What Is Brushing? Avoid Getting Swept Into This Shipping Scam

Have you ever come home to an unexpected package, only to excitedly tear it open and realize it’s not something you ordered? If so, you may have been swept into a scam called “brushing.”

Although getting a free item in the mail might seem harmless, this increasingly common scam uses inexpensive, unexpected shipments to deceive—and potentially harm—the recipients.

Read on to learn how brushing works, why it’s not a victimless crime, and how you can avoid it.

What Is a Brushing Scam?

“Brushing” is the practice of shipping unsolicited, inexpensive products to random recipients. It’s a tactic used by unscrupulous internet sellers to artificially inflate their sales, boost their reviews, or even steal data from their victims.

Here’s how it works.

  1. Create phony accounts. The seller, who generally retails their products on popular marketplace sites like Amazon or eBay, creates fake accounts using actual customer data—data which was often gathered through leaks or purchased online.
  2. Make bogus shipments. Then, using these fake accounts, the seller places orders for their items and uses the ill-gotten delivery addresses for shipping (this makes the orders appear legitimate to the marketplace sites).
  3. Post false reviews. Once the order is delivered to the unsuspecting recipient, the seller uses the fake accounts to post glowing—yet fake—reviews of their products.

The scam aims to manipulate the website’s algorithms into believing the seller is shipping more products than they really are and receiving plenty of positive reviews. These factors boost the products and the seller in search results, making it more likely that legitimate buyers will make purchases from them.

The Rise of QR-Code-Based Brushing Scams

Like many scams, brushing has evolved into an even more malicious form: QR-code-based brushing scams.

In this variation, the unexpected package comes with a QR code and a note that asks the recipient to scan it to view a gift message or reveal the return address.

Once the recipient scans the fraudulent QR code, they will be prompted to visit a malicious or spoofed website. The website may appear legitimate, and it could ask the recipient to “log in” (exposing sensitive account information in the process) or click a link (potentially allowing the download of malicious software onto their device).

Once the scammers have secured login information or installed malicious software onto the victim’s phone, they may be able to access bank accounts, social media profiles, and other sensitive personal information.

Protecting Yourself from Brushing Scams

If you come home to an unexpected package on your front porch and fear it may be a brushing scam, here’s how to protect yourself.

  • Don’t scan QR codes. If the package comes with a QR code, it may be a scam. Scanning it could take you to a spoofed website or prompt you to install legitimate-looking—yet malicious—software.
  • Monitor your accounts. Sometimes, the addresses used in brushing scams were gathered during a data breach. Consider investing in ID theft protection or an account monitoring service to help you stay aware of data breaches and protect your personal information.
  • Change your passwords. Err on the side of caution by changing your passwords for online banking accounts and shopping sites.
  • Report the package. If you can determine which vendor shipped the package, consider reporting it to the site. You can also report the suspected scam to the postal service or carrier that delivered it.

Don’t Get Swept into a Brushing Scam

Brushing is a serious scam that presents the potential for real harm. Unauthorized usage of names and addresses, deceptive practices to manipulate ratings and reviews, and the risk of ID theft via malicious QR codes are just some of the ways this scam can deceive and exploit.

Visit Connexus’ Security and Fraud center or read through the Security and Fraud section of our blog to stay up to date on security news and help keep your accounts safe.