams work?
In a nutshell, a seller sends packages with cheap goods to people who did not order them, by using real names and addresses that they obtained illegally. You can read up here on web tracking and how easily your data and browsing history are harvested by third parties online. Brushing scams generally follow these five simple steps:
Step 1: Finding personal information.
The search is on. The seller hunts for people’s names and addresses online, usually by perusing the dark web for data breaches, buying data from data broker sites, or using people search. Social media profiles can also be a treasure trove of personal details—watch what you share so you’re not a victim of social media hacking.
Step 2: Creating fake accounts.
Scammers use the names and addresses they’ve stolen to open accounts—often hundreds—on e-commerce platforms where they sell their goods. They can also open accounts at their own online stores.
Step 3: Making false purchases.
Now it’s time to start ‘buying’. The scammer uses these fake accounts to place orders for their own products. They either pay for these orders themselves or use stolen credit card information. These fake purchases grant the buyer verified status.
Step 4: Delivering unsolicited packages.
Now the products are delivered to the addresses obtained by the fraudster. The recipients receive unexpected packages delivered to their door.
Step 5: Leaving fake reviews.
As a ‘verified’ buyer, the brush scammer can post glowing reviews for their own products using the names of the unsuspecting recipients of these goods. This helps boost their ratings and increase their visibility on the e-commerce site.
To be effective, scammers repeat this process over and over again. Brushing scams can involve thousands of fake accounts and reviews, making it look as if these products have been purchased repeatedly and used by legions of satisfied customers. In a nutshell: Brushing scams conjure up an illusion of high manufacturing quality and retail success.
The hallmarks of a brushing scam: How to identify one
An unexpected delivery doesn’t necessarily mean it’s a brushing scam. It’s easy to lose track of all the items we order, and a delivery person might accidentally deliver a package meant for someone else (they’re only human after all). Also, friends or family might have surprised you with an online order. You need to look out for a collection of tell-tale signs:
- You receive items you’re sure you didn’t order. (Check your order history online and verify that no friends and family were involved).
- The package resembles legitimate branding but there’s no contact information like a return address.
- Online reviews appear for these products in your name, and you know you didn’t write them.
If you’re confident that a bushing scammer is involved, it’s time to examine the risks and act.
Are brushing scams dangerous? Let’s examine the risks
An unexpected gift might not seem like such a bad thing, but beyond just receiving a product you might not need, there are potentially harmful consequences. What else can a scammer do if they possess enough personal details to act in your name and even steal your identity?
Here we’ve outlined some of the hazards of a brushing scam in case you’re too distracted by the free face cream or micro popcorn maker you’ve just unexpectedly received:
- Your personal data being exposed: If you receive a package and you’re sure you didn’t order it and it’s not a gift, it probably means that your personal information (at least your name and delivery address) has been compromised. This can happen during a data breach, or if one of your online accounts is hacked. There’s also the dark web, which is awash with illegal marketplaces that sell stolen data. (We recommend that you never go there, but if you absolutely must, read up on links to dark websites to arm yourself).
- Your name being used illicitly. Having your name associated with products that you didn’t buy and have never used, particularly if they are sensitive in nature, could cause embarrassment and even damage your reputation. And what of other harms, like a parent buying a possibly hazardous toy for their child because they believed ‘your’ review that it’s safe? Beyond just fake reviews, it’s vital to remember that your identity is valuable and a hot commodity. Your name, address and date of birth can provide enough information to create another digital ‘you’ and you could end up losing money or finding it difficult to get loans, credit cards or a mortgage.
- Your online account being suspended. Fake reviews being posted in your name to boost the sales and marketing of fraudulent products could result in your account/profile being investigated by the ecommerce platform. They might end up restricting or suspending your account!
- Being misled as a customer. If a seller’s account is packed with fake positive reviews and their product ratings have been artificially inflated, it’s easy to be misled into buying poor–quality goods. Do you really want to ruin your child’s birthday with a toy fort that collapses or poorly made fakes of his favourite toy characters?
- Facing potential safety hazards. Some goods sent via brushing scams might even pose a risk to the health and safety of the recipient or the bio-health of the local ecosystem (if, for example, you plant the wildflower seeds that turned up out of the blue). Cosmetic products and clothing can contain harsh chemicals that haven’t been approved in your (or any) country. Cheap electrical goods might do more than break quickly—they could cause fires and shocks. And do you want to risk being scalded with hot coffee because the new cupholder in your car falls apart just as you’re negotiating heavy traffic? There’s no end to what could go wrong if you put blind faith in products you know nothing about. Even the most avid wearers of rose-tinted glasses will have to admit it’s unlikely that you’ll get top-quality items for free.
If you love to grab online bargains, make sure to buy them yourself and only use reputable sites. Avira Safe Shopping can help. It’s a browser extension for Chrome, Opera, and Microsoft Edge and helps stop malicious and phishing websites—it can also help you find great (real!) deals on the items you’re shopping for.
Are you a victim of a brushing scam? Find out what to do next
What should you do with your ‘gift’? If you decide to keep it, be very careful when using or consuming it because the quality and origin are unknown. It’s generally safer to dispose of a mystery item—and don’t feel obliged to return it to the sender. This can be costly, and any return address included could be fake. And never call a telephone number if it’s provided! The scammer might use the opportunity to extract more information from you. Also, never pay for unsolicited merchandise. You don’t owe them a penny!
Once you’ve decided what to do with your goods, follow these steps:
- Notify the e-commerce platform, such as Amazon, eBay, or a third-party seller. File a fraud report and ask the company to check for and remove any reviews that may have been submitted in your name.
- Notify local authorities if the package contains anything illegal, harmful, or suspicious.
- Monitor your online and financial accounts for activity you don’t recognise.
- Report identity theft and scams to your relevant local authorities as this can help law enforcement fight these crimes. In the US, contact the FTC which also offers advice around avoiding, reporting, and recovering from these scams. In the UK, allegations of fraud and cybercrime should be reported to Action Fraud.
- Change passwords for your online accounts and set up two-factor or multi-factor authentication (MFA) wherever it’s available. Always remember to use unique and strong passwords for all your online accounts as these help keep your sensitive and personal data safer from others. (Tip: Avira Password Manager, available alone or as part of Avira Free Security, generates and stores complex passwords and comes with a smartphone authenticator so you can also generate secure codes for MFA.)
- Check if your personal information has been exposed in a data breach. (Tip: Avira Password Manager contains an alert feature that warns you if your passwords have been hacked or websites you’re registered with have suffered a data breach.)
How to report a brushing scam
Whatever your e–commerce platform, log into your account and submit a report there. You’ll usually find the link to the report form in the help and customer support section or the FAQs.
Here’s how to report a brushing scam on Amazon:
Any brushing scams that take place via Amazon should be reported directly to Amazon. They will investigate the case and if they agree that the seller is behaving dishonestly, may ban them from using the website. You won’t have to return the item. Follow these steps:
- Log in to your Amazon account and click on this (UK) link to report an unsolicited package.
- Tick the relevant boxes with information about the package, provide the tracking ID from the shipment label, and click “Submit report.”
- The next window will confirm that your submission has been received. Click “Return to shopping” if you’d like to close the window and proceed with your online shopping.
Please note that Amazon may require up to 10 days to investigate your case and take the action it considers appropriate. The Amazon support team should contact you via email or send a notification to your Amazon account with further information and any next steps. If your Amazon account has been hacked, take these steps to help secure and recover it.
Help ‘brush’ away online threats with Avira Free Security—and stay informed
Knowledge really is power! Staying informed about the latest scams can help protect you from becoming a victim. Read up on phishing attacks and how these can lead to identity theft. And remember that even the mightiest online platforms aren’t immune to scammers—here’s how to identify and avoid PayPal scams. Practising safe online habits is also essential. Don’t click on links or open attachments from people you don’t know.
Don’t stop there! Pair safe, savvy online behaviour with reputable online security technology. Avira Free Security combines multiple tools for online protection, privacy and performance—including a Password Manager, Software Updater, VPN, and more.