What Is a Brushing Scam? Why You Receive Strange Packages

Share this:

Gaetano DiNardi

Head of Content at Aura

In this article:

    Identity theft and fraud protection for your finances, personal info, and devices.

    See pricing
    Share this:

    A Mystery Amazon Package Just Arrived. What Do You Do?

    Unfortunately, unordered merchandise on your doorstep isn’t a random act of kindness. Instead, you might be the unsuspecting pawn in a brushing scam.

    E-commerce businesses — especially Amazon sellers — depend on positive reviews and sales numbers to build their reputation. Brushing scams, where they ship you a random item is one of the ways they’ve learned to game the system. 

    But what’s the problem? You get a free item and the store gets a “sale”. 

    Brushing scams themselves aren’t overly dangerous. But they’re a warning sign of identity theft. So what should you do to protect yourself if you think you’re the victim of a brushing scam? 

    What Is a Brushing Scam? And Is It Serious?

    A brushing scam is a technique used by unethical e-commerce businesses to generate fake orders and boost their seller rating.

    Third-party sellers on Amazon and eBay send you mystery parcels without a return address. These boxes contain inexpensive items like headphones, screen protectors, candles, or bluetooth speakers.

    Then, they use these "verified" sales to write fake reviews (in your name) and boost their store's reputation.

    Early reports of brushing schemes first appeared with “mystery seeds” arriving from China in 2015. Since then, the phenomenon has become more common in the United States and Canada with thousands of people a year receiving packages they didn’t order.

    Compared to other  fraud, brushing might not seem dangerous. But not only do they make online reviews less trustworthy, they also show how easily hackers can steal your personal information.

    How Do Brushing Scams Work?

    1. A seller creates a fake account using your name and address.
    2. Brushing scam vendors then use this account to purchase their own product and send it to your address.
    3. Once the package is delivered, the scammer uses the fake account to post a glowing five-star review. 
    4. The review will be labeled as a "verified buyer" because the actual purchase is legitimate and under a real name (i.e., your name).
    5. Sellers can repeat this process with hundreds and thousands of fake accounts, using fake reviews to drive real purchases.

    Why Would a Business Send You Their Products for Free?

    Sites like Amazon rate and rank sellers according to the feedback and ratings received from previous customers. More positive reviews wield powerful influence over people’s purchasing decisions online. 

    Amazon sellers aren’t allowed to send packages without a valid order. They’ll be penalized and potentially removed from the platform if they participate in a scheme to gain fake reviews. 

    If a company is struggling for social proof, it can use a brushing scam to falsify sales and give itself fraudulent positive ratings. 

    How Do Brushing Scammers Steal Your Name and Address?

    The real danger of a brushing scam isn’t in receiving a product you didn’t order. It’s knowing that your private information was easily found online.

    So how do scammers get access to your private information? Here are a few ways that brushing scammers get your data:

    • They find you on a public database. Your information may be available in the Whitepages or on social media. Even doing a simple Google search for your name could come up with your home address and other sensitive information.
    • Your personal data was stolen in a breach. Due to the number of data breaches in recent years, there’s a good chance your personal information is available on the Dark Web
    • They shoulder surf your sensitive information. While less likely, scammers can use a technique known as shoulder surfing to watch you enter your sensitive information in public. 

    In the end, it doesn’t matter where scammers found your information. What matters is that it was available to them. Because if they have your name and address, then they most likely can also find more sensitive data such as your Social Security number, passwords, banking information, and medical data (which could lead to medical identity theft).

    Be especially careful with your SSN as it's not always possible to change your Social Security number – even after identity theft.

    If you want to see what hackers can find out about you, try Aura’s Identity Guard Dark Web Scanner.

    Aura Identity Guard Dark Web Scanner

    4 Ways Brushing Scams Cost You Money

    Brushing scams aren’t a victimless crime. While you might enjoy the idea of receiving free Amazon packages, these scams ultimately put you at risk.  

    Here are four reasons why you should care about brushing scams:

    1. It shows that hackers have already stolen your personal information

    If you’re part of a brushing scam, it means a bad actor knows your name and address. They could also have access to sensitive data such as your account passwords and banking information. 

    Criminals can exploit this information in many ways, from opening a credit card account in your name to changing your mailing address and intercepting important documents. 

    If you start receiving strange packages – or any other strange mail – you might be the victim of identity theft

    2. Scammers make more money (and keep on scamming)

    These insincere sellers often send their targets low-cost, lightweight products that don’t cost much to ship. However, the scammers can make a hefty profit when orders start pouring in. 

    According to the Better Business Bureau (BBB), a large-scale brushing scam can boost sales numbers since unsuspecting consumers are more likely to trust “verified” reviews. Plus, online marketplaces usually give more exposure to products with higher sales. 

    The padded social proof can even work as a search engine optimization (SEO) cheat. Suddenly, these shady businesses show up higher on Google than legitimate companies. 

