Brushing Scams: What are they?
Brushing scams occur when someone receives unordered packages in the mail from an online marketplace, such as Amazon. At first sight, this may seem harmless – what’s the problem with receiving a few free products?
Unsolicited packages may indicate you’ve been targeted in a brushing scam: an online e-commerce scam that can threaten your privacy and personal data.
How do they work?
One person’s scam is another’s marketing campaign. Brushing scams are basically used to boost sales of a product that is available online–specifically by increasing an item’s sale rank and making it possible to write reviews. Fake accounts are created using compromised data from breaches or harvested from phishing emails. Your name and address are used to create a fake shopper account. The scammer makes a purchase using their own funds, and it is delivered to your door. This verifies you as an official buyer, and grants access to the seller to write rave reviews of the product–in your name.
This may seem like an excessive approach to marketing–let alone that it’s solely aimed at racking up fake five-star reviews. But the merchandise gifted is usually cheap, lightweight, and low-cost to ship, making it a profitable scam for a seller in the long-run.
Fake reviews on your behalf are discomforting, but the stakes of being caught in this scam are higher.
If brushing scammers have access to your name and address, they may have access to more valuable personal data as well, including possibly your Social Security number, your bank account information or even your online passwords.
The bigger risk is that the scammer could breach your bank accounts, take over existing financial accounts, apply for loans or new credit cards, or create fake social media accounts subsequently deployed to ensnare your friends and family. Even if a brushing scammer does not use your data in the pursuit of other cybercrimes, you have to assume that your information is for sale on the dark web and that it can be used in a myriad of cyberattacks by other hackers.
What should you do about it?
If you’ve been targeted in a brushing scam, you’re legally allowed to keep the unsolicited merchandise (a win if the items happen to be useful to you: hair ties, cleaning products, and Bluetooth speakers are commonly reported items).
But take heed. Brushing is an alarm bell that your personal information may be in the possession of digital criminals. And take action.
- Change your passwords on commonly used accounts (even if they are not shopping related)
- Set up two-factor authentications.
- Monitor your banking and credit accounts.
- Report the scam to the third-party e-tailer and ask them to remove fake reviews in your name.
While brushing scams have been around for a while, they increased during the COVID-19 pandemic. Companies are more dependent on online sales, and at-home shoppers in lockdown have become more dependent on reading reviews.
Remember that it’s less the gifted products that should be of concern, but rather the data breach that got them there. Watch out for unordered packages with no return address, secure your accounts, and when making your next third-party purchase – think twice before trusting the reviews.