If you’ve ever received a parcel from a shopping platform that you didn’t order, and nobody you know seems to have bought it for you, you might have been caught up in a “brushing” scam.
It’s an illicit way for sellers to get reviews for their products.
And it doesn’t mean your account has been hacked.
Here’s an example of how it works: let’s say I set myself up as a seller on Amazon, for my product, Kleinman Candles, which cost £2 each.
I then set up a load of fake accounts, and I find random names and addresses either from publicly available information or from a leaked database that’s doing the rounds from a previous data breach.
I order Kleinman Candles from my fake accounts and have them delivered to the addresses I have found, with no information about where they have been sent from.
I then leave positive reviews for Kleinman Candles from each fake account – which has genuinely made a purchase.
This way my candle shop page gets filled with glowing reviews (sorry), my sales figures give me an algorithmic popularity boost as a credible merchant – and nobody knows that the only person buying and reviewing my candles is myself.
It tends to happen with low-cost products, including cheap electronics.
It’s more a case of fake marketing than cyber-crime, but “brushing” and fake reviews are against Amazon’s policies.
Campaign group Which? advises that you inform the platform they are sent by of any unsolicited goods.
It first investigated the practice in 2018, and found that in some cases, the people affected had been victims of data breaches elsewhere, meaning at least some of their personal data was available in unexpected places.
“It’s an old fashioned scam – making people believe in something is a way of getting them to buy,” said Prof Alan Woodward, a cyber-security expert at Surrey University.
“Like it or not, we do all look at the reviews, even though we are getting more savvy about it, and if it says it’s from a verified purchaser, we’re less likely to think twice.”
Can you keep it?
According to Citizens’ Advice, if an item is addressed to you, there has been no previous contact with the company, and it arrives out of the blue, then you can keep it.
However anything which arrives by mistake – either delivered to the wrong address, or a duplicate of some goods you have already received – has to go back.