    The more a scam works, the more scammers will keep using it.

    3. You end up paying more for poor quality merchandise

    Amazon is notorious for repeatedly changing prices in response to demand and other variables. Therefore, consumers may end up paying extra for a fraudulent product due to the fake demand that brushing scams create.

    4. Fake reviews make online shopping more risky

    Customers are nearly three times more likely to favor a product if it has a rating between 4.2 and 4.7. 

    For this reason, Amazon has cracked down hard on brushing scams and fake review schemes. The company says they analyze roughly 10 million reviews every week to identify fake ones. 

    But the dangers of online shopping keep increasing – especially as the COVID-19 pandemic boosts online shopping. As scammers flood Amazon and other sites with fake customer reviews, it makes it harder to find products that are good value. 

    Victim of a Brushing Scam? Follow These Steps ASAP

    1. Contact Amazon. An Amazon customer support representative can tell you whether your real account has been compromised. Amazon will also cancel the fake account. The same goes for other marketplaces like eBay. 
    2. Change your passwords. The scammers may have access to your other online accounts. Change the passwords on your email, banking, and other accounts that contain sensitive information. Choose a secure password that combines letters, numbers, symbols, and uncommon phrases.
    3. Set up a password manager. This stores all your passwords securely so you don’t have to worry about forgetting them. 
    Aura password manager
    [Source: Aura Password Manager]
    1. Add Two-Factor Authentication (2FA) to your account – but not SMS. 2FA is an additional security measure where sites send you a special code to enter along with your username and password. But don’t use SMS as it can be compromised if your phone is stolen. Instead, try an authenticator app like Google or Okta. 
    2. Check your bank accounts and credit cards for fraud. Log in to your accounts and look for suspicious withdrawals or charges. If you find any transactions that you can't explain, contact your bank or credit card provider and then go through the steps of the fraud victim's checklist. You can also check your credit reports for free using AnnualCreditReport.com.
    3. Set up credit monitoring and fraud alerts. If a hacker has access to your financial information, they could commit all different types of financial fraud. A credit monitoring service will automatically flag suspicious activity so you can shut down scammers before they do too much harm. 
    Aura fraud and credit monitoring
    [Source: Aura Credit Monitoring and Fraud Alerts]
    1. Check for data breaches on the Dark Web. Use Aura’s free Dark Web Scanner to see if your information has been stolen and is available to hackers. If you see any familiar accounts, change those passwords immediately. 
    2. Report the incident. In the case a brushing scam leads to any type of identity theft, file a complaint on ftc.gov. If you have reason to believe your Social Security number, passport, or other personal identification details have been compromised, contact law enforcement immediately. 

    Sometimes, scammers are persistent and will continue to send packages to your address. In that case, get in touch with your local post office and ask them to stop the deliveries while you formulate a more permanent solution. 

    The $1 Million Question: Can You Keep the Items?

    The short answer is yes. 

    The FTC (Federal Trade Commission) says you’re allowed to keep unordered packages that are addressed to you. According to the FTC, the seller can’t charge you for the items. 

    However, remember that honest online sellers make genuine mistakes. If there’s a return address on the package and you haven’t received unsolicited packages before, consider sending it back. 

    Brushing Scams Are a Warning Sign of Identity Theft

    A brushing scam may seem harmless at first. But if you’re involved in one, your personal information could be a risk. 

    If you have no idea what to do if your identity is stolen, consider signing up for Aura.

    With Aura, you get identity theft and fraud protection that covers all your devices. And if the worst happens, you have access to 24/7 support and a $1 million insurance policy for eligible losses due to identity theft. 

    Ready for ironclad identity theft protection? Try Aura 14-Days Free!

    Related Articles

    how to protect your privacy online
    Internet Security

    How to Protect Your Privacy Online (With 10 Examples)

    More of your personal information is available online than you think. Here’s how to regain control of your online privacy.

    Read More
    April 22, 2022
    Illustration of man looking at a dating profile on his phone

    The Unexpected Dangers of Online Dating [11 Scams To Know]

    Millions of people have found love through online dating. But millions more have been the victims of scammers. Here’s how to stay safe while dating online.

    Read More
    April 19, 2022

    Try Aura—14 Days Free

    Start your free trial today**

    This is some text inside of a div block.

    Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.

    1. Financial identity theft and fraud
    2. Medical identity theft
    3. Child identity theft
    4. Elder fraud and estate identity theft
    5. “Friendly” or familial identity theft
    6. Employment identity theft
    7. Criminal identity theft
    8. Tax identity theft
    9. Unemployment and government benefits identity theft
    10. Synthetic identity theft
    11. Identity cloning
    12. Account takeovers (social media, email, etc.)
    13. Social Security number identity theft
    14. Biometric ID theft
    15. Crypto account takeovers