If you receive a package in the mail that you didn’t order, it could be a sign you’re being targeted by a brushing scam and that you’ve already been affected by a data breach. In this article, we’ll explain what brushing scams are, what to do if you’re affected by one, and how to avoid them.
What is a brushing scam?
A brushing scam is a way for scammers to boost the reviews and apparent trustworthiness of an online store, and it also serves as a phishing lure for personal information that can be used to commit identity fraud. There are a few explanations for the name “brushing scam” online, but the general consensus is that it refers to the way scammers use your data to “brush up” their online store reviews.
Once you’ve received a package, scammers will use multiple methods to convince you to give away personal data. But the important thing to note is that if you’ve received a package as part of a brushing scam, some of your personal data is already exposed somewhere. At a minimum, the scammers have found your name and address through a data breach or on a public database, and they’re using it to target you in a phishing scam.
Here’s how scammers execute brushing scams:
- They create a new user account with their own e-commerce business using your name and address.
- They then purchase their own product and ship it to your address.
- They leave a positive review under your name to boost the credibility of their business.
- They then ask you for additional personal information to potentially steal your identity.
- This process is repeated with many other people to grow their reach.
Why do scammers use brushing scams?
It might not seem like a big deal to receive a package you didn’t order: You might get some free headphones or an iPhone case out of it. But as we outlined above, it could indicate that your data has leaked from some other service.
Apart from bolstering their online business with fake reviews, there are other ways for the attacker to take the scam further. Think of the package as bait that draws you into a larger, more elaborate scam. Scammers are hoping that you’ll:
- Provide them with more personal data by asking you to leave a review or register the item you received on a website they’ve designed to harvest data
- Provide them with credit card information by following through on a sale or promotion shared with you by email, text, or QR code
- Provide them with your existing login credentials for existing retail websites such as Amazon by cloning those websites and tricking you into trying to log in
- Find them new people to target by sharing the item you receive on social media or with friends and family
Scammers will use tactics such as malware, phishing, and the lesser-known quishing (QR code phishing) to try to exploit you.
What to do if you’re a victim of a brushing scam
First of all, if you receive a package in the mail that you weren’t expecting, do not scan any QR codes on the package or create any new accounts with new retailers. QR codes are especially dangerous, because they’ll direct you to a website created by the scammers. You’ll be encouraged to create an account, or register your item, or provide a review, but don’t scan anything. The scammers are counting on you trusting them enough to take those next steps.
Instead, focus on finding out how far your personal data has been compromised and on mitigating the damage. For example, if the parcel you received came from Amazon, notify their customer service team. You should also change your Amazon account password and, if you use online banking, the password for that as well.
If the parcel didn’t come from a large e-commerce platform, change your account passwords for online shopping services that you do use. We’d recommend changing your online banking password as well: This is an opportunity to protect all of your accounts by creating new, secure passwords.
Check your bank statements for any irregular transactions, and keep monitoring them for several weeks after you’ve received the package. You may need to notify your bank if there are any unauthorized purchases or charges. You can also report the seller to the FTC, which helps platforms weed out inauthentic sellers and keeps the online marketplace from being flooded with scams.
How do scammers find your data?
There are a lot of surprisingly easy ways to find personal data, both legally and illegally. Whitepages is a legal database where it’s possible to find cell phone numbers, addresses, legal names, and financial records. The data is collected through public records and data brokers, and it’s very useful to advertisers and scammers alike. Whitepages is just one of many data brokers around the world. It’s a lucrative industry, and data is growing more valuable every year thanks to its worth to both data brokers and AI companies.
Your personal data can also be collected through data breaches. More than 1 billion records were stolen from companies in 2024 alone through data breaches. In a breach, your passwords could be leaked without any indication of which websites they’re used for, or your credit card information could be leaked. That’s why it’s so important to act quickly if you’re ever notified that you’ve been affected by a data breach.
Every piece of your personal data that ends up in the hands of a bad actor creates a risk for your privacy. If you’ve been affected by a brushing scam, or if you’ve ever received a notification that you’ve been affected by a data breach, it’s time to take control of your data.
How to protect your personal data
The easiest way to prevent your personal data from appearing online is to protect your passwords and also your email address. Proton Pass is a password manager that helps you protect your online identity: Not only can you create, store, and autofill your passwords securely, you can use hide-my-email aliases to keep your email address private.
One of the easiest ways for data brokers and scammers to find information about you is by using your email address. It’s tied to just about everything you do online, and it’s also what you use to log in to many of your online accounts: It’s basically your online passport. That means you need to use it the same way you use your real passport. Don’t share it with online retailers, or use it to sign up to newsletters. Instead, create one-off email aliases to direct emails to your personal inbox and shield your email address. This simple act prevents data brokers and others from creating a detailed profile about you and your online activity.
Along with creating email aliases, Proton Pass can proactively scan the dark web for your personal information through Pass Monitor. This advanced security program informs you if any of your information appears online and also monitors your account for any unauthorized login attempts. Scams are evolving every year, so it’s time to take control of your online life.
Create a Proton Pass account today to prevent more of your personal data from falling into the hands of scammers.