Back to blog page

What is a brushing scam? How to identify and report brushing

Who doesn’t love getting a package!? But wait – even though it’s addressed to you, you don’t remember ordering anything. And when you open the package, there’s just a single pair of socks and no message. What’s going on?
By Alyssa Schmitt
 
Smiling woman stands in doorway and accepts package from deliveryman
We all love to get a package – but if you never ordered it, it could be a scam.

 
Sometimes it’s an unknown Amazon order, sometimes an unsolicited delivery from the USPS. The package is in your name, so you open it, and inside you find a random item: a pair of gloves, some cosmetics, maybe even Bluetooth headphones. You ask around in your family – but no one sent you a gift.
 
If you’ve ever received an unexplained package you didn’t order, it may be part of a brushing scam.

What is a brushing scam?

A brushing scam is when a seller sends packages to random people containing merchandise that they did not order. This might seem like an odd business practice, but usually, the items are cheap, small, and lightweight, so it is not a major expense for the retailer.
 
However, once there is a record that an order was placed and shipped, this can be used to inflate sales figures and makes it possible for the scammer to write a verified review. The small loss that the seller takes by sending off unsolicited orders is made up for by the boost in visibility and perceived popularity of their store or product.
 
Scammers may also send unsolicited packages in an attempt to steal the recipient’s personal data. In addition to the product, the package will contain a message inviting the recipient to scan a QR code to find out who the sender is – but instead takes them to a phishing site.

Why is it called brushing?

Since the purpose of a brushing scam is to artificially improve a seller’s reputation, “brushing” refers to this attempt to “brush up” their image or their sales numbers – and to use the verified reviews to “brush aside” consumer skepticism or mistrust.

How does a brushing scam work?

In a classic brushing scam aimed at boosting sales and reviews, the scammer will:
  1. Find your name and address, usually through publicly available sources like social media
  2. Create an account in your name on a retail platform
  3. Buy goods and have them shipped to your address, which inflates sales numbers
  4. Leave positive reviews by the “verified buyer”
In most cases, the scammer does not hack your original Amazon account or use your credit card to make the purchase – which means it will not show up in your account history or credit card bill.

What is the new scam using QR codes?

Brushing scams have been around since the last decade, but recently authorities such as the USPIS have warned consumers of a new and dangerous twist: Some unsolicited packages now contain a QR code with a message inviting you to scan and find out who the package is from.
 
Instead of satisfying your natural curiosity, however, this opens a fake site inviting you to click a link or enter your username and password. The goal here is to trick you into revealing your login credentials, like in a classic phishing scam, or into downloading malware such as ransomware, spyware, etc. to your device.
In other words, brushing has been combined with a “quishing” scam designed to steal your data.  
 
Bonus explainer: For a refresher on the dangers of quishing and how you can protect yourself, see our deep dive: What is quishing? QR code phishing explained

What to do if you are a victim of brushing?

Receiving a free gift in the mail may seem like a win – and if the unsolicited package is addressed to you, you have no legal obligation to return it or pay for it. However, as you ponder your next move, you should be aware of the potential downsides for yourself and others:
  • Compromised data: It is most likely that the scammers got your address from public sources, but receiving unsolicited packages could also be a sign that someone has stolen your data, e.g. your Amazon password. There may also be a quishing code in the package designed to trick you into revealing additional information.
  • Identity theft: Getting items you didn’t order may mean that someone has created fake accounts using your name and address. If they are not paying for the packages, it could negatively impact your credit score. In addition, you could be banned from the online platform for seemingly writing fake reviews.
  • Misleading other consumers: The fake reviews made possible by the brushing scam may trick other online shoppers into buying inferior products.
With this in mind, you may be wondering how to stop brushing scams. Here’s what experts advise you that do if you receive a package you didn’t order:
  • DON’T scan QR codes from unknown sources.
  • DON’T be tricked into paying money for the item or for a return.
  • DO check your account for recent orders (e.g., your Amazon account if the package was sent by Amazon), then change your password (make sure to use a strong, unique password ) and set up two-factor authentication if you don’t already have it.
  • DO report the scam to the retailer who sent the package or, if it came by regular mail, to the US Postal Service.

