What is the 'brushing' scam and how can you protect yourself?

Getting an unsolicited package might seem like a nice problem to have, but it could be a 'brushing' scam. (Getty Images)

If you've ever received a package you didn't order from a shopping platform, and nobody owns up to having sent it, you might have been caught up in a 'brushing' scam.

While receiving parcels you haven’t paid for might seem like a nice problem to have, it could be you've experienced the latest scam technique.

According to Which?, this type of fraud involves third-party sellers on online shopping platforms setting up accounts in a stranger’s name, then sending their products to an unsuspecting recipient.


They then use the account they’ve set up to write fake 'verified' reviews in a bid to improve their seller ratings.

But if you've received an unsolicited package, it could also mean that your data may have been compromised.

The campaign group first alerted consumers to the practice in 2018, but have recently reiterated their warnings on social media.


So why do you receive an unsolicited package?

According to David Emm, principal security researcher at Kaspersky, 'brushing' is often referred to as marketing fraud, rather than a scam aimed at the person receiving the unsolicited goods.

"The purpose for the perpetrator, a seller on Amazon, for example, is to boost their ratings by creating ‘fake’ reviews of their products. I say ‘fake’ because the reviews are real, but they’re created by the seller," he explains. 

Here’s how it works. The seller sets up a series of fake accounts. They also create a list of names, addresses and phone numbers of real people – these could be from a leak of data resulting from a hacked provider, from the electoral roll, or from the phone directory, etc. 

The seller orders (their own) goods from the fake accounts they have set up and then ships the goods to people at their address list. 

Finally, they write product reviews from their fake accounts (i.e. the accounts used to pay for the goods) in an effort to boost their ratings.


People are receiving unsolicited packages in the post. (Getty Images)

What to do if you find yourself a victim of 'brushing'

Though the person receiving the unordered package isn’t a victim of cybercrime as such (they’re simply being used as cover for a marketing fraud), Raj Samani, chief scientist and McAfee Total Protection adviser, recommends that anyone receiving unsolicited goods report it to Amazon (or whichever marketplace the seller uses).

"If you do believe you’ve fallen victim to a brushing scam, we’d advise reporting this directly to the online marketplace to ensure that any reviews published for the product are investigated – this will go a long way in ensuring others don’t unknowingly buy a fraudulent product," he explains.  

Additionally, since it might not be clear at the outset whether your account has been compromised, Emm suggests changing your password and setting up two-factor authentication (more about that later), if you haven’t already enabled it.

A spokesperson from Amazon told Yahoo UK: "Third party sellers are prohibited from sending unsolicited packages to customers and we take action on those who violate our policies, including withholding payments, suspending or removing selling privileges, or working with law enforcement."

If it's a marketing fraud, what's the risk?

When it previously investigated 'brushing', Which? found that in some cases, the people affected had been victims of data breaches elsewhere, meaning at least some of their personal data was available in unexpected places.

"While it does not mean your account has been hacked, it can certainly fuel worry," explains Raj Samani.

"Though there is little evidence to prove that a brushing scam involves hacking an online account, these scams do serve as a reminder of the possible repercussions sharing too much information online can have," Samani continues. 

"Particularly when every day, people leave streams of information about themselves online without considering the risks that their digital footprint can bring."


The dangers of 'brushing' and other online scams

According to Carl Wearn, head of e-crime at cybersecurity specialist Mimecast, these sorts of scams are usually a sign of a previously compromised account that has allowed personal data to fall into the hands of cybercriminals.

"It is likely that this would have happened as a result of a data breach, with the leaked information then being sold on the dark web to be used in scams such as this one," he explains.

Brushing scams may seem harmless, but Wearn says the exposed data could be used for less 'victimless' fraud such as credential stuffing, which would have more serious ramifications.

Credential stuffing occurs when a cybercriminal uses stolen usernames and passwords from one organisation (obtained in a breach or purchased from the dark web) to access user accounts at another.

It often occurs because many consumers tend to use the same password for several different accounts.

The best way to protect against credential stuffing attacks is to use unique passwords for each of your digital accounts, ideally by using a password manager. 
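The distinctive shape of credential stuffing described above (one source replaying a leaked list against many different accounts, most of which fail) is what a site operator looks for in login logs. The following is an added example, not code from the article or from any of the companies quoted; every log line in it is constructed sample data, and the thresholds are assumptions:

```python
"""Flag credential-stuffing patterns in web login logs (added example, not from
the article). A leaked user/password list replayed against another site shows
up as one source address trying many different accounts, most failing; all log
lines below are constructed sample data."""
from collections import defaultdict

# Constructed sample log: timestamp, source IP, username, outcome
SAMPLE_LOG = """\
2021-06-21T10:00:01 203.0.113.5 alice@example.com FAIL
2021-06-21T10:00:02 203.0.113.5 bob@example.com FAIL
2021-06-21T10:00:02 203.0.113.5 carol@example.com OK
2021-06-21T10:00:03 203.0.113.5 dave@example.com FAIL
2021-06-21T10:00:03 203.0.113.5 erin@example.com FAIL
2021-06-21T10:00:04 203.0.113.5 frank@example.com FAIL
2021-06-21T10:00:09 198.51.100.7 alice@example.com FAIL
2021-06-21T10:00:15 198.51.100.7 alice@example.com FAIL
2021-06-21T10:00:20 198.51.100.7 alice@example.com OK
2021-06-21T10:01:00 192.0.2.9 grace@example.com OK
"""

def parse_log(text):
    """Yield (ip, user, success) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, ip, user, outcome = parts
        yield ip, user, outcome == "OK"

def find_stuffing_sources(text, min_users=5, max_success_rate=0.5):
    """Return {ip: (distinct_users, attempts, successes)} for sources that
    tried at least min_users different accounts with a low success rate.
    A user retrying one account (198.51.100.7 above) is not flagged."""
    stats = defaultdict(lambda: [set(), 0, 0])
    for ip, user, ok in parse_log(text):
        entry = stats[ip]
        entry[0].add(user)
        entry[1] += 1
        entry[2] += int(ok)
    return {ip: (len(u), n, s) for ip, (u, n, s) in stats.items()
            if len(u) >= min_users and s / n <= max_success_rate}

def compromised_accounts(text, flagged):
    """Accounts a flagged source logged into: the password-reuse victims
    to force a reset and two-factor enrolment on."""
    return sorted(user for ip, user, ok in parse_log(text) if ok and ip in flagged)

if __name__ == "__main__":
    hits = find_stuffing_sources(SAMPLE_LOG)
    print(hits, compromised_accounts(SAMPLE_LOG, hits))
```

The one successful login from the flagged source is exactly the account whose owner reused a password leaked elsewhere, which is why the remedy is a unique password per site rather than a stronger version of the same one.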

You can also turn on two-factor authentication when it is available. 

Two-factor authentication is an extra layer of security used to make sure that people trying to gain access to an online account are who they say they are. 

Once set up, as well as a username and a password, customers will also be required to provide another piece of information to prove their identity. 

This second factor could come in the form of a personal identification number (PIN), an answer to a 'secret question' or something you have in your possession - for example, a credit card. 

Wearn says people should also be aware of phishing attacks. 

"A phishing attack involves a cybercriminal sending fraudulent communications that appear to come from a reputable source and deploy a plausible premise to gain credentials or personally identifiable information (PII) from individuals," he explains.

Though it can be conducted via text message, social media or by phone, the term phishing is mainly used to describe attacks that arrive by email.

"Consumers should be wary that these attacks are on the rise and ensure that they are not clicking on suspicious links within emails," Wearn continues. 

"Mimecast’s recent State of Email Security report found that phishing attacks rose 63% in the last 12 months, so it is more important than ever that people are prepared."


'Brushing' scams are a reminder to stay safe online. (Getty Images)


How to protect yourself online

McAfee have put together some further tips and advice for how to protect your information online. 

Don’t overshare on social media.

Oversharing online can paint a picture of us very quickly. "Keep sensitive data such as your date of birth, address, job, or names of family members private," says Samani. "Also, rethink whether you really want your relationship status made public."

Protect your identity

Protect your identity and important personal and financial details using an identity theft protection package. This should also offer recovery tools should your identity be compromised.

Set up unique logins for each app you are using

While it might seem like a pain, setting up a different password for each app or account you use is a great way to protect yourself and your data online. "If you no longer use a social media account, delete your information and deactivate your account," Samani adds. 

Safeguard your devices

Before you connect a new IoT (Internet of Things) device to your network, be sure to change the default username and password to something strong and unique. 

"Hackers often know the default settings of various IoT devices and share them online for others to expose," Samani explains. "Turn off other manufacturer settings that don’t benefit you, like remote access, which could be used by cybercriminals to access your system."
