Have you ever received a parcel addressed to your name and address… that you did not order? This kind of freebie might be exciting — who wouldn’t like surprise goods delivered to their doorstep? However, if the package you received was not ordered by you or someone you know, but was shipped by the retailer themselves without your consent — you should be far from excited.
These unsolicited deliveries are often part of brushing scams, and they’re not as innocent as they might seem. So what are brushing scams, and how do they work? Are they dangerous? And what should you do if you’re a part of one? I’ll answer all these questions and more, so read along.
What is a brushing scam?
A brushing scam is when an online seller sends you something, usually a small item of low value, that you never ordered. It’s a type of e-commerce fraud that uses your actual details to place fake orders to create fake “verified purchase” reviews, illegitimately boosting their product rankings.
This type of shady activity is not only illegal in many places, which is on the retailer, but it also reveals something alarming on your side. While these scammers might not be trying to steal your money, being part of a brushing scam means your personal data has very likely been exposed in a data leak or sold illegally.
How do brushing scams work?
Dishonest sellers partake in brushing scams to manipulate their reviews, inflate visibility and trust, and boost sales on popular marketplaces like Amazon, eBay, or AliExpress. Here’s how brushing scams typically work:
- Scammers obtain your personal information.
They often get details like your name and address online through data breaches and leaks, find them in dark web databases, or buy the info from third parties. - Scammers create a fake buyer account using your personal details.
- They order their own product using many of these fictitious shopping accounts.
- The product is then shipped to your real address at no cost on your side, usually with no return address.
- Once you receive unsolicited merchandise and delivery is confirmed, a fake verified purchase review is posted under your name.
Why do brushing scams happen?
The online marketplaces are very competitive. There are hundreds, if not thousands, of similar or identical listings, making it really hard for the products to stand out. What helps gain trust and visibility on these shopping sites is a history of verified purchases and great reviews. Unfortunately, achieving this organically isn’t easy, and so, some desperate-enough retailers stoop to devious practices.
Brushing scammers’ logic: dropping an unexpected package to a legitimate address and name in return for a fake five-star review is a calculated payoff — sending out a few cheap trinkets at a low shipping fee will generate enough verified reviews, which will boost actual sales in the long run.
Having a bunch of these fake reviews helps them gain more visibility in oversaturated marketplaces, while that “verified buyer” badge next to the review increases seller credibility. So, it kind of all makes sense… if you have questionable morals and are willing to earn that buck in a very shady way.
Are brushing scams dangerous?
At first glance, this practice might seem innocent enough — you get a free gift, while some third-party seller gets to boost their business. Isn’t that a win-win?
Not really. Here are some reasons why brushing scams can be dangerous:
Personal data exposure
Receiving a mystery package should immediately raise some pretty red flags — someone has your address, name, and very likely other personal information. It means that your sensitive info might have been part of a data leak and may already be circulating online at any scammer’s disposal. And there are worse scams than getting unsolicited packages for which your details can be used.
Misleading product reviews
Not a direct danger per se, but a malicious outcome — brushing scams manipulate online marketplaces and can mislead buyers. Fake reviews can boost the credibility of scammy sellers, who can then potentially trick people into buying a cheap, low-quality item at a higher cost.
Safety risks
Often, brushing scam packages come from countries with poor safety regulations and may include potentially dangerous items. For example, you might receive beauty products containing ingredients deemed unsafe by the FDA or perishable products with no expiration date on the package that might already be expired.
Potential phishing attempts
Some scammers might try to kill two birds with one stone — get that fake verified buyer review and phish you out of more sensitive information. Their tactics include adding a QR code to the parcel, either printed on the box, a thank-you card, or a flyer. Scanning that QR code might take you to fake sites, urging you to claim a prize or answer a survey for a chance to win big.
In most cases, these are phishing websites that harvest your personal information, account passwords, and other sensitive data. In a worst-case scenario, scanning such QR codes and visiting malicious sites can install malware on your device, leaving it compromised and giving scammers access to all your information.
What to do if you receive a brushing scam package
Not to be a killjoy, but if an unexpected package lands at your front door, you shouldn’t get too excited. At least not until you know the sender and can confirm that your gift is legit.
So, here’s what you should do if you receive a brushing scam package:
- Make sure it’s not a legitimate gift. Check your inbox for shipping notifications from known services, review your active subscriptions, and ask friends and family if they’re trying to surprise you.
- Don’t use potentially dangerous items — don’t apply unknown cosmetics to your skin, don’t eat any food, and don’t turn on or plug in any electronics.
- Do not scan any QR codes.
- Check your online shopping accounts to confirm there were no unauthorized purchases.
