What are brushing scams?

I’ve written a lot about cybersecurity and how to avoid online threats. The threats could vary quite a bit, but they all had one thing in common: you would never want to fall victim to them. Brushing scams aren’t so clear-cut. Not that you necessarily want to be on the receiving end of a brushing scam, but the consequences of falling victim to a brushing scam are usually trivial or non-existent.

I used the word “usually” because, under certain circumstances, a brushing scam could lead to more serious harm, like identity theft – and we’ll discuss that in this post. Still, if you told me I had no choice but to fall victim to an online scam but that I could choose which scam, I would choose a brushing scam.

This post will explain why.

What are brushing scams?

You head out of your house one day and are surprised to find some Amazon boxes at your front door. You’re somewhat confused because you know you didn’t order anything. You tell yourself the delivery person has dropped the parcels off at the wrong address until you see that the parcels are indeed addressed to you at your current residence.

Now your mind starts racing – has your Amazon account been compromised? Has someone gained access to it and made purchases in your name? But, if they did, why would they send the goods to you rather than to themselves?

You access your account and head straight to the “My Orders” page, and everything is fine. There are no unknown purchases.

So you open the boxes and find an electric toothbrush in one box, a smart smoke detector in another, and an industrial flashlight. It’s as random as can be, and you’re understandably confused.

You don’t know it yet, but you’ve fallen victim to a brushing scam.

You’d be forgiven for not knowing what brushing scams are. Brushing is a somewhat new kind of online fraud. And it’s more of a way to manipulate Amazon’s and other online marketplaces’ algorithms in the brushing scammer’s favor.

Why did you get that poorly designed dog brush you never ordered?

Online marketplaces like Amazon are saturated with sellers peddling the same merchandise. These online stores reward sellers who garner higher sales and more positive reviews. Their products will rank higher in searches and are more likely to be recommended to users when browsing for similar items on the site.

And that is the crux of brushing scams. You received the unsolicited goods because the seller sent them to you.

Let’s unpack that a little.

Why would an online marketplace seller send you free goods?

Sellers will purchase their own goods and send them to random people for whom they have a name and address. This boosts their sales numbers, and the seller can write a glowing five-star review on the site, too. As for the money they spend on the goods, the overwhelming majority will go straight back into their pocket – they’re the seller.

When sellers do this enough times, it becomes self-fulfilling. Shoppers on the site come across this product with high sales numbers (many shopping sites even display a little blurb that states “X amount purchased in the last day!”) and thousands of positive reviews. Shoppers purchase it because it’s pretty compelling when compared to similar products that only have a few hundred ratings and lack a high number of five-star reviews.

If you ever purchased something that had thousands of five-star reviews from an online marketplace only to discover that it’s an undeniable piece of crap nobody would want to own, there’s a good chance those reviews are the result of brushing.

There are other auxiliary reasons sellers perpetrate brushing scams. If the product is of decent quality, it may convert you into a paying customer, and you may even write a positive review. But, overwhelmingly, the goal is to make the listing more appealing to buyers.

Should you be concerned if you’ve been “brushed?”

Brushing is technically fraud, but you (the receiver of unsolicited goods) are not the one being defrauded – the online marketplace is. While not the final word on the issue, odds are, the seller doesn’t want anything from you, nor did they try to hack your account. You received a dog brush, flashlight, or smart smoke detector simply because the seller needed an address to send their brushing merch to. They merely found or bought your name and address online and used it as part of their brushing scam.

You should still check your account’s status to ensure everything is OK. But in 99% of cases, the account is uncompromised.

The bad news

While getting a free toilet brush might make it appear to be a good day, it might not. The seller behind the brushing scam may have zero interest in compromising your accounts or stealing your identity, but the bottom line is that your name and address are circulating on the internet. Your information was used for brushing this time, but you might not be so “lucky” next time.

Also, given that your name and address are available online, what other pieces of PII are there? Maybe your financial information is there, too? How about your Social Security number or your medical data?

