If you receive a package that is unexpected, it may be a brushing scam that online sellers use to falsely inflate review ratings and may mean your personal data has been compromised.
It involves receiving an unexpected package from, for example, Amazon. You receive an unexpected package on your doorstep.
It’s addressed to you, so you open it and realise this was not something that you ordered. It could be an honest mistake somewhere up the line, but equally, it could be what’s become known as a “Brushing Scam”.
Most e-commerce businesses such as Amazon or eBay sellers, rely on positive reviews and high sales numbers to build their reputation. Brushing scams are used to gain their apparent ratings and sales numbers.
The scam itself is not necessarily overly dangerous to you if you receive an unexpected package, but it could also be an early warning that your identity has been compromised and you could become the subject of identity theft.
The user of a Brushing Scam gets your name and address. Then they set up a fake account in your name and then create the order. You receive the order, but then the criminal posts a fake review, five-stars of course, in your name. The review is marked as a “verified buyer” because it has your name on it, linked to the fake account.
There’s no return address. And they use the “sale” to boost their numbers, which in turn boosts their ranking on the e-commerce site. Unscrupulous sellers repeat this hundreds or thousands of times to drive up review standings and drive real purchases.
There has been a lot of this kind of scam in the US and Canada, but it’s on the rise in the UK. The first brushing scams reported were, slightly bizarrely, when ‘mystery seeds’ started arriving from China in 2015. Whilst it’s not overly dangerous to you directly, it reduces the reliability of product reviews and perhaps more crucially, it reveals how your personal data can be so easily stolen by hackers and used by criminals.
Free eBay package? It’s probably a scam
Sites like eBay and Amazon rate and rank sellers according to the feedback and ratings received from previous customers. More positive reviews can have a huge impact over how people make online purchasing decisions.
Under Amazon’s selling rules, sellers aren’t allowed to send packages without a valid order. If sellers are found to have been involved in a scheme to gain fake reviews, they’ll be penalised and potentially removed from the site.
Some sellers get tempted to use brushing scams if they’re struggling for social influence, to falsify sales and give themselves fake positive ratings.
How do criminals using the brushing scam get my information?
The real danger of a brushing scam isn’t in receiving something that you didn’t order. The problem is knowing that your private information has fallen into the hands of someone willing to use it in a scam. It could be the tip of the iceberg and worse could follow.
But how do criminals get hold of your personal data? Well, there are several ways it can happen:
They find you on a public database: Your information might be available from some public directories, such as the electoral role or criminal hackers may trawl through social media to build a profile of you. In brushing scams all they need is a name and address and they’re off. Just carrying out a simple Google search for your name could come up with your home address and other personal information.
Your personal data was stolen in a data breach: Criminal hackers have made increasing numbers of data breaches resulting in the loss of millions of personal data records. As a result, your personal data can end up getting sold on the dark web to whoever wants it. For pennies, criminals can acquire your data and then use it in scams, like brushing scams amongst others
There are many ways your data can get out there. It’s amazing how many companies and organisations have your data, often companies that you dealt with only once, perhaps many years ago, but your data continues to slosh around in their databases.
How can brushing scams hurt you?
It doesn’t matter where criminals found your information. What matters is that they can get hold of it so easily. Because if they have your name and address, then they most likely can also find more sensitive data such as your National Insurance number, passwords, banking information, and medical information. All of this could lead to complete identity theft and even clearing out of bank accounts and savings.
It means criminal hackers have stolen your personal information, at least your name and address. With the right information, criminals could open up a credit card in your name or intercept important documents. A brushing scam could be an early warning.
The more a scam works, the more a criminal will keep using it. These unscrupulous sellers usually send their targets low-cost, lightweight products that don’t cost much to deliver. But on the back of the fake reviews and false sales numbers, the criminals can make big profits when orders start flooding in. It can even work as an SEO (search engine optimisation) cheat, bringing them higher up in search rankings.
On sites like Amazon, the fake reviews and sales figures can push up prices for legitimate buyers. And all these fake reviews make online shopping more risky. Amazon has reported that it is trying to crack down on fake reviews and that they analyse about ten million reviews every week to try and identify fake ones.
What should I do?
If you have received an unexpected package from, for example Amazon, in a brushing scam here’s what to do:
- Contact Amazon customer support. They can tell you whether your real account has been compromised and will cancel the fake account. The same goes for other marketplaces like eBay
- Change your passwords. If they’ve got your name and address there is the chance they have access to your other online accounts. So change the passwords on your email, banking, and other accounts that contain sensitive information. Choose a secure password that combines letters, numbers, symbols, and uncommon phrases
- Consider using a ‘password manager’ which stores all your passwords securely and means you don’t have to worry about remembering them
- Add Two-Factor Authentication to your account. Two-Factor Authentication is an additional security measure where apps and websites send you a special code, that’s different each time, to enter along with your username and password. Some offer to send you the code via SMS but it can be compromised if your phone is stolen. Instead, set up an authenticator app such as Google Authenticator or Okta
- Check your bank accounts and credit cards for unexpected transactions. If you find any transactions that you can’t explain, contact your bank or credit card provider and then go through the steps of the fraud victim’s checklist
- Report the incident. If you think your National Insurance number, passport, or other personal identification details have been compromised, contact the authorities immediately. Passport theft should be reported to the police
Scambusters Mail bag: answering your scam questions
Question: My son recently got a new phone, he’s only 11. His number has obviously been used before. He gets scam text messages all the time, what can I do about them?
Report it to Action Fraud on 0300 123 2040 or via actionfraud.police.uk. If you’re in Scotland, please report to Police Scotland directly by calling 101 or Advice Direct Scotland on 0808 164 6000.
STOP others being cybercrime victims by reporting scams and suspicious emails. Forward the scam email to report@phishing.gov.uk.
Use Rightly to stop fraudsters from sharing your data and exposing you to scams.
To report a spam text forward the text to 7726. You may get an automated response thanking you for the report and giving you further instructions if needed. You will not be charged for sending texts to 7726.
An easy way to remember ‘7726′ is that they are the numbers on your telephone keypad that spell out the word ‘SPAM’.
Explain to your son that these texts are scams and he needs to show you everyone of them and DO NOT reply. Get him to watch the www.friendsagaisntscams.org.uk training video to give him more information.
Tip of the week: Be wary of unsolicited calls, emails, or texts. Scammers often use these methods to trick you into giving them personal information. Don’t trust caller ID. Scammers can easily spoof the number to make it look like they’re calling from a legitimate company or organisation.
Remember: If you have received a text you think is a scam then you can forward to 7726 or take a screenshot and send it to report@phishing.gov.uk. If you are receiving lots of unwanted phone calls or text messages you can also consider removing your details from data brokers, ensuring that you use a right to object to processing of your data. You can learn more about this on Rightly to stop the sharing of your data exposing you to scams. And you can take a free training course on how to fight against scams on www.friendsagainstscams.org.uk. The more we talk about scams the more we take away the shame.