Brushing scams are a type of e-commerce fraud in which a seller sends a package to a seemingly random person's address. The item is usually of low value, and it's not an altruistic gesture. It's actually an attempt by the seller to fraudulently inflate the product's rating on online sales platforms. Here's how it works:
• The scammer obtains a list of names and postal addresses. They can get these from cybercrime forums or through people search sites. They can even gather this information from public sources.
• They create a fake buyer account on an e-commerce platform where they sell their products. With this account, they "buy" their own product and send the item to the victim's address.
• Using the fake account, they post a 5-star review, boosting (or "brushing up") the product's reputation and visibility. The victim usually first becomes aware of the fraud when they receive the unsolicited package.
Why would anyone care about receiving free products in the mail, even if they're cheap and lightweight?
For one thing, being targeted by a brushing scam could indicate that your personal data is being shared in the world of cybercrime.
For another, scammers might be verifying your data before moving on to a second phase, which involves more serious identity fraud.
There are also more dangerous versions that include a QR code inside the package you receive. Scanning it will likely take you to a malicious or phishing site designed to install malware or trick you into sharing more personal information.
Finally, there's an indirect cost associated with these scams: they slowly and silently erode the trust consumers place in e-commerce platform review systems.
How can you tell if you've been a victim?
It shouldn't be too difficult to figure out if you've been targeted by a brushing scam. If you receive a low-value, poor-quality item in the mail that you don't remember buying, that's an immediate red flag. A vague or missing return address and a QR code inside the package are also red flags.
To be sure, check your emails and accounts on e-commerce platforms or marketplaces, looking for recent purchases. It's also worth checking your bank accounts and credit reports for suspicious activity, as scammers may have moved on to the next stage of the fraud.
What to do if you receive a package?
If you receive something in the mail that you don't remember ordering, minimize the risk by following these steps:
• Confirm that it's not a gift by asking family, friends, or other people in your household if they've ordered anything in your name recently.
• Do not scan any QR codes that may be inside the package.
• Check that no money has been withdrawn from your bank account and that no new lines of credit have been opened in your name.
• Activate multi-factor authentication (MFA) on your bank and credit card accounts.
• Enable MFA on all your online shopping accounts and email.
• Report the fraud to the relevant platform (e.g., Amazon). Most have a specific section for reporting brushing scams.
• Don't try to return the item to the sender. It's yours to keep, if you want.
How to protect yourself from brushing scams?
There are steps you can take to reduce the likelihood of becoming a target of this type of fraud. It all comes down to what personal data is accessible to scammers.
It's true that there's little you can do if a company you interact with suffers a data breach and exposes your information. However, there are identity protection services that scan the dark web for potentially compromised data.
Since scammers also obtain data from the public web, it's important to adopt good privacy habits:
• Minimize what you share on social media.
• Configure your accounts so that only your contacts can see your posts.
• Remove personal data such as address, date of birth, and phone number.
Finally, reduce the possibility of your data being obtained through information brokers by unsubscribing from sites like BeenVerified, Spokeo, and TruthFinder. It requires some effort, and you'll need to repeat the process every few months, but it's worth it. Mitigating this risk isn't a one-time task; it demands continuous vigilance over your digital world. Ultimately, it's the price we pay for access to the services we enjoy.