A brushing scam is when you receive a package you didn’t order, because a bad actor has gotten your personal information.
Have you ever received a package in the mail that you didn’t order? In 2021, to my surprise, I started receiving lots of random packages. They were addressed to me, with the correct address, but I didn’t order them.
The packages were filled with an assortment of cheap goods like LED lights, iPhone cases, and inexplicably, strawberry-flavored eyelash foam cleaner. My first thought when I opened the packages was that my grandmother had gotten a good deal on some items and had wanted to send them to us. Yet, when I called her she had no idea what I was talking about.
After some digging, I discovered that my old, no longer used email was attached to an Amazon account. Sellers sent packages to me and used my profile to write a verified review.
In short, I was caught up in a brushing scam.
Not every brushing scam will cost you money; in fact, some scammers are only interested in posting a verified review of their product using your account. However, some scammers will use cards on file or, when payment is defaulted, leave you with the bill for the items. This is a win-win scenario for brushing scammers: they leverage your name and account for a verified review, and they get your money.
In 2020, many people were victims of brushing scams, in the form of seeds from foreign countries. The USDA warned that these foreign seeds should never be planted, as they posed environmental risks. Seeds are a popular thing for scammers to send because they are lightweight and cost very little to ship.
Some brushing scams also include QR codes, inviting recipients to scan the code. You should never scan a QR code from a package you didn’t order; it’s almost certainly there to install malware or steal more of your personal data.
There have been some viral videos of brushing scam victims sharing their “wealth” at Christmas time in the form of Secret Santa gift exchanges. This can make the scam seem lighthearted or innocent. But it’s important to remember that the exploitation of your personal information is the basis of a brushing scam.
With data breaches on the rise, your personal information could have made its way onto the dark web without you ever knowing. Luckily, there are several sites that you can use to discover if your email has been breached. I like “Have I Been Pwned” for its simplicity. By throwing my email into the search bar, I can discover if I’ve been breached, and by whom. The website will also let you know what data has been stolen.
For example, a retailer that I subscribe to was breached in 2024, and the threat actors stole “Dates of birth, Email addresses, Genders, Names, Partial credit card data, Phone numbers, Physical addresses, Purchases, and salutations.”
The first thing you should do is try to regain control of your hacked email and shopping accounts. I’d start with Have I Been Pwned and then go down the line with every email I’ve used in the past. Then I’d check whether the package is from Amazon, Walmart, etc., and report the unwanted package to that retailer. You’ll want to act fast, especially if your own personal credit card information is being used.
From there, I’d contact my bank and let them know that my card has been compromised. Even if your card wasn’t used to purchase the unwanted packages, if it’s attached to your account, you can be certain it’s compromised and needs to be cancelled.
You’ll also want to update your passwords and start using two-factor authentication on every account.
See Also: How to Set Strong Passwords Blog
See Also: Two Factor Authentication – Security Beyond Passwords Blog
To be safe, consider initiating a credit freeze through your credit bureau and credit card company. To establish your security freezes, you will need to contact each of the three credit bureaus online:
You’re likely even more stressed if your business information has been compromised by a brushing scam. If business information is compromised, you’ll want to freeze company credit cards, create new passwords for company emails, and report the breach to your IT department.
From there, your IT staff should be able to identify what other sensitive information has been leaked.
If you think your business has experienced a compromise, please contact the SecurityMetrics Forensic team, who will help you get secure.