The fact that your information was used as part of a brushing scam should raise alarm bells that your information may not be as secure as you think.

What should you do if your information is used in a brushing scam?

Here are the steps you should follow if you suspect your information has been used in a brushing scam:

1. Contact the online marketplace

Both brushing and posting fake reviews go against the marketplace’s policies. You should notify the marketplace of the incident so it can track down the seller and take action against their account. All online marketplaces will have a link to their customer service departments.

2. Check your account for orders you didn’t place

Brushing scammers don’t usually hack your account to send you their goods. They pay for them; you’re simply getting a free ride. Still, if you receive unsolicited merchandise, checking your account to ensure nothing is amiss makes sense.

3. Change your account password

Even though it’s just a brushing scam, it does mean your information is out there. It won’t hurt to change your password on your critical accounts. A password manager usually helps make life easier.

4. Enable two-factor authentication

2FA will add an extra layer of security to your accounts. Even if you don’t fall victim to a brushing scam, you should enable 2FA on all your accounts that support it (most do today).

5. Sign up for an identity protection service

If you’re concerned about protecting your personal information online, you can sign up for an identity protection service like Incogni or Aura. These services automatically search for and remove your PII from the “regular” internet and the dark web.

What should you do with the unsolicited merchandise?

That one’s up to you. You can legally keep the loot if you like. In the United States, no laws state that you need to return unsolicited merchandise – it’s yours to keep.

Remember that brushing merch tends to be in the “low-grade” category; in other words, it’s cheap stuff you may end up wishing you had disposed of rather than kept. But the choice is all yours.

If the goods are food or cosmetics, I’d recommend throwing them out immediately. Do not consume unsolicited random food products you receive in the mail (it feels funny even to write that, but you never know).

General tips to keep you and your accounts safe online

Here are some more general tips to help you stay safe online:

  • Be conservative with your PII online. Don’t sign up for everything. Don’t hand out your details to every site you encounter. Only share your information with sites and services you trust.
  • Use a burner email for frivolous services. You can easily find email alias services that allow you to use burner addresses to sign up for online services. That makes your actual email much less likely to be compromised (and will limit spam, too).
  • Don’t open attachments in emails unless you know who the sender is and you’ve confirmed with that person that they really did send you that email. You should also ensure they know the email contains an attachment and know what the attachment is.
  • Don’t click links (URLs) in emails unless you can confirm who sent you the link and its destination. Contacting the sender through another channel (not email) might also be good to ensure the sender is not being impersonated. Also, check the link for incorrect spelling (faceboook instead of facebook or goggle instead of google). If you can reach the destination without using the link, do that instead.
  • Use a firewall. All major operating systems have built-in incoming firewalls, and all commercial routers on the market provide a built-in NAT firewall. Enable both. You’ll thank me if you click a malicious link.
  • Use an antivirus program – Only purchase genuine and well-reviewed antivirus software from legitimate vendors. Keep your antivirus updated and set it up to run frequent scans and real-time monitoring.
  • Keep your operating system updated – You want the latest OS updates. They contain the latest security patches that will fix any known vulnerabilities. Make sure you install them as soon as they’re available.
  • Never click on pop-ups. Ever. Pop-ups are just bad news—you never know where they will lead you.
  • Don’t give in to “warning fatigue” if your browser displays yet another warning about a website. Web browsers are becoming more secure every day, which tends to raise the number of security prompts they display. Still, you should take those warnings seriously. So, if your browser displays a security prompt about a URL you’re attempting to visit, pay attention to your browser’s warning and get your information elsewhere. That’s especially true if you click a link you received by email or SMS – it could send you to a malicious site. Do not disregard your computer’s warning prompts.

Wrap Up

So that was an overview of brushing scams. While they’re not innocuous, brushing scams can be considered a lesser evil than most. You’re getting free stuff, after all.

But, given that the merch is likely very low quality and that brushing scams may be the symptom of something bigger, you’re still better off avoiding them altogether. Hopefully, the tips in this post will help.

Stay safe.