What is a brushing scam and what to do about it

Getting an unexpected delivery is not always a pleasant surprise. In some cases, it means you’ve been targeted in a brushing scam so that some online seller can use your name to get a positive yet fake review.
Unfortunately, this type of scam is a common tactic used by disreputable retailers to exploit people’s identities and inflate their own marketplace ratings. They do so by mailing unsolicited packages to random addresses and posting fake reviews on behalf of these recipients, as if these reviews were legitimate.
If you ever find yourself getting an unexpected package and suspecting a brushing scheme, or want to avoid falling victim to one, here’s a guide to understanding brushing scams and protecting yourself effectively.
What is a brushing scam?
Brushing is an increasingly common type of cyber retail scam that involves an unsolicited package delivery in someone’s name with the purpose of leaving a fake review on an online marketplace for this “verified” purchase. Even though such unsolicited deliveries are generally harmless, they might still reveal a deeper problem of exposed personal data or unauthorized access to it for the scammers’ gain.
Why is it called brushing? The term comes from the translation of a Chinese slang phrase known in e-commerce fraud, describing “brushing” or “sweeping up” fake online orders. This practice originated on Chinese online marketplaces, where retailers would create numerous fake orders, sometimes using real shipping labels, to boost their rankings and visibility. While on paper this might appear to be a booming business, in reality it’s simply a manipulation to “brush up” the retailer’s credibility and search positioning.
How does a brushing scam work?
You didn’t request or order anything and yet it landed on your doorstep. So how does a brushing scam work exactly?
First, scammers obtain people’s full names and home addresses wherever they can: via data brokers, data breaches, public records, the dark web, phishing scams, or simply by googling.
Then, scammers set up fake buyer profiles using this information and place fake orders in real people’s names. This allows them to send unsolicited packages to these addresses without the recipients’ knowledge or consent. It doesn’t matter what’s in the box as long as the online marketplace qualifies it as a purchase. That’s why fraudulent retailers send low-price items like rubber bands, pieces of plastic, or even empty boxes.
Finally, once the item is delivered, bad actors can go on and leave a glowing 5-star review to boost the product’s reputation and inflate the seller’s ratings. This way, fake reviews created using illegitimately obtained personal data pave the way for more purchases from real buyers who are unaware of the underlying fraud.
Why do scammers send packages you didn’t order?
Scammers can send packages that were never ordered because they exploit a loophole in the online marketplace system: they can still imitate “verified” reviews using fake buyer profiles built on real names and addresses.
While purchase verification was initially introduced to prevent fake reviews and make it impossible to inflate a store’s performance, it turns out that just having someone’s name and home address is enough to pull off the scheme.
These brushing scams run rampant on numerous marketplaces, including Amazon, Alibaba, eBay, and Etsy. Online marketplaces don’t intentionally endorse brushing, but loopholes still exist:
- Verified purchases equal tracked deliveries, so scammers can imitate real purchases by sending rubbish with a legit tracking number.
- There’s often no identity verification for buyers.
- There’s minimal oversight for new seller accounts.
- Fraud detection is slow and cumbersome, leaving scammers enough time to profit from their activities.
While online marketplaces do what they can to spot and prevent fake buyer profiles and fake reviews, these schemes are still possible, leaving unaware consumers at risk of having their identity exploited for fraudulent purposes.
Are brushing scams dangerous?
Brushing scams are said to be victimless, but their biggest danger is that scammers obtain your personal information without your consent and impersonate you for their financial gain.
These are common risks of being targeted in a brushing scam:
- Personal data leak: Fraudsters have access to your personal information, be it on a dark web marketplace, data broker site, or sourced through a phishing attack. Knowing this, it’s wise to take extra steps to check if your data is online and protect it from further exploitation.
- Potential targeting in other scams: If scammers know your name and address, they may target you in other exploits, like phishing, account takeover, or further personal data misuse, unless you remove all publicly available information about you and exercise extra caution to spot cyberthreats.
- Fake reviews encourage real purchases: Without your active participation or knowledge, your name might come up in fake reviews, prompting real purchases from fraudulent sellers and helping them generate profit. This may damage your online reputation and result in your genuine buyer profiles being banned from associated marketplaces.
Adding insult to injury, there’s often a phishing scam layered on top of the brushing one. In some cases, unsolicited packages contain promotional QR codes inviting recipients to scan them to find out who sent the package. In reality, these QR codes take users to fraudulent websites designed to collect more personal details or install malware on user devices.
