Of the various forms of e-commerce fraud, one of the lesser-known yet prevalent kinds is the brushing scam. This scam appears harmless: recipients simply get a package they never ordered. However, behind every “free gift” is a manipulative operation abusing personal data and online trust.
Description:
The goal behind brushing scams is to generate fake “verified purchase” reviews of items that were sent to random individuals who didn’t order them. These unsolicited orders can come from various platforms like Amazon, eBay or Temu. The scammers use personal information such as names, addresses, and other publicly available information to send these packages. Once the shipment is shown as delivered, the scammers post glowing 5-star reviews using their victim’s name to lend credibility to the review and boost search rankings.
How It Works:
Threat actors begin this attack by obtaining legitimate consumer data through data breaches, leaks or data brokers. After capturing the information, they create fake buyer accounts that impersonate the victim and order their own products. The product can be a low-value item or an empty package, sent to the unsuspecting person to trigger a legitimate tracking event.
Once the delivery is complete, the scammer can leave positive “verified purchase” feedback under the victim’s name. This generates a feeling of trust that can deceive future buyers into buying low-quality or counterfeit goods.
In some variations, victims might find QR codes or links inside the package that offer to claim a reward or track the shipment. These point to phishing sites, credential-harvesting pages, or malware downloads, which extends the risk beyond fake reviews.
Why It’s Dangerous:
While they do not directly result in any loss for the victim, brushing scams indicate that personal data has been leaked or sold. The con validates an address and identity as active, which may encourage other, more targeted fraud afterward. The fake reviews also pollute legitimate e-commerce systems, eroding consumer trust and rewarding bad actors who profit through misleading marketing.
Common Signs:
• You receive merchandise that you did not order or pay for.
• The sender information is missing, obscure, or unfamiliar.
• The contents are cheap, random, or unrelated to any past purchase.
• A QR code or link inside entices you to scan a code or visit a website.
• Your name pops up in reviews online for products you never bought.
Countermeasures:
• Do not scan QR codes or click links included in suspicious packages.
• Report it to the platform it came from (Amazon, eBay, etc.) or to the U.S. Postal Inspection Service if it was shipped domestically.
• Check and lock down your online accounts: reset passwords, activate multifactor authentication, and check for recent orders or linked addresses.
• Watch your credit reports for unusual activity and consider setting alerts or freezes if you suspect identity misuse.
• Dispose of the package safely or keep it as evidence, but never pay return shipping for unsolicited goods; you don’t have to.
Awareness and Prevention
Unfortunately, these scams take advantage of the lack of identity verification on online marketplaces. Retailers need to strengthen account verification and review moderation so that trust in e-commerce systems is preserved. The scammers obtain the information from publicly available sources, so securing your digital footprint, which contains information such as your address, name and other identifying details, can help prevent them from sending these unsolicited packages to your home. Additionally, knowing that unsolicited packages are usually signs of data misuse, not gifts, is at the top of the list for self-protection.
Remember that if you get packages that you never ordered, outside of junk mail, it is a sign that your personal data might be exposed and being used online.

