Brushing under the carpet

Most e-commerce businesses such as Amazon or eBay sellers, rely on positive reviews and bold sales numbers to build their reputation. Brushing scams are used to game their apparent ratings and sales numbers. The scam itself is not necessarily overly dangerous to you if you receive an unexpected package, but it could also be an early warning that your identity has been compromised and you could become the subject of identity theft.

The user of a Brushing Scam, gets your name and address. Then they set up a fake account in your name and then create the order. You receive the order, but then the scammer posts a fake review, 5-stars of course, in your name. The review is marked as a ‘verified buyer’ because it has your name on it, linked to the fake account. There’s no return address. And they use the ‘sale’ to boost their numbers, which in turn boosts their ranking on the e-commerce site. Unscrupulous sellers repeat this hundreds or thousands of times to drive up review standings and drive real purchases.

There has been a lot of this kind of scam in the US and Canada, but it’s on the rise in the UK. The first brushing scams reported were, slightly bizarrely, when ‘mystery seeds’ started arriving from China in 2015. Whilst it’s not overly dangerous to you directly, it reduces the reliability of product reviews and perhaps more crucially, it reveals how your personal data can be so easily stolen by hackers and used by scammers.

Free eBay package? It’s probably a scam

Sites like eBay and Amazon rate and rank sellers according to the feedback and ratings received from previous customers. More positive reviews can have a huge impact over how people make online purchasing decisions.

Under Amazon's selling rules, sellers aren’t allowed to send packages without a valid order. If sellers are found to have been involved in a scheme to gain fake reviews, they’ll be penalised and potentially removed from the site.

Some sellers get tempted to use brushing scams if they’re struggling for social proof, to falsify sales and give themselves fake positive ratings.

How do brushing scammers get my info?

The real danger of a brushing scam isn’t in receiving something that you didn’t order. The problem is knowing that your private information has fallen into the hands of someone willing to use it in a scam. It could be the tip of the iceberg and worse could follow.

But how do scammers get hold of your personal data? Well, there are several ways it can happen:

• They find you on a public database. Your information may be available in some public directories, such as the electoral roll, or hackers can scrape through social media to build a profile of you. In brushing scams all they need is a name and address and they’re off. Just carrying out a simple Google search for your name could come up with your home address and other personal information
• Your personal data was stolen in a data breach. Hackers have made increasing numbers of data breaches resulting in the loss of millions of personal data records. As a result, your personal data can end up getting sold on the dark web to whoever wants it. For pennies, scammers can acquire your data and then use it in scams, like brushing scams amongst others

There are many ways your data can get out there. It’s amazing how many companies and organisations have your data, often companies that you dealt with only once, perhaps many years ago, but your data continues to slosh around in their databases.

How can brushing scams hurt you?

It doesn’t matter where scammers found your information. What matters is that they can get hold of it so easily. Because if they have your name and address, then they most likely can also find more sensitive data such as your National Insurance number, passwords, banking information, and medical information. All of this could lead to complete identity theft and even clearing out of bank accounts and savings.

It means hackers have stolen your personal information, at least your name and address. With the right information, scammers could open up a credit card in your name, or intercept important documents. A brushing scam could be an early warning.

The more a scam works, the more a scammer will keep using it. These unscrupulous sellers usually send their targets low-cost, lightweight products that don’t cost much to deliver. But on the back of the fake reviews and false sales numbers, the scammers can make big profits when orders start flooding in. It can even work as an SEO (search engine optimisation) cheat, bringing them higher up in search rankings.

On sites like Amazon, the fake reviews and sales figures can push up prices for legitimate buyers. And all these fake reviews make online shopping more risky. Amazon has reported that it is trying to crack down on fake reviews and that they analyse about ten million reviews every week to try and identify fake ones.

What should I do?

If you have received an unexpected package from, for example Amazon, in a brushing scam here’s what to do:

• Contact Amazon customer support. They can tell you whether your real account has been compromised and will cancel the fake account. The same goes for other marketplaces like eBay
• Change your passwords. If they’ve got your name and address there is the chance they have access to your other online accounts. So change the passwords on your email, banking, and other accounts that contain sensitive information. Choose a secure password that combines letters, numbers, symbols, and uncommon phrases
• Consider using a ‘password manager’ which stores all your passwords securely and means you don’t have to worry about remembering them
• Add Two-Factor Authentication to your account. Two-Factor Authentication is an additional security measure where apps and websites send you a special code, that’s different each time, to enter along with your username and password. Some offer to send you the code via SMS but it can be compromised if your phone is stolen. Instead, set up an authenticator app such as Google Authenticator or Okta
• Check your bank accounts and credit cards for unexpected transactions. If you find any transactions that you can't explain, contact your bank or credit card provider and then go through the steps of the fraud victim's checklist
• Report the incident. If you think your National Insurance number, passport, or other personal identification details have been compromised, contact the authorities immediately. Passport theft should be reported to the police.

Can you keep the packages?

According to Citizens' Advice, if an item is addressed to you, there has been no previous contact with the company, and it arrives out of the blue, then you can keep it. But anything which arrives by mistake - either delivered to the wrong address, or a duplicate of some goods you have already received - has to go back. And it’s the right thing to do!

Controlling your data

Given the amount of scams out there and the risk of your data being used against you, it’s good to get control of your data. You can avoid your data being used against you by getting it deleted from any company that doesn’t need it any more. You’d be amazed at how many companies have your data, including many you've never heard of.

Use Rightly Protect to find out who’s got your data and get it deleted, quickly and for free.