The U.S. Postal Service is warning consumers about a growing scam called “brushing,” where unsolicited packages are sent to harvested addresses to inflate the reputation of an unscrupulous online retailer.
Brushing scams involve receiving unsolicited packages containing low-cost items, such as household goods, the USPS warns. These packages are often sent by online retailers or third parties who use your personal information to create fake transactions, inflating product reviews or sales rankings.
“By shipping inexpensive or random items to real addresses, scammers can then post reviews under those names, boosting seller reputations and manipulating marketplace algorithms,” explained Armen Najarian, chief marketing officer for Sift, an AI-powered fraud prevention company in San Francisco.
“This tactic can make listings appear more legitimate and trustworthy, driving more sales,” he told the E-Commerce Times.
Brushing can also be a way to skirt U.S. laws, noted Tony Anscombe, chief security evangelist at Eset, an information technology security company headquartered in Slovakia. “Posting fake reviews is an offense in the U.S., and this appears to be a method of circumventing the illegality of the action,” he told the E-Commerce Times.
Variation on Pig Butchering
Table of Contents
Maanas Godugunur, senior director for fraud and identity at LexisNexis Risk Solutions, a global data analytics and services company, noted that scammers rely on not everyone in a household being aware of everything that’s being delivered. “These packages may also have a note asking [recipients] to take an action to win or get more gifts for free,” he told the E-Commerce Times.
“It’s very similar to a phishing or smishing scam,” he continued. “The fraudsters’ goal is to establish trust with a small win and eventually mature a brushing scam to a pig butchering scam.” Pig Butchering scams involve “fattening” a victim with affection and trust, then “slaughtering” them financially.
Packages may include more than gifts, added Chris Hauk, consumer privacy champion at Pixel Privacy, a publisher of online consumer security and privacy guides. “Occasionally, the package will include a QR code that, if scanned, will take victims to scammers’ websites, where they’ll try to gain additional information, including financial info,” he told the E-Commerce Times.
The Better Business Bureau pointed out on its website that the fake online review angle is only one way scammers benefit. By using the brushing scam, they are also increasing their sales numbers. After all, they aren’t purchasing the items since the payment goes right back to them. Increased sales numbers, even though inflated by fake purchases, appear favorable for the offending company and contribute to further sales.
The BBB also explained that there can be a porch piracy angle to brushing. There are instances where thieves use other people’s mailing addresses and accounts, then watch for the delivery of the package so they can steal it from the door before the resident gets it.
Brushing as a Tool for Fake Reviews
Sift’s Najarian noted that brushing scams usually don’t cause direct financial losses to their targets. “In most cases, the unwanted package is just a tool for fake reviews,” he said.
Eva Velasquez, president and CEO of the Identity Theft Resource Center, a nonprofit organization founded to provide assistance to identity theft victims and consumer education, in San Diego, agreed that brushing may not result in direct financial loss for a target.
“The real risk is what could come next,” she told the E-Commerce Times. “It’s the red flag that your data is actively being circulated and used by an unscrupulous actor.”
For the most part, Pixel Privacy’s Hauk said, “Brushing scams only harm the people that purchase the products because of inflated review scores.”
However, a brushing scam can be leveraged into something more malicious. “Brushing scams can lead to data theft, phishing attacks, or even financial fraud,” maintained Rob Shavell, co-founder and CEO of DeleteMe, a privacy service in Boston that helps users remove their personal information from data broker websites.
“If scammers succeed in getting you to interact, whether through a link, QR code, or message, they might trick you into providing payment info, downloading malware, or handing over sensitive data,” he told the E-Commerce Times. “There have already been warnings about people falling victim to this kind of attack.”
Brushing Often Goes Unreported
Although the postal service recommends reporting brushing incidents to them, that recommendation may be ignored. “Scams such as this aren’t likely to be reported as much as other scams, as many people won’t complain about getting free stuff through the mail,” Hauk said. “It’s much tougher to detect these than the use of bots or fake accounts.”
“Brushing scams are effective precisely because they’re so difficult to detect,” said Paul Bischoff, privacy advocate at Comparitech, a website offering reviews, advice, and information for consumer security products.
“After all, a real product was sent to a real person,” he told the E-Commerce Times. “This is much more difficult to detect than your typical bot that creates fake accounts and spams reviews.”
Scams are much harder to detect these days, Shavell added. “Scammers now have access to more personal data than ever before, making their messages more believable,” he said. “Add AI into the mix, and phishing emails or texts no longer contain the typos and broken grammar we used to rely on as red flags.”
“Instead,” he continued, “they sound polished, professional, and eerily convincing, especially when they include your real name, address, or recent purchase details. The combination of personal data and AI-generated communication makes today’s scams feel more legitimate and harder to spot.”
AI Makes Scam Detection Harder
Erich Kron, a security awareness advocate with KnowBe4, a security awareness training provider in Clearwater, Fla., agreed that AI is making scam detection more difficult. “The popularity, ease of use, and low price of using AI tools can make scams much tougher to spot, especially for those unaware,” he told the E-Commerce Times.
“Detecting scams is often a whack-a-mole game, especially on the bleeding edge where new types of scams are tried,” he said. “However, in most cases, scammers use the tried-and-true tricks and scams they’ve been using for years because they still work.”
What can consumers do to protect themselves from brushing scams? “If you find a surprise package at your doorstep, treat it as an early warning sign,” advised Paige Schaffer, CEO of Iris Powered by Generali, a global cybersecurity and identity protection company.
“Don’t scan QR codes, click links or engage with follow-up communications,” she told the E-Commerce Times. “Monitor your identity [activity], check your online accounts for unfamiliar activity, and report the incident to the retailer.”
“It’s also a good time to change your passwords and enable multi-factor authentication,” she added.