- Report the brushing scam to the platform. If you can verify the seller, report them as well.
- Update your passwords for the marketplace account and the linked email. If you reuse the same password across other accounts, update them as well.
- Enable 2FA (Two-factor Authentication) to prevent unauthorized access.
- Monitor your bank accounts and credit report, especially if you scanned a QR code and provided any relevant information on a malicious website.
How to reduce your exposure to brushing scams
Scammers get your information from various sources. Those include hacked websites, data leaks, public records, and people search sites. Here’s what you can do to reduce the risk of your info ending up in the wrong hands and falling victim to brushing and other kinds of scams:
- Limit the amount of personal data you share online. If possible, try keeping your full name, date of birth, and address private;
- Avoid unnecessary sign-ups. If you can access services without signing up, don’t. Especially be wary of shady, little-known platforms and try sticking to trusted, reliable services. If you really need to sign up, use online masking services like Alternative ID;
- Monitor data breaches. Staying in the know will help you take quick action — if you see that a provider you’ve signed up with has experienced a security breach, chances are your details were compromised and leaked. So the sooner you find out, the faster you can take steps to minimize the fallout. Using monitoring tools like Alert can take this trouble off your mind by letting you know when your data appears on the dark web;
- Practice safer online habits. First, use strong, unique passwords for all your accounts, and update them frequently — you can generate and store them in a password manager. Set 2FA on all important accounts. Have an alternative online persona to protect your personal information. Use data removal services to get your information off data broker sites.
How Alternative ID fits into a safer on line experience
Many online services require you to provide unnecessary personal information when signing up. And the more sites that have your details, the harder it is to clean up.
Tools like Alternative ID let you create an online persona with alternate details, such as name, surname, birthdate, and home and email addresses.
When signing up for one-time-use websites, newsletters, or discount codes, you can provide these generated details. This helps prevent your actual personal data from being exposed, reused for shady marketing tactics, or falling into scammers’ hands. It is an excellent privacy tool that helps limit the spread of your real identity online.
Example: using Alternative ID for everyday sign-ups
Let’s say you want to sign up for a trial of a trendy fitness app. However, the service is asking you to provide all your sensitive data: full name, home address, and email. This immediately raises a red flag, so instead of providing your real details to this new, low-trust app, you generate an Alternative ID.
If you use this approach over time, your real-world identity isn’t scattered across hundreds of minor databases. If one of the services is ever breached, sells its client info to third parties, or its site gets scraped by data brokers, all that gets revealed is your alias. And, if a brushing scammer tries to buy a list of targets, your actual name and home address aren’t on it.
In the long run, this drastically reduces data exposure — even if one account is compromised, your private life and physical mailbox remain secure.
The bottom line on brushing scams
Ultimately, brushing scams are primarily an e-commerce review manipulation tactic, not a direct attempt to steal your financial information. However, finding a mystery package on your doorstep is a perfect reminder of just how widely your personal data can circulate across the open web.
Every time you hand over your information for a minor sign-up, you increase the risk that it will be compromised, sold, and exploited. But you can take control of your digital footprint with data removal services and privacy tools like Alternative ID. By proactively reducing unnecessary data sharing, you can limit your exposure over time and keep your identity out of scammers’ hands.
Don’t let a mystery package be your wake-up call
Shield your personal information today using Alternative ID
Get SurfsharkFAQ
Should I be worried about brushing scams?
While receiving a free gift might seem harmless, a brushing scam means a third-party seller has your name and address and is using your identity to post fake verified reviews. While you aren’t being billed, it indicates your personal data has been leaked or sold on the dark web. You should change your account passwords and monitor your credit reports for more suspicious activity.
Why am I receiving a package I didn’t order?
If the package isn’t a gift from a friend, it is likely part of a brushing scam designed to boost an e-commerce seller’s ratings illegally. In some cases, it could also be a phishing attempt to steal more of your data or infect your devices with malware via QR codes. On a rare occasion, it can even be a scammer sending a low-value item to see if you’re home before attempting a more significant theft.
What are 5 of the most current scams?
- AI voice cloning: scammers use a short clip of a loved one’s voice to call you and demand emergency funds.
- Pig butchering: a long-term investment scam where fraudsters build a romantic or friendly relationship before “slaughtering” the victim’s savings via fake crypto apps.
- Quishing (QR code phishing): malicious QR codes, often placed over real ones, to steal sensitive data (like ones on parking meters designed to steal payment info).
- Package delivery text scams: fake “unpaid customs fee” or “missed delivery” text message scams with links designed to harvest credit card details.
- Grandparent scams: using social media data to impersonate a grandchild in legal or medical trouble.
