If you've ever received a package you didn't order from a shopping platform like Amazon, and nobody owns up to having sent it, you might have been caught up in a 'brushing' scam.
Sure, receiving parcels you haven't paid for may not seem like the worst problem to have, but being caught up in one of these schemes isn't ideal.
While it might not affect you financially, it leads to questions about who has your address and personal data.
As many as one million UK households could have been victims of the 'brushing' scam on Amazon alone, as reported by Which? last year.
But there is some confusion about what the scam is and how it could impact the average online shopper.
Yahoo UK spoke to the experts to outline everything you need to know about brushing and other online scams...
What is brushing?
According to David Emm, principal security researcher at Kaspersky, brushing is actually marketing fraud, rather than a scam aimed at the person receiving the unsolicited goods or a scam where the aim is to steal something from the consumer.
"The purpose is for the perpetrator, a seller on Amazon, for example, to boost their ratings by creating ‘fake’ reviews of their products.
"I say ‘fake’ because the reviews are real, but they’re created by the seller."
How does it work?
It works by third-party sellers, on Amazon for example, sending people products they haven’t actually bought.
"While this might sound like a good problem, it’s actually a tactic they use to make certain products appear more popular than they actually are, which can improve their rankings to unsuspecting customers," Vonny Gamot, head of EMEA, at McAfee explains.
"If a seller sends out a parcel to someone’s address, that counts as a ‘legitimate’ purchase, which pushes the product further up Amazon’s algorithm, therefore resulting in more genuine purchases."
Sellers find the names and addresses in publicly available sources, such as the electoral roll or phone directories, or in data leaked from a provider that has been hacked.
The sellers then order (their own) goods from the fake accounts they have set up and ship the goods to the people on their address list.
Finally, they write product reviews from their fake accounts (i.e. the accounts used to pay for the goods) in an effort to boost their ratings.
How does brushing impact online customers?
You might ask why this is a concern for online safety. Gamot says the personal details used in such scams are often found by sellers through publicly available forums, marketing mailing lists or via data obtained through a breach.
"Once they have access to this information, this opens the door to further risks – using the details to guess your passwords, access bank account information or find your social media profile to create a fake identity in your name," he explains.
Of course, as Emm points out, sellers may also have obtained customer details from a criminal who has compromised a website the consumer has an account with, or by some other route.
Which? first investigated the practice in 2018, and found that in some cases, the people affected had been victims of data breaches elsewhere, meaning at least some of their personal data was available in unexpected places.
What effect does it have on customers?
The person receiving the goods isn’t actually a victim of cybercrime – they’re simply being used as a cover for a marketing fraud.
Nevertheless, Emm recommends that anyone receiving unsolicited goods should report it to Amazon (or whichever platform the parcel came through) and, since it might not be clear at the outset whether their account has been compromised, change their password and set up two-factor authentication if they haven't already enabled it.
A spokesperson from Amazon told Yahoo UK: "Third party sellers are prohibited from sending unsolicited packages to customers and we take action on those who violate our policies, including withholding payments, suspending or removing selling privileges, or working with law enforcement."
The dangers of 'brushing' and other online scams
Brushing scams may seem fairly harmless, but Carl Wearn, head of e-crime at Mimecast, says that if customers' data has been exposed it could be used for less 'victimless' fraud such as 'credential stuffing' (see definition below), which can have more serious consequences.
'Credential stuffing' occurs when a cybercriminal uