How online scam ‘brushing’ works and why COVID-19 is to blame for its resurgence
Have you recently received a mysterious parcel in the mail that you didn’t order and that wasn’t a gift?
Maybe it was hair ties, toothbrushes, cleaning products, or even seeds.
Chances are you may have been caught up in an online e-commerce scam called “brushing”.
While getting free stuff sounds great, it comes at the cost of your privacy and personal data.
What is brushing?
Brushing is when people receive cheap, unsolicited packages in the mail from an online marketplace, such as Amazon.
But the actual seller – the individual or company that sent you the item – is usually a third party that uses those websites to sell its products.
The seller effectively makes a fake shopper account using your name and address, buys the product from itself, and then sends it to you.
Americans have recently reported getting sent bluetooth speakers, hair ties, car cleaning products, torches, empty jewellery bags and smart phone repair kits, to name a few.
More recently, it’s been tiny seeds.
The US Department of Agriculture is investigating, but it believes the seeds are coming from China as part of a brushing scam.
Australians have started getting unwanted seeds too.
The Department of Agriculture has confirmed 46 reports of unsolicited seeds arriving in the country over the past five weeks from China, Malaysia, Taiwan, Uzbekistan and Pakistan.
It suspects these are cases of brushing.
“Seeds are often used because they are light and cheap to send through the mail,” a department spokesperson said.
Why are online sellers sending me free stuff?
To boost their presence – and therefore their sales – online.
To achieve this, the third-party seller writes a fake, five-star review of the product it has just “sold” and sent to you, using your name as the author.
Using an actual person’s name makes the review seem more legitimate and helps a seller’s items appear more popular and in demand, according to Damien Manuel, the director of Deakin University’s Cyber Security Research and Innovation Centre.
“You are more likely to buy from somebody who has sold a lot of items and has a good reputation or review,” he said.
“They are distorting the market to make people believe they are a big shipper of a lot of these products, or produce a higher quality item.
“Studies overseas show between 70 and 84 per cent of people make a purchasing decision based on reviews they are reading.”
In a statement, eBay told the ABC it “hadn’t seen any evidence of [brushing taking place”, but said it took “every step to be vigilant against activity that breaks or rules.”
“We encourage our community of buyers and sellers to keep a lookout and report anything suspicious,” the company said.
“This helps ensure eBay remains a safe and fair marketplace.
“eBay’s global teams work around the clock to safeguard our site and where necessary, take action to block accounts.”
Amazon has not responded to the ABC’s request for comment.
The ABC has contacted Kogan for comment.
So the stuff I get sent is free? Cool!
Not quite. It comes at a cost.
Your personal data, stolen from a data breach, has been used in the process — including your name and address.
Personal data is valuable to scammers.
They can can use it to access your bank accounts or set up a new ones, take out loans and steal superannuation, or create fake accounts on social media to attack others.
Getting free stuff in the mail is comparatively harmless, although it does indicate your personal information could be in the hands of digital criminals.
How did they get my personal information?
Every time you use an online service where you enter your personal details to create an account, you are vulnerable to attacks or data breaches.
Think about all the social media platforms or shopping websites you have signed up to. They add up fast.
Data breaches may be accidental, but in other cases they can be deliberate, where criminals target a company to steal data.
Once that data is out there, online criminals can collect it and sell it to others, particularly on the dark web.
In the case of brushing, criminals sell your personal details to these third-party retailers, who then send you the packages.
“Nefarious individuals will use those details they acquired and set up fake profiles on websites,” Mr Manuel said.
“You are a legitimate person with an address who received the product.
“But the person writing the review is someone who has stolen your identity and created a fake account.”
Your data may have also been stolen through document theft, the hacking of your personal devices, or through phishing, when a scammer fools you into handing over your personal information.
Is brushing a new thing?
No. It has been around for a few years, but it has remerged this year due to the outbreak of COVID-19, along with a rise in other cyber-related scams and crimes.
“It is becoming more prevalent as companies become more dependent on online sales,” Mr Manuel said.
“People are trapped at home in lockdowns or have restricted access to go to shops, so they are really dependent on reading reviews.”
The Australian Competition and Consumer Commission (ACCC) said there was a this year, compared to the same time last year.
The ACCC said 24,000 people had reported their personal information stolen.
Australians lost more than $22 million, combined, as a result.
Can anything be done to stop brushing?
Not really. If your personal details are out there then they can be used for years, according to the ACCC.
Your data could even be sold multiple times.
Victims of brushing should report it to the marketplace they received the parcel through, such as Amazon.
You can also report it to the company that made the product — but sometimes that can also be who sent it to you.
“You could be reporting it back to the seller itself,” Ms Manuel said.
“There are two culprits in brushing — either the manufacturer or the seller, or the two are in cahoots with each other.
“If you report it to them you might stop receiving packages and they will just switch to somebody else.”
Organic items like seeds present a biosecurity risk, and anyone who receives them unsolicited in the mail is asked to report it to the Department of Agriculture, Water and Environment on 1800 798 636.
If you think a scammer has your account details, passport, tax file number, licence, Medicare number or other personal identification details, the ACCC says to contact your bank, financial institution, or other relevant agencies.