
What are brushing scams and how do I stay safe?

By Team-CWD, December 24, 2025 (5 min read)


Have you ever received a package you never ordered? It could be a warning sign that your data has been compromised, with more fraud to follow.

Global e-commerce sales are predicted to exceed $6.4 trillion in 2025. And a large share of these will come via marketplaces. But while they ostensibly offer convenience and safety for consumers and expanded reach for businesses, there is a darker side to the industry. In 2024, Amazon alone proactively blocked over 275 million suspected fake reviews, and took “enforcement actions” against thousands of individuals.

This underground industry has grown to the point where everyday consumers might find themselves unwittingly conscripted into the creation of fake reviews. The bottom line is this: if an item turns up at your door that you have no memory of ordering, don’t ignore it. Read on to find out what it could mean.

What’s a brushing scam?

Brushing scams are a type of e-commerce fraud where a seller sends a package to an apparently random person’s address. The item is usually of low value and is not intended as a show of altruism. Rather, it’s an attempt by the seller to fraudulently inflate the product’s rating on e-commerce marketplaces.

It works like this:

  1. A scammer gets hold of a list of names and mailing addresses — typically listed on cybercrime forums after data breaches, or via people search sites. They may even scrape this info from publicly available sources.
  2. The fraudster creates a fake buyer account on an e-commerce platform or marketplace where they sell their products.
  3. The fraudster uses the account to “buy” their product on that platform and ships the product to the victim’s address.
  4. The scammer uses the fake account to post a 5-star review, boosting (or “brushing up”) the item’s reputation and visibility.

The first the victim usually hears about the scam is when they receive the unsolicited parcel.

[Image: brushing scam example. Source: Reddit]

What could it mean?

Why would anyone mind receiving free goods through the post, even if they are cheap and lightweight? It’s not as harmless a scam as it seems. For one thing, the fact that you’re being targeted in a brushing scheme at all could mean that your personal data is being shared on the cybercrime underground. For another, the scammers might be testing whether your details are correct in order to move on to a second stage, which involves more serious identity fraud.

There are also more malign versions of the scheme where a QR code is included inside the package you receive. Scanning it will most likely take you to a malicious/phishing site designed to install malware or trick you into sharing more personal information.

Finally, there’s an indirect cost related to such scams. They slowly and insidiously erode the trust consumers place in marketplace/e-commerce review systems.

How do I know if I’ve been victimized?

It shouldn’t take too much effort to work out if you’ve been singled out by brushing scammers. If you receive a low-value, poor quality item in the post that you have no memory of purchasing, this should be an immediate red flag. A vague or missing return address, and a possible QR code inside the package, are also warning signs.

To double check, review your emails and any accounts you have with e-commerce/online marketplace platforms, to look for recently purchased goods. It’s worth also checking your bank accounts and credit reports for suspicious activity, as the scammers may have already moved on to the next stage of the scheme.

What should I do if I receive a package?

If you receive something in the post that you can’t remember ordering, minimize risk by taking the following steps.

  • Double check it’s not a gift by asking your household/friends/family if they’ve ordered anything in your name recently.
  • Don’t scan any QR codes that may be dispatched inside the parcel
  • Check no money has left your bank account and/or new credit lines haven’t been opened in your name
  • Ensure you have multi-factor authentication (MFA) set up on your online banking/credit card accounts
  • Enable MFA on all online shopping and email accounts
  • Report the fraud to the relevant marketplace (e.g., Amazon). Most should have a dedicated place to report brushing fraud
  • Don’t bother trying to return the item to sender. It’s yours to keep, if you want to

How do I stay safe from brushing scams?

There are also steps you can take to stop brushing scams from even targeting you. It all goes back to what personal data of yours is available to the fraudsters.

Granted, there’s not much you can do if an organization you do business with gets breached, spilling your details. But there are identity protection services you can use which scan the dark web for potentially compromised information. Some of them are available as part of a general home security package. If you find that any accounts have been compromised, change your passwords immediately. It’s also worth putting a credit freeze in place to block any attempts to use your name in order to run up debt on new cards.

As scammers also harvest data from the public web, it’s important to get into good privacy habits. That means minimizing what you share on social media, locking your accounts down so only friends can view your posts, and removing any personal details like home addresses, birthdates and phone numbers.

Finally, reduce the likelihood of scammers getting your details from data brokers by opting out on “people finder” sites like BeenVerified, Spokeo, and TruthFinder. It will require a bit of work, and you will likely need to revisit these sites every few months to repeat the process, but it is worth the extra effort.

Brushing scams are just one of many ways fraudsters weaponize your personal information against you. Unfortunately, mitigating this risk is not a case of “one and done”. You’ll need to maintain continuous vigilance over your digital world. Ultimately, it’s the price we pay for access to the services we love.


