Threat Intelligence
brushing scam
ecommerce fraud
fake reviews

Brushing Scam: What It Is and How to Protect Yourself

What the brushing scam is: fake sellers ship unsolicited packages to post fake verified reviews using leaked PII. How to detect and defend.

SecraJuly 6, 202610 min read

The brushing scam is an eCommerce fraud in which a dishonest seller inflates the sales and ratings of its products by shipping unsolicited packages to real addresses harvested from leaked or scraped data. If you have ever received a parcel that nobody in your household ordered, there is almost always review manipulation behind it and, more important from a security standpoint, a clear signal that your personal data is circulating. This article treats brushing strictly as fraud, not to be confused with the hairdressing sense of the word that shares the same search results.

Key points

  • Brushing is a marketplace manipulation technique: a seller creates fake buyer accounts, "buys" its own cheap products and ships them to real people to generate verified purchases and positive reviews.
  • The physical package is the proof the marketplace requires to flag the review as a "verified purchase", which lifts the product's ranking.
  • Receiving a package you never ordered is a data-exposure red flag: your name and address (and sometimes more information) are in the hands of a third party.
  • Some recent campaigns add a QR code to the package, a bridge to quishing and credential theft.
  • Defence combines personal-data hygiene, checking the marketplace account for account takeover and, on the legitimate seller side, detection of fake reviews and brand abuse.

What the brushing scam is

Brushing means fabricating fake commercial activity around a product to deceive both the marketplace algorithm and the shopper. The seller opens or buys fictitious buyer accounts, places orders for its own items (usually light, very cheap products: seeds, costume jewellery, phone cases, face masks) and ships them to real addresses. Because the transaction completes with a verifiable delivery, the platform counts it as a legitimate sale and lets that account publish a review carrying the verified-purchase badge.

The trick is that the recipient of the package has bought nothing and, often, is not even listed as the author of the review. The victim is only the physical link that lends credibility to the fraud: an address to send something to so the purchase looks real.

Why it works: rankings and verified reviews

Marketplaces rank their results using signals such as sales volume and velocity, average rating and the share of verified reviews. Brushing attacks all three at once. Every shipment adds a sale, every fake account adds a five-star review and the verified-purchase badge gives those opinions disproportionate weight over reviews with no confirmed purchase.

The result is a product that climbs the rankings artificially, wins the buy box against honest competitors and projects a trust it has not earned. For the real shopper who later lands on that listing, the harm is indirect but real: they make a decision based on manipulated signals.

How a brushing campaign works step by step

The mechanics are repeatable and cheap, which is why they scale so well:

  1. Address acquisition. The seller assembles a list of real names and addresses. The usual sources are data breaches, lists bought on underground forums and data scraped from social networks or poorly protected sites.
  2. Creation of fake buyers. It registers or acquires buyer accounts, sometimes tied to those same leaked identities to increase credibility.
  3. Order and shipment. It buys its own products, kept very cheap to minimize cost, and sends them to the addresses on the list.
  4. Verified review. Once the delivery is recorded, the fake account posts a positive rating that the platform marks as a verified purchase.
  5. Ranking boost. The accumulation of sales and reviews pushes the product upward, attracting genuine purchases that consolidate the effect.

The unit cost for the scammer is minimal because the product is symbolic and often does not even arrive complete: what matters is not what is inside the box but the delivery record.

An unsolicited package is a data-exposure signal

This is the point a security team must not overlook. A package you did not order is not a lucky gift: it is confirmation that your personal information sits in a dataset a third party controls. At a minimum, someone knows your name and postal address. In the worst cases, that data comes bundled with your email, phone number or even credentials, which opens the door to more serious fraud.

That origin connects brushing to the rest of the cybercrime supply chain. A large share of address lists comes from the same underground economy that fuels credential theft through infostealers and that is traded in the markets we track with dark web monitoring. When your personal data starts circulating, brushing is usually the most visible symptom, but rarely the only one.

There is also an account-takeover scenario. If, on receiving the package, you find a review published in your name that you never wrote, or orders you do not recognize, your marketplace account has probably been compromised and is being used to post fake ratings. In that case brushing overlaps with outright identity fraud, a pattern that also appears in the relationship scams we analyze in catfishing.

The QR code: brushing 2.0 and quishing

A worrying evolution adds a QR code to the package, sometimes with a message along the lines of "scan to find out who sent this" or "discover your gift". Scanning it can lead to a phishing page requesting payment details or credentials, or straight to the download of a malicious app. It is the fusion of brushing and quishing (phishing through QR codes). The rule is simple: never scan a code printed on a package whose sender you do not know.

