Overview

In brushing scams, a company or individual will purchase their own items from online retailers and have them sent to people whose addresses they’ve obtained, often illegally, aiming to pose as “verified buyers.” If you’ve been subject to a brushing scam, check your accounts for suspicious activity and change your passwords immediately. 

Have you ever received a package you weren’t expecting? It may have been missing a return address or simply listed a large retailer like Amazon. And inside was an item you didn’t order.

If this odd situation has a familiar ring, you were likely the target of a brushing scam.

Scoring free merchandise hardly sounds like a bad thing, but falling victim to a brushing scam means your address, and often your name, is already in the hands of bad actors. They may have even more of your personal details—ones that put you at a heightened risk for identity theft.

Earlier this year, the Better Business Bureau and the United States Postal Inspection Service both issued warnings about this illegal scam. In the worst cases, these mystery packages come with a fake QR code that links to phishing websites designed to steal your personal information, or even malware that can infect your devices.

Suspect you've been targeted? Here's what you should do.    

How brushing scams work 

Brushing scams are commonly run by third-party sellers based in foreign countries. These crooked companies purchase their own merchandise, often from a large online retailer like Amazon or eBay, and have it sent to a person whose address they’ve obtained.

In doing so, they create a fake customer who has “verified buyer” status on the retailer’s website. The scammers can then leave a phony review praising their product.

Brushing scammers may operate on a very large scale, creating thousands of fraudulent customer accounts so they can deceive shoppers with just as many fake reviews. Some brushing scam targets are flooded with packages of unwanted items.

How is this scam profitable? Often, the goods are lightweight and cheap to ship, like face masks or outlet covers. But even when sending items such as humidifiers and Bluetooth speakers, the scammers know that higher sales numbers and better ratings will lead to more real purchases.

Are brushing scams dangerous?

Brushing scams themselves don’t generally put victims in danger, but being subjected to one is a good indicator that at least some of your personal details have been compromised and shared online without your knowledge.

The scammers likely accessed a list of personal information that was exposed through hacking, phishing, data breaches, or other methods. That data may include more sensitive details as well, like Social Security numbers, credit card or bank account numbers, or account passwords.

When bad actors have access to this kind of personal information, it puts you at greater risk for identity theft, giving identity thieves the ability to open new accounts in your name, take over existing accounts, commit insurance fraud, file fraudulent tax returns, and carry out other damaging crimes. 

QR codes and brushing scams

While the primary goal of a brushing scam is to generate fake reviews, some scammers may take it a step further by including QR codes in their unsolicited packages.

These aren't harmless additions; they're another deceptive tactic designed to compromise your security. Scanning a malicious QR code can expose you to phishing attempts or even malware infections, making an already unsettling situation even more dangerous.

Before you scan a QR code on a package, consider these safety tips:  

  • Read the link. When you hover your camera over a QR code, a URL will likely appear. Make sure it looks like it’s for the business or organization you expected, and check for typos or misspellings. Be extra wary of shortened URLs, which cybercriminals tend to use. 

  • Look for tampering. Before you scan a code posted in a public place, carefully examine it. Could it be a sticker covering a real code or other information? Legitimate businesses often laminate signage that contains QR codes or place them behind glass.  

  • Check the source. If you receive an out-of-the-blue communication from a trusted company encouraging you to follow a QR code to make a payment or enter personal information, reach out to the company directly before taking action (be sure to check the company's official website for the correct contact information). The same goes if you get an unexpected QR code from a friend, as they could have been hacked.  

What to do if you receive unsolicited merchandise

The Federal Trade Commission (FTC) says that you never have to pay for unsolicited merchandise, even if the sender reaches out to you.

You also don’t need to return unordered merchandise. If you don’t want the item, you can donate it or throw it away.

Next, secure your identity moving forward.  

  • Notify the retailer. If you’re able to identify the retailer, go to their website and contact customer support so they can investigate the situation. Ask them to check for—and delete—any fraudulent reviews posted in your name. 

  • Review your accounts. It’s possible that the brushing scammers have access to one or more of your accounts. Make sure you don’t see any unfamiliar orders on the retail websites you use and look for charges you don’t recognize on your credit card or bank statements. Continue to review these accounts regularly. 

  • Check your credit report. Be sure you don’t see any strange activity or changes to your credit report. If you spot activity you don’t recognize, consider contacting the three major credit bureaus and freezing your credit, which prevents lenders from accessing your credit report. 

If you’re an Allstate Identity Protection member, you’ll have a lot less legwork to do. If you discover signs of trouble, rest assured that our specialists are available to help 24/7.