Brushing scams: How free stuff becomes a security issue
A brushing scam happens when you receive a package you didn’t order. While it may sound harmless, it could be an early sign of identity theft. Find out what to do if you’re targeted by a brushing scam. And get Norton 360 with LifeLock, which offers powerful identity-protection services and a built-in Privacy Monitor, to help keep your personal information safe.
What is a brushing scam?
A brushing scam occurs when an unethical business sends you a product you didn’t order, which can let them write a fake “verified” review using your name. Fraudsters use brushing scams to plant glowing reviews about their products in order to boost ratings and inflate sales numbers.
A well-known brushing scam example happened in 2020 when people around the U.S. received random packages of seeds shipped from China Post. The Better Business Bureau (BBB) identified it as a potential brushing scam and recommended that anyone who received similar packages not plant the seeds, along with other safety precautions.
How brushing scams work
In brushing scams, criminals trick e-commerce platforms into believing you purchased a product, allowing them to post fake verified reviews under your name. These verified reviews increase the product’s visibility on sites like Amazon or eBay.
Here’s how it works:
- Information gathering: An unethical business gathers information about you through online sources such as people-search sites, data leaked through breaches, or info bought from an illegal marketplace.
- Bogus account creation: The business creates an online shopping account with your information.
- Shipment: They send a package to your address with no return address on the label.
- Fraudulent review: They write a glowing review in your name for the product they sent you.
If the brushing scam is successful, the e-commerce shop can gain more visibility and sales because others trust the apparently verified purchase.
Packages sent in these scams often contain low-quality products or random items. For example, some users have reported receiving rocks in the mail.
In another variation of this online shopping scam, scammers might include QR codes with the unwanted packages. The codes are meant to pique targets’ interest, but they might contain spam links or lead to phishing scams. If you receive a mysterious QR code in the mail, don’t scan it.
How do brushing scams hurt people?
Brushing scams can harm you and others through the theft of personal information, the illegitimate boosting of a seller’s reputation, and the provision of misleading information to consumers. Here are a few more details on the impact of these scams:
How brushing scams affect you:
- Your compromised personal information could be further misused.
- The false use of your identity in the scam may result in online store bans.
- It adds to your digital footprint and could damage your reputation.
How brushing scams affect others:
- People may unknowingly buy poor-quality products based on fake reviews.
- The reputation of the unethical business is fraudulently boosted.
- Legitimate store owners may lose customers as a result.
Compared to other cases of identity theft, brushing scams can seem relatively harmless. But ignoring them can encourage scammers, resulting in further harm. If you spot a brushing scam, you need to know how to respond and whom to report it to.
A strong identity protection tool will help you avoid being targeted by brushing scams. Norton™ 360 with LifeLock™ Select has a privacy monitoring feature that scans people-search sites for your info and works with you to have it removed. And if you ever get victimized by identity theft, LifeLock’s dedicated restoration specialists will work with you to help you get your life back on track.
How to spot a brushing scam
The first sign of a brushing scam is receiving a package addressed to you that you didn’t order. Another way to spot a brushing scam is by taking a closer look at the shipping label. If you’re the target of a brushing scam, there usually isn’t a return address.
If there is a return address to a seemingly legitimate store, consider if a loved one might have ordered you a gift. Check with friends or family to confirm—especially if your birthday or a celebration is coming up.
Responding to a brushing scam
If you’re suspicious of a package you’ve received, don’t open it. Instead, contact the authorities and follow the USPS Suspicious Mail Process, meaning you should isolate the item and maintain a safe physical distance.
If you think you’re the target of a brushing scam, follow these steps to take immediate action to protect your identity and reputation:
- Don’t try to return the package: Even if a return address is listed, it’s probably bogus. You have no obligation to return the package, according to the FTC, and you can either keep it or dispose of it.
- Check for data breaches: The brushing scam is a sign your personal details have been compromised. Use a dark web monitoring tool to check whether your information has been exposed in a data breach and posted on the dark web.
- Secure compromised accounts: If you find out your data has been breached, secure any compromised accounts by changing your passwords and adding two-factor authentication.
