TL;DR You come home after a long day, check your mailbox, and find a package you never ordered. Maybe it’s a cheap phone case, a random kitchen gadget, or some low-cost item with no explanation attached. At first, it feels harmless, maybe even funny. But in many cases, it’s actually part of something called a brushing scam.
This type of e-commerce fraud has been growing quietly in the background of online shopping platforms. The scam works like this: a seller sends unsolicited items to real addresses to generate a legitimate tracking number. Once the package is marked “delivered,” they use that proof to post fake “verified purchase” reviews and artificially boost their product ratings.
Companies, often operating overseas, purchase items and have them shipped to random recipients so the seller can then write a favourable review on the product. The shipments typically include light-weight, low-cost items.
The unsettling part? Someone obtained your name and address via a phishing scam to arrange the brushing.
Brushing up on Phishing scams
Cybercriminals use phishing emails to lure unsuspecting victims into taking actions that can impact their lives, such as sending money, sharing passwords, downloading malware, sharing addresses or revealing sensitive data. The primary intent behind a phishing attack is to steal your money, data or both.
Financial theft — The most common aim of a phishing attempt is to steal your money. Scammers employ various tactics, including business email compromise (BEC), to carry out fraudulent fund transfers or ransomware attacks to extort money.
Data theft — For cybercriminals, your data, such as usernames and passwords, identity information (e.g., Social Security numbers), financial data (e.g., credit card numbers or bank account information), and home addresses (which leads to brushing), is as good as gold. They can use your login credentials to commit financial theft or send you unsolicited packages.
Be vigilant
- If an email asks you to click on a link, be wary. Scammers send phishing emails with links that install malicious software that can steal your data and personal information.
- If an email directs you to a website, it could be a malicious website that can steal your personal information, such as your login credentials.
- If it contains an attachment, please be aware. Malicious extensions disguised as a document, invoice, or voicemail can infect your computer and steal your personal information.
Good News
The good news is that even if you’ve fallen victim to a phishing scam and received one of these brushing packages, you are generally not obligated to return it or pay for it in the US or Canada. You can keep it, donate it, or throw it away. What you shouldn’t do is interact with the sender directly. Instead, report the incident through the platform involved, whether that’s Amazon, USPS, or another retailer.
It’s also a good reminder to review your digital security habits. Change passwords on shopping accounts, enable multi-factor authentication where possible, and keep an eye on your credit activity for anything unusual.
One final thing to watch for: QR codes or flyers included in the package. Scammers are increasingly using these as an additional layer of deception, trying to lure people to fake websites designed to steal login credentials or payment information.
Sometimes, cybersecurity doesn’t arrive with flashing warning signs. Sometimes it just shows up in a small cardboard box on your doorstep.
Stay informed, protected, and one step ahead of fraudsters with Fraudster, the ultimate mobile app. Download now and receive real-time push notifications, stay updated on the latest frauds and scams, and gain valuable tips on safeguarding yourself. Available for iOS and Android, Fraudster is your trusted ally in the fight against fraud. Don’t wait! Visit http://www.FraudsterApp.com to learn more about our mission and start securing your digital world for free.
