
If you receive a package in the mail that you didn’t order, it could be a sign you’re being targeted by a brushing scam and that you’ve already been affected by a data breach. In this article, we’ll explain what brushing scams are, what to do if you’re affected by one, and how to avoid them.

What is a brushing scam?

A brushing scam is a way for scammers to inflate the reviews and apparent trustworthiness of an online store, and at the same time phish for personal information they can use for identity fraud. Several explanations for the name circulate online, but the general consensus is that it refers to the way scammers use your data to “brush up” their store’s reviews.

Once the package arrives, the scammers try several methods to get you to hand over more personal data. The important point is that if you’ve received a package as part of a brushing scam, some of your personal data is already exposed somewhere. At a minimum, the scammers have obtained your name and address, either from a data breach or from a public database, and are using them to target you with a phishing scam.

Here’s how scammers execute brushing scams:

  1. They create a new user account with their own e-commerce business using your name and address.
  2. They then purchase their own product and ship it to your address.
  3. They leave a positive review under your name to boost the credibility of their business.
  4. They then ask you for additional personal information to potentially steal your identity.
  5. This process is repeated with many other people to grow their reach.

Why do scammers use brushing scams?

It might not seem like a big deal to receive a package you didn’t order: You might get some free headphones or an iPhone case out of it. But as we outlined above, it could indicate that your data has leaked from some other service.

Apart from bolstering their online business with fake reviews, the attacker has other ways to take the scam further. Think of the package as bait that draws you into a larger, more elaborate scam. Scammers are hoping that you’ll:

  • Provide them with more personal data by asking you to leave a review or register the item you received on a website they’ve designed to harvest data
  • Provide them with credit card information by following through on a sale or promotion sent to you by email, text, or QR code
  • Provide them with your login credentials for retail websites you already use, such as Amazon, by cloning those websites and tricking you into trying to log in
  • Find them new people to target by sharing the item you receive on social media or with friends and family

Scammers will use tactics such as malware, phishing, and the lesser-known quishing (phishing via QR codes) to try to exploit you.

What to do if you’re a victim of a brushing scam

First of all, if you receive a package in the mail that you weren’t expecting, do not scan any QR codes on the package or create any new accounts with unfamiliar retailers. QR codes are especially dangerous because they direct you to a website the scammers built. You’ll be encouraged to create an account, register your item, or leave a review, but don’t scan anything. The scammers are counting on you trusting them enough to take those next steps.
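If you have already decoded the QR code (or opened the link from the insert), the question is whether the address really belongs to a retailer you use or is a clone of one, as described above. The following Python is an added example, not code from the original article or from Proton: it runs the checks a practitioner would apply to a URL before trusting it. The allowlist of trusted retailer domains and all the sample URLs are constructed for the example; the homoglyph table is a small, deliberately incomplete assumption.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist for this example: only retailers you actually hold accounts with.
TRUSTED_DOMAINS = ("amazon.com", "amazon.co.uk", "ebay.com")

# Digit/letter swaps scammers use to imitate a brand ("amaz0n"); assumed, not exhaustive.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def brand_labels(trusted):
    """Leftmost label of each trusted domain, e.g. {'amazon', 'ebay'}."""
    return {d.split(".")[0] for d in trusted}


def hostname_is_trusted(host, trusted):
    """True only if host is a trusted domain or a subdomain of one.

    Suffix matching on '.' + domain is what defeats 'amazon.com.evil.net':
    that host does not end in '.amazon.com', so it is not trusted.
    """
    return any(host == d or host.endswith("." + d) for d in trusted)


def assess_qr_url(url, trusted=TRUSTED_DOMAINS):
    """Return (verdict, reasons) for a URL read from a QR code or an insert.

    verdict is one of 'trusted', 'suspicious' (trusted host, but something is off),
    'lookalike' (imitates a trusted brand) or 'unknown' (no relationship to the allowlist).
    """
    reasons = []
    raw = url.strip()
    if "://" not in raw:
        raw = "//" + raw  # let urlsplit parse a bare host; the missing scheme is flagged below
    parts = urlsplit(raw)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "unknown", ["no hostname in URL"]

    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme or 'missing'}, not https")
    if "@" in parts.netloc:
        # 'https://amazon.com@evil.example' shows 'amazon.com' but connects to evil.example
        reasons.append("userinfo before '@' hides the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode/IDN label; possible homoglyph domain")

    if hostname_is_trusted(host, trusted):
        return ("trusted" if not reasons else "suspicious"), reasons

    # Not trusted: does it merely resemble a trusted brand after undoing common substitutions?
    normalized = host.translate(HOMOGLYPHS).replace("rn", "m")
    for brand in brand_labels(trusted):
        if brand in normalized:
            reasons.append(f"host '{host}' contains brand '{brand}' but sits outside every trusted domain")
            return "lookalike", reasons

    reasons.append(f"host '{host}' is not a retailer you have an account with")
    return "unknown", reasons


if __name__ == "__main__":
    # Constructed sample URLs of the kind printed on scam inserts.
    for sample in (
        "https://www.amazon.com/review",
        "https://amazon.com.register-gift.net/",
        "http://amaz0n-rewards.com/claim",
        "https://amazon.com@evil.example/",
        "https://xn--80ak6aa92e.com/",
        "amazon.com/register",
    ):
        verdict, why = assess_qr_url(sample)
        print(f"{verdict:10} {sample}  {'; '.join(why)}")
```

Anything other than a clean "trusted" verdict means: do not log in, do not enter card details, and reach the retailer by typing its address yourself. The check is deliberately conservative; a brand-new retailer you have never dealt with will come back as "unknown", which is the right answer when the package itself was unsolicited.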

Instead, focus on finding out how far your personal data has been compromised and on limiting the damage. For example, if the parcel came from Amazon, notify Amazon’s customer service team. You should also change your Amazon account password, and the password for your online banking if you use it.

If the parcel didn’t come from a large e-commerce platform, change your account passwords for online shopping services that you do use. We’d recommend changing your online banking password as well: This is an opportunity to protect all of your accounts by creating new, secure passwords.

Check your bank statements for any irregular transactions, and keep monitoring them for several weeks after the package arrived. Notify your bank if you find any unauthorized purchases or charges. You can also report the seller to the FTC, which helps platforms weed out inauthentic sellers and keeps the online market from being flooded with scams.

How do scammers find your data?

There are a lot of surprisingly easy ways to find personal data, both legally and illegally. Whitepages is a legal database where it’s possible to find cell phone numbers, addresses, legal names, and financial records. The data is collected from public records and data brokers, and it’s very useful to advertisers and scammers alike. Whitepages is just one of many data brokers around the world. It’s a lucrative industry, and data grows more valuable every year thanks to its value to both data brokers and AI companies.

Your personal data can also be collected through data breaches. More than 1 billion records were stolen from companies in 2024 alone through data breaches. In a breach, your passwords could be leaked without any indication of which websites they belong to, or your credit card information could be exposed. That’s why it’s so important to act quickly whenever you’re notified that you’ve been affected by a data breach.

Every piece of your personal data that ends up in the hands of a bad actor creates a risk for your privacy. If you’ve been affected by a brushing scam, or if you’ve ever received a notification that you’ve been affected by a data breach, it’s time to take control of your data.

How to protect your personal data

The easiest way to prevent your personal data from appearing online is to protect your passwords and also your email address. Proton Pass is a password manager that helps you protect your online identity: Not only can you create, store, and autofill your passwords securely, you can use hide-my-email aliases to keep your email address private.

One of the easiest ways for data brokers and scammers to find information about you is by using your email address. It’s tied to just about everything you do online, and it’s also what you use to log in to many of your online accounts: It’s basically your online passport. That means you need to use it the same way you use your real passport. Don’t share it with online retailers, or use it to sign up to newsletters. Instead, create one-off email aliases to direct emails to your personal inbox and shield your email address. This simple act prevents data brokers and others from creating a detailed profile about you and your online activity.

Along with creating email aliases, Proton Pass can proactively scan the dark web for your personal information through Pass Monitor. This advanced security program informs you if any of your information appears online and also monitors your account for any unauthorized login attempts. Scams are evolving every year, so it’s time to take control of your online life.

Create a Proton Pass account today to prevent more of your personal data falling into the hands of scammers.