Report brushing scams

If you received a package you did not order from Amazon or another online retail platform, you should be able to report it on their website. If you have an account with that retailer, first log in and double-check that the package was not ordered from your account. Then, check the Help section for a page called “Report scam” or similar – there should be a form for you to submit the details.
 
For example, here’s how to report brushing on Amazon:

How do I report an unwanted package on Amazon?

If you believe you received an Amazon package as part of a brushing scam, follow these steps to report it:
  1. Log in to your Amazon account
  2. Go to Help > Report Something Suspicious > Report a scam
  3. Click Report Unsolicited Packages or Brushing Scams
  4. Click the Report Unwanted Package form and fill in the details
  5. Click Submit report

What do I do about a USPS brushing scam?

Brushing packages delivered through the regular mail, i.e., delivered by the United States Postal Service (USPS), are a form of mail fraud and can be reported to the U.S. Postal Inspection Service. Simply fill out and submit the online mail fraud complaint form.
 
Good to know: If you have received an unsolicited package through the USPS, you can always send it back to the sender free of charge as long as you haven’t opened it by marking it “Return to sender.”

How do I report a scam to the authorities?

In the United States, scams and fraud can be reported to the Federal Trade Commission (FTC) using their dedicated website, ReportFraud.ftc.gov.
 

FAQ: What is brushing scam?

  1. What is a brushing scam on Amazon?

    An Amazon brushing scam is when third-party sellers on the platform send people packages containing items that they never ordered. The recipient's name and address are used without their consent to make it look like they purchased the product. This lets the seller boost their product ratings by creating fake verified reviews. Amazon prohibits this practice and asks affected customers to report such scams immediately.

  2. What is the point of a brushing scam?

    The main aim of a brushing scam is to artificially inflate a product or retailer's ratings and reviews. By sending out unsolicited packages and then posting fake "verified" reviews, sellers hope to improve their product's credibility on online retail platforms. In addition, brushing scams can be a form of phishing: Some unsolicited packages contain QR codes that, when scanned, open fraudulent sites designed to steal user data.

  3. What to do if you receive a package you didn’t order?

    If you receive a package you didn't order, you can report it to the retailer or platform it came from. If you have an account with the retailer, check your order history and change your password to make sure it has not been compromised.

  4. Can I keep a package I didn’t order?

    Under US federal law, it is illegal for a company to send you something you didn't order and then charge you for it. So, if you receive an unsolicited package that is addressed to you, feel free to keep it as a gift, throw it away, etc. (Readers outside the US should check their local laws before keeping an unsolicited package.)

  5. Why did I get an unsolicited package from China?

    An unsolicited package from China may be part of brushing scams, in which sellers ship low-cost items to random addresses. This allows them to create fake verified reviews to boost their ratings and sales. Your address might have been obtained through publicly available sources, like social media or real estate platforms, or through a data breach.


 We hope this post helps you get to the bottom of that mystery package and stay safe from brushing scams. We look forward to your feedback below!
 
And if you don't have a mail.com account, why not create your free email address here?
 
Image: 1&1/iStock
 

Posted in

Phishing Security Trends

59 people found this article helpful.

Related articles

Can email tracking invade your privacy? And how to stop it

Email tracking gathers information about your interactions with emails, i.e. when you open them or click links. Learn how email tracking works and 5 steps to protect your privacy. more

How hackers steal passwords - and ways you can protect yours

Hackers have many ways to steal passwords, like spyware and phishing, Discover the most common methods of password theft so that you can protect yourself. more

How to make digital habits more sustainable & cut carbon footprint

Learn how your digital habits affect the environment and get practical tips for adopting more sustainable practices to reduce your carbon footprint online. more