A brushing scam occurs when you receive a package containing items you never ordered. The unexpected package will be addressed to you, but it will most likely not have a return address on it. Some scammers send packages through popular third-party sellers, such as Amazon, to make you believe you’ve received a package by mistake. Even though receiving an unexpected package may seem harmless, falling victim to a brushing scam means your private information has likely been leaked, which could lead to scammers targeting you with cyber attacks and attempting to steal your identity.
Continue reading to learn how brushing scams work, why they’re dangerous and what you should do after receiving an unexpected package.
How brushing scams work
Imagine an unexpected package shows up at your front door. Although you might think you got lucky with a free surprise, you should consider unsolicited packages as clear signs of a brushing scam. If the package is not from a company you regularly order from, you may wonder how they knew your name and address. Scammers often gather as much of your Personally Identifiable Information (PII) as possible to send you a mystery package.
Why brushing scams are dangerous
You may be wondering about the downside of receiving a free gift. The purpose of a brushing scam is for scammers to write fake reviews in your name for a product “you” ordered to boost an item’s ratings and company sales. Because most items sent in brushing scams are inexpensive to buy and ship, scammers consider it worthwhile to use your PII to commit these scams and other forms of fraud. Brushing scams rely on as much PII as scammers can gather about you to impersonate you in misleading online reviews, which may impact your overall digital footprint. Having your PII exposed is dangerous because if one scammer can find and use it to commit fraud, other scammers can likely do the same to commit other crimes or identity theft.
Brushing scams are also dangerous when the unexpected package you receive contains a QR code. If you receive an unsolicited package and know you did not order it, you may be tempted to contact the sender to return it. However, if you notice a QR code on the box or inside the package, scanning it can lead to your PII being sent directly to the scammer. QR code scams, also known as quishing, are commonly associated with brushing scams and often encourage you to register your new product or identify the sender by scanning the QR code. If an unexpected package contains a QR code, do not scan it.
What to do if you receive a package you didn’t order
If you receive a package you didn’t order, immediately notify the retailer, decide what to do with the package, update your passwords and check your bank statements for signs of fraud.
Notify the retailer
The first step you should take after receiving an unexpected package is to notify the retailer listed on the package. Many companies want to be informed about fraudulent purchases to help prevent them in the future, so you should report any package you didn’t order to the retailer for security reasons. When communicating with the retailer, request that any reviews on the item published under your name be removed from their website or the website the product is being sold on.
Keep, discard or return the package
Since packages in brushing scams are addressed to you, the Federal Trade Commission (FTC) says you are legally allowed to keep them. Companies are forbidden from sending unordered products and expecting you to pay for them, so you are not obligated to pay a retailer for an item received in a brushing scam. However, just because you can keep an unexpected package as a free gift does not mean you should be less suspicious about using items you receive. Trust your instincts when deciding whether to keep or discard an item from an unexpected package. If you have not opened the package, you can mark it as “Return to Sender,” and it will be sent back at no cost since you never ordered it.
Change your passwords
Because being targeted by a brushing scam implies that your PII has been leaked, you should update your passwords immediately to protect your online accounts. A quick way to change all your passwords is to use a password manager like Keeper®. Once you store all your login credentials in a password manager, you can go into each record and update your password by using Keeper’s built-in password generator, which produces strong, unique passwords. Alternatively, you can create your own strong passwords by making sure they consist of at least 16 characters and a combination of uppercase and lowercase letters, numbers and symbols. After updating your passwords with stronger ones, your online accounts will be more secure, reducing the risks of scammers hacking into your accounts and stealing private information.
Enable Multi-Factor Authentication (MFA)
Another way to secure your accounts beyond updating your passwords is by enabling Multi-Factor Authentication (MFA), which is an extra layer of security that prevents anyone from logging in without verifying your identity. Some types of MFA include a PIN, a code from an authenticator app, an answer to a security question or your biometrics. With MFA enabled, a scammer who knows your login credentials cannot access your online accounts because they can’t provide the additional form of authentication. If you’ve received a package through a brushing scam and accidentally scanned a QR code, set up MFA on all your accounts immediately to help prevent scammers from stealing your data.
Check your bank statements for signs of fraud
Scammers can also use your PII from brushing scams to commit fraud, so it’s important to keep a close eye on your bank statements and credit reports for signs of fraudulent activity. Monitor your bank accounts and credit card bills for any suspicious activity and unauthorized charges. You should set up notifications for your banking apps to receive immediate alerts about potential fraudulent activity, allowing you to take quick action if necessary.
Consider placing a fraud alert on your credit report
If you’ve received a package you never ordered, consider placing a fraud alert on your credit report, as a scammer may have sensitive PII related to your finances that could be used to commit fraud. A fraud alert requires you to verify your identity before opening a new line of credit or obtaining a loan in your name. Placing a fraud alert can help prevent scammers from using your PII to steal your identity or damage your credit. To place a fraud alert, contact one of the three major credit bureaus (Experian, TransUnion or Equifax).
Conduct a dark web scan
After receiving a mysterious package and suspecting that your PII has been exposed, you should conduct a dark web scan to determine what private information scammers may know. A dark web scan is a tool that scans the dark web and informs you if your personal information has been found. We recommend using Keeper’s free dark web scan, which scans its database for your information and determines whether it’s found on the dark web. If your information is found, you will receive near-immediate results detailing which PII has been compromised.
Be on the lookout for brushing scams
Even though receiving a surprise package may seem exciting at first, you are likely receiving it because you have been targeted by a brushing scam. These scams are dangerous because they may indicate that your personal information has been exposed, making you more vulnerable to other scams. If you receive an unexpected package, notify the retailer, change your passwords, enable MFA and watch your bank statements closely for signs of fraud. Updating your passwords to stronger ones is easy with Keeper Password Manager, which helps you create, update and store your passwords in a secure vault.
Start your free 30-day trial of Keeper Password Manager today to protect your online accounts and private information from scammers.