){kind=icon}
Ever opened the front door one morning to find an unexpected package with your name and address on it? While this might seem like a harmless surprise, you could be the victim of what’s known as a brushing scam. Here’s how it works.
What is a brushing scam?
Just like malicious links, fake websites, and gift card scams, brushing scams have emerged alongside the growth of online shopping and review culture.
Online marketplaces like Amazon show customers reviews to help them decide what to buy. Reviews marked as coming from a “verified buyer” often carry more weight. Brushing scams take advantage of this.
In these scams, a vendor obtains your personal details from a data leak or other compromised source, then uses your name and address to place an order and have a product shipped to you. Once the item is delivered, they qualify as a verified buyer, allowing them to leave a positive review that can boost their reputation and sales.
This is where the term “brushing” comes from — vendors are essentially brushing up their own ratings.
The product itself is legally yours to keep under US law. The real concern lies in how your information was accessed in the first place.
Why are brushing scams dangerous?
At first glance, brushing scams may appear harmless: you receive a free product, and someone boosts their seller rating. However, the presence of your name, address, and delivery confirmation often points to a deeper issue — your personal data is circulating where it shouldn’t be.
This typically happens in one of two ways:
Your information was exposed in a data leak and sold online
Someone gained unauthorized access to your device or accounts
Either situation means that your data is now vulnerable and it could potentially be used for other types of fraud.
The best and easiest way to avoid this happening in the first place is to have a 360 cyber security solution in place such as F-Secure Total, which rigorously protects everything you do online.
However, if your data has already been compromised, there are two main dangers you face.
Identity theft risks
If your personal data is somehow compromised, you run the risk of having your identity stolen. The FTC estimates that there has been a four-fold increase since 2020 in reports from older adults who say they have lost tens of thousands of dollars to scammers pretending to be from trusted government agencies or businesses.
And identity theft is far more sinister than just getting targeted with brushing scams. With access to your personal details, criminals may be able to:
Commit fraud or crimes in your name
Impersonate you to scam friends or family
Attempt to blackmail you using personal or sensitive information
Use your healthcare or insurance information for their own benefit
Identity theft can affect both finances and wellbeing, and it can take a lot of time and effort to resolve.
Financial and security concerns
Financial fraud is one of the most common outcomes of stolen personal data. Criminals may:
Open or max out credit cards in your name
Take out loans using your details
Transfer or redirect bills to your account
Attempt property-related fraud, often targeting older individuals or second homeowners
Recovering from these situations can be complex and time-consuming. Brushing scams are often an early sign that your information has been exposed, so it’s important to act quickly.
What should I do if I think I am the victim of a brushing scam?
If you receive a package you didn’t order, try not to panic. Brushing scams can be unsettling, but taking a few straightforward steps can help you protect your information and reduce any risk.
Here’s what to do when you think you’re the victim of a brushing scam:
If you didn’t order it, don’t pay for it. Some scams rely on payment on delivery — simply refuse or return the package.
Check with friends or family to make sure it isn’t a genuine gift. If no one claims it, treat it as if it’s part of a scam.
Avoid contacting the seller. Responding can confirm your details and leave you open to further scams. If you don’t want the product, throw it away or donate it.
Do not scan any QR codes included with the package. These can link to malicious websites or install harmful software on your device.
Check your bank accounts or credit card statements for any unusual transactions. Consider requesting new cards and updating your online banking passwords.
Change the passwords on the online marketplace the package came from, as well as the ones you use for your email account. Use our free password generator to ensure your new passwords are strong and unique.
Report the incident to the online marketplace. Include the name of the vendor so that they can investigate.
Once you’ve taken these steps, it’s likely that the danger has passed, but it’s a good idea to monitor your accounts for the new few weeks to make sure that nothing further has happened.
There’s no such thing as a free package
While brushing scams may seem minor, they can be a sign that your personal information is circulating online. Acting quickly reduces the risk of further issues.
Being aware of the signs is important, but even the most careful person can miss something. These scams are effective because they rely on normal reactions and everyday behavior. It’s not realistic to monitor every data breach or threat yourself — which is why combining awareness with automatic protection offers more reliable long-term security. Security tools that continuously check for identity leaks and block suspicious activity can provide extra protection and peace of mind.
)