Brushing on Amazon and other marketplaces

Brushing is not exclusive to any single platform, but it is associated above all with the large marketplaces because of their volume and the weight of the verified-purchase badge. Amazon expressly prohibits incentivized and fake reviews, has sued brokers that sell them and has strengthened detection of anomalous patterns, yet the scale of the catalogue means the problem persists.

If you are the recipient of an unsolicited package on Amazon or any other marketplace, the platform provides a channel to report it. It is worth doing: beyond protecting yourself, you help the system identify the fraudulent seller. An illustrative episode was the wave of unsolicited seed packets received in several countries in 2020, which authorities largely linked to brushing schemes.

Detection and defence

The right response depends on whether you are the consumer receiving the package or the legitimate brand whose products and reputation are being manipulated.

For consumers

  • Do not pay or hand over data. Unsolicited merchandise is legally yours and you owe nobody anything for it. No legitimate shipment demands a later payment or the entry of data to "release" a parcel.
  • Do not scan QR codes printed on the package or follow links that accompany it.
  • Review your marketplace account. Look for orders you do not recognize, reviews posted in your name and changes to addresses or payment methods. Any of these points to account takeover.
  • Harden authentication. Change the password of the affected account, enable multi-factor authentication and check whether your email appears in known breaches.
  • Report the shipment to the platform and, if you spot unauthorized charges or logins, to your bank.
  • Watch your finances over the following weeks, because the same leak that enabled the brushing may feed other frauds.

For brands and marketplaces

From the legitimate seller and platform side, brushing is a problem of catalogue integrity and brand abuse. The most useful lines of defence are:

  • Velocity anomaly analysis: spikes in sales and reviews inconsistent with the product's history or its geographic distribution.
  • Account graph detection: clustering fake buyers by reused addresses, devices, registration patterns or time windows.
  • Purchase-review correlation: verified reviews concentrated in narrow time windows and using repetitive language.
  • Bot and credential-stuffing protection on registration and login, to curb the mass creation of accounts and the takeover of legitimate ones.
  • Brand registry and reporting through the programmes platforms offer to rights holders, to take down fraudulent listings and reviews.

These measures fit into the broader security framework for online retail, which we cover alongside PCI DSS compliance in our guide to retail and eCommerce cybersecurity. A fraud and brand-abuse detection programme is as necessary as protecting cardholder data.

In the European Union, Directive 2011/83 on consumer rights prohibits inertia selling and frees the recipient from any obligation to pay for unsolicited goods. In Spain, the consolidated General Law for the Defence of Consumers and Users enshrines that protection. In the United States, the unordered-merchandise rule lets the recipient keep the product as a gift with no obligation.

In parallel, brushing has a data-protection dimension. The fact that a seller holds your name and address to send you a package implies the processing of personal data with no legitimate basis, which can ground a complaint before the competent supervisory authority and reinforces the need to investigate the origin of the leak.

Frequently asked questions

What is the brushing scam in eCommerce?

It is a fraud in which a seller artificially inflates the sales and reviews of its products by shipping unsolicited packages to real addresses obtained from leaked data. Each delivery generates a verified purchase that enables a positive fake review and raises the product's ranking on the marketplace.

Why did I receive an Amazon package I never ordered?

Most likely you are the physical address in a brushing campaign: someone is using your data to simulate a real delivery and publish a verified review. You owe nothing, but you should read it as a signal that your personal information is circulating and check your account in case it has been compromised.

Is it dangerous to receive a brushing package?

The package itself is usually harmless, but it is a warning of data exposure. The real risk lies in what may follow: fraud attempts, account takeover and, if the shipment includes a QR code or a link, phishing. Never scan or follow those links.

What do I do if I find a review posted in my name that I did not write?

It is a sign that your marketplace account has been compromised. Change the password immediately, enable multi-factor authentication, review orders and addresses, remove the fraudulent reviews if you can and report the incident to the platform.

How does brushing differ from the QR-code package scam?

Classic brushing only seeks the verified review, and the package is symbolic. The QR-code variant adds a phishing vector: it uses the package to lure you into scanning a code that leads to a fraudulent page or a malware download. It is brushing combined with quishing.

Brushing protection with Secra

At Secra we help organizations detect early the data exposure that makes brushing and related frauds possible: brand and dark web monitoring to locate listings, reviews and personal data in circulation, analysis of abuse patterns on marketplaces and hardening of authentication against account takeover. We integrate it into our dark web monitoring service, designed to anticipate fraud before it becomes a reputational incident.

Request an initial assessment and let us plan together the defence against brushing and data exposure for your organization.

About the author

Secra Solutions team

Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.

Share article