- Report the brushing scam: Report the brushing scam so that the e-commerce platform and authorities are aware.
How to report a brushing scam
You should report a brushing scam to help stop the sketchy business from profiting from its misdeeds, and to help authorities track and combat scams more broadly.
Report a brushing scam to:
- The Better Business Bureau (BBB): Reporting it to the BBB lets them work with their partners to investigate it.
- The Federal Trade Commission (FTC): Reporting it to the FTC also lets them share the information with their partners to help with investigations. The FTC will provide you with next steps on how to help protect yourself.
- The e-commerce platform: Reporting it to the e-commerce platform where the package came from will help the website ban these unethical businesses.
- Your local police department: Reporting it to your local police lets them create an official record of the scam, even if they don’t investigate every case.
Since each e-commerce platform has a different reporting process, we’ve collected reporting methods for some of the most popular online stores below:
- Amazon: Use Amazon’s Report Unwanted Packages tool.
- Walmart: Contact Walmart via their help center, or call their customer service line at (800) 925-6278 to report the account.
- Target: Contact Target Guest Relations at (612) 304-6073.
- Shopify: Contact Shopify by submitting a form to report merchants for fraud.
- eBay: Use eBay’s report a concern page to submit scam details.
- Wayfair: Submit a ticket on Wayfair via the company’s account page.
Most e-commerce sites have contact information or a report fraud page. If you’re having trouble finding either, try searching for “report fraud” or “contact,” plus the name of the online store on Google.
How to help prevent brushing scams
To help prevent unwanted packages from being sent your way, you need to keep your personal information like your address away from malicious third parties. Here’s how to keep your details more private:
- Double-check your social media privacy settings to be sure you aren’t sharing your information publicly.
- Make sure you maintain strong passwords and use 2FA on all of your accounts that offer it. Use our password manager with a random generator to help create unique passwords.
- Avoid clicking suspicious links that may install keylogging software or other spyware that copies your personal data like your address.
- Avoid oversharing your personal information online, especially with people you do not know.
- Set up a Google Alert that notifies you when your name appears in a new result.
While following these tips will help prevent some attempts, scammers might also get your information from a data leak or breach. Use a dark web monitoring tool to get automatic notifications when your data is discovered so you can mitigate the damage more quickly.
Help protect your online identity
Norton 360 with LifeLock Select is designed to provide you with multiple layers of security for your connected devices as well as powerful protection against identity fraud. Norton 360 with LifeLock will safeguard your device while you surf, bank, socialize, and shop online. Plus, it will help monitor for fraudulent use of your personal information and provide you with the support you need to recover should you ever become a victim of identity fraud.
FAQs about brushing scams
Want to learn more about brushing scams? Check out the questions and answers below.
Are brushing scams dangerous?
While brushing scams aren’t usually dangerous, there’s no guarantee the contents of the package are safe. These scams also indicate that your data has been compromised, potentially exposing you to financial loss and other types of fraud. And a QR code that comes with an unexpected package could lead to a malicious website.
Why is it called a brushing scam?
It’s called a “brushing scam” because scammers “brush up” their store’s ratings by using recipients’ information to post fake positive reviews, making it look like real customers are buying and enjoying their products. Those fake but seemingly legitimate reviews then boost the seller’s ranking on the e-commerce platform.
What if I receive a package I didn’t order?
If you receive a package in your name that you didn’t order, you don’t need to return it. You can keep or dispose of the package as you see fit.
Can I keep an Amazon package I didn’t order?
By law, you can keep unsolicited packages that you didn’t order from Amazon. However, if it has another person’s name or address on it, you’ll need to return it to Amazon. You can only open mail with your name on it.
What's the point of a brushing scam?
A brushing scam helps boost a company’s rating on an e-commerce platform, which can lead to increased sales. The store may be a legitimate business, but this method is considered an illegitimate way to pump up ratings and increase sales.
Editorial note: Our articles provide educational information for you. Our offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about Cyber Safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses. The Norton and LifeLock brands are part of Gen Digital Inc.