Brushing Scams: What Are They and How Do They Work?

What is a brushing scam?

Brushing scams are a kind of e-commerce fraud where sellers send products to random addresses to improve their online presence within the marketplace they’re using, usually by leaving fake reviews after the item has been marked as received.

A typical brushing scam might involve someone receiving a product, such as a hair tie or plastic toy, with no return address. Because a real item was shipped out to a real person, these orders can appear legitimate to online marketplaces like eBay or Amazon, allowing the seller to leave a “verified” review.

You might be thinking to yourself that getting free items in the mail is not the worst thing in the world. Maybe you were in the market for a cheap plastic phone case anyway!

But, the fact that the fraudulent seller was able to find your name and address in the first place indicates that your personal information may have been exposed — on the dark web, legal data broker sites, or in public sources — and it’s being used by scammers. Worse, in a new take on brushing scams, some fraudsters are attaching malicious QR codes to these packages in order to attempt to steal recipients’ personal information.

How do brushing scams work?

Brushing scams work because orders that have a confirmed delivery are seen by marketplaces as “verified.” In brushing scams, only cheap items are sent (although the reviewed item may be a luxury good). The cost of sending the item can be seen as an investment, since a large number of positive verified reviews can help the seller’s storefront gain a more advantageous position in the marketplace’s algorithm.

Here’s the step-by-step process of how a brushing scam works from start to finish:

Brushing scams with fake QR codes

One way cybercriminals are evolving brushing scams is by attaching malicious QR codes to the packages. This type of attack is known as quishing, or QR-code phishing. A curious recipient of an unsolicited package may scan the link hoping to find out where the mystery gift originated or how to send it back.

But, the link embedded in these quishing codes can lead to a malicious website that uses social engineering tricks to fool victims. The page may prompt you to interact with a fake login page, revealing your credentials, enter card details into a fake payment portal, or download infostealing malware.

The FBI warns that while these brushing-quishing hybrid attacks are not as widespread as some other types of scams, they are still a serious threat, and victims should report any incidents to the Internet Crime Complaint Center (IC3).

Why are brushing scams harmful?

Although the item you receive may be counterfeit, most brushing scams are not directly harmful to you. You won’t be held responsible for receiving a counterfeit item in a brushing scam.

But, brushing scams aren’t totally benign, and can even be a symptom of a larger problem: data exposure. If you’ve fallen victim to a brushing scam, it means that your personally identifiable information (PII) is circulating somewhere on the internet and is available to scammers.

Let’s dig a bit further into the risks of brushing scams:

Data exposure

Brushing scams rely on real names and addresses, which means some of your personal information has likely been collected, sold, or exposed on the dark web or data broker sites. If your data was exposed after a data breach, you may see an uptick in scam attempts, including brushing scams.

Exposure of your name and address alone may not put you at direct risk of serious fraud like identity theft, but it can increase your exposure to targeted scams (aka spear phishing). These can ultimately lead to identity theft and financial loss if the scammer — already armed with some of your personal details — tricks you into revealing even more sensitive information.

And, if your real name and address have been leaked, other, more sensitive information may be exposed, too. Monitoring tools like Avast BreachGuard can help you determine how much of your personal information is circulating on the dark web, so you can take action to protect your accounts and identity.

Fake reviews posted in your name

Scammers may use your name to post “verified purchase” reviews tied to the items they ship. This isn’t directly harmful to you, but it’s less than ideal: your identity is being used without your consent to support deceptive practices.

Unsafe or counterfeit products

Items sent in brushing scams are often low-quality, counterfeit, or unregulated. Receiving them won’t get you in trouble, but these products may not meet safety standards, especially if they’re electronics, cosmetics, or consumable goods. We recommend not using the product if you think you received it as part of a brushing scam.

Follow-up scams

In some cases, scammers may try to contact you about the package, posing as customer support, delivery services, or sellers. If anyone reaches out asking for information or payment related to an unexpected delivery, it’s safest to ignore the message.

Unfair selling practices

Brushing scams are used to artificially boost product ratings and rankings with fake “verified” reviews. This undermines trust in online marketplaces and puts legitimate sellers at a disadvantage, making it harder for shoppers to rely on reviews when making purchases.

Quishing scams

Some brushing packages include QR codes that prompt you to scan for more information about the product or delivery. These codes can lead to phishing sites designed to steal personal or login information. Avoid scanning QR codes from unexpected packages, especially if they ask you to enter sensitive details.

What to do if you receive an unsolicited package

If you receive an unsolicited package, it’s best to simply ignore it. If the package contains consumables, electronics, or cosmetics, dispose of it safely. Don’t scan any attached QR codes, don’t call any numbers that might come with the package, and don’t respond to messages claiming to be from the seller or customer service. These are probably follow-up scams.

Check for any labels that might indicate which marketplace the seller could be attempting to manipulate results on, as these could come in handy when reporting the brushing scam.

Finally, use a data breach monitoring tool or run a dark web scan to help suss out whether more of your sensitive data than just your name and address is circulating on the dark web. If it is, you may need to change your passwords, enable two-factor authentication, or even freeze your credit to help protect against account takeovers or fraud.

Keep an eye on credit reports and bank statements for any unauthorized “test” charges that can follow a data breach and might indicate more serious charges to your account in the near future.

Do I need to return unsolicited packages?

No. The U.S. Postal Inspection Service reassures consumers that by law, unsolicited packages are yours to keep. FTC guidelines also reiterate that you can keep any merchandise you receive.

How to report a brushing scam

Reporting brushing scams can help digital marketplaces and regulators deal with fraud. Here’s how to report a brushing scam.

1. If possible, report the information to the marketplace where the seller is trying to brush up their reputation, such as Amazon, eBay, or Temu. You might be able to garner this information from the package you received in the mail by looking for any logos you recognize.

2. Report the fraud to the Federal Trade Commission (FTC).

3. If the package was sent by mail and you suspect it may be dangerous, you can report the incident to the United State Postal Inspection Service.

Protect your personal information today

Keeping your data safe works best with a layered approach. Avast helps you stay protected by checking for breached information, warning you about scam websites as you browse, and blocking known malicious links and attachments before they can do harm.