What to do if you receive a package you didn’t order
What to do if you are a victim of brushing? Here is your checklist of the steps you should take to handle the package safely and protect your personal information:
- Check your active marketplace accounts and payment cards for unauthorized transactions. This step is necessary to ensure your financial information and user accounts were not compromised.
- Don’t pay for the package. You’re not obligated to pay for unsolicited deliveries.
- Return the package if possible. If you haven’t yet opened the parcel and there’s a return address, mark the package as “return to sender”—some national postal service providers, such as USPS, can do this at no charge to you.
- Don’t consume the contents. By law, you can keep unsolicited merchandise sent to you. But be careful: the package can still hide dangerous or suspicious items, including counterfeits, spoiled food, illegal pharmaceuticals, or tampered goods. If it’s safe to do so, you can simply throw out the item. But if it’s suspicious, organic (like seeds or food), of unknown origin, or potentially risky, inform specialized authorities, such as the United States Postal Inspection Service.
- Check for reviews posted in your name. Search popular marketplaces for fake reviews in your name and report them if found.
- Check your personal data security. The key thing to understand here is that your personal data has already been misused and may still be circulating, available to other scammers. Subscribe to a dark web monitoring tool that comes with identity protection services to get notified about unauthorized disclosure of your personal data.
- Remove your personal records from the internet. Use Onerep to remove your personal information from 200+ websites, including data brokers selling data to third parties.
- Report the scam to the marketplace. Report your fake buyer profile and review(s) to the respective online platform and ask that they be removed. Many online marketplaces, such as Amazon, have strict policies prohibiting any kind of manipulation of customer reviews and will take action to remove the fraudulent seller’s account and associated listings and reviews.
- Report the scam to the Federal Trade Commission. If you have enough details about the scam, report it to the FTC. Brushing is illegal under the Federal Trade Commission Act and reporting it may result in legal action against the scammers.
Real-life examples of Amazon brushing scams and more
As one of the world’s top online marketplaces, with 3 billion shoppers visiting monthly, Amazon has been notoriously popular with brushers.
People report receiving unsolicited deliveries from Amazon containing wireless headphones, hair ties, flashlights and empty jewelry pouches, among other items.
Amazon claims to have “zero tolerance” for fake reviews and bans any accounts associated with the forging and manipulation of buyer reviews. The digital commerce giant also has a history of filing lawsuits against fake review brokers. Amazon’s brushing reporting policy has more information. If you received a package and suspect brushing, you can report the unwanted package to Amazon.
There are cases where it’s difficult to identify the marketplace the package came from, as there’s often no indication of the seller or the return address. In other instances of suspected brushing scams, people have reported receiving all sorts of mail, including Ethernet switches, PlayStation video games, cheap jewellery, rocks, and even a bag of dirt from Slovakia sent as a scented candle. And of course, there are mystery seeds from China that made quite a few headlines in 2020 and involved an investigation by the U.S. Department of Agriculture.
How to protect yourself from brushing scams
To avoid being targeted in a brushing scam, start with essential digital security hygiene—checking what personally identifiable information (PII) is available about you online and where, and making sure to remove it.
Other best practices to secure your digital profiles and minimize your chances of becoming a scam target include:
- Securing your profiles on online marketplaces (if any) with two-factor authentication and strong unique passwords.
- Regularly reviewing your order history on Amazon and other marketplaces where you’re registered.
- Setting up dark web alerts to get timely notifications about your PII being posted on the dark web.
- Learning to spot key signs of online scams and never interacting with scammers if targeted.
Remember that keeping your digital footprint to a minimum is important to secure your identity, on and off the internet. Unauthorized access to your home address may seem like a minor threat, but coupled with your other personal details, it can pose a bigger risk to your privacy and financial security going forward.
FAQs
What if I received a package with my name on it that I didn’t order?
If there’s no order on your marketplace account and you’re sure it’s not a gift from someone you know, it’s most likely a brushing scam, a scheme where a scammer sends you an unsolicited item to leave a fake review on the marketplace in your name.
Can scammers steal my identity with my name and address?
Not entirely, but they can use this information to target you further and try to obtain more sensitive details like your Social Security Number or credit card data. That additional information could allow them to commit identity theft.
Is it safe to keep unsolicited packages?
It’s highly recommended to report any unsolicited mail to your postal service provider and the marketplace in question, as suspicious packages may contain hazardous or tampered items.
Why is it called brushing?
The term “brushing” comes from a Chinese phrase meaning to “brush up” or “sweep up” online orders to artificially inflate an online seller’s reputation.
Dimitri is a tech entrepreneur and founder of Onerep, the first fully automated data removal service. Top cybersecurity CEO of 2021 by The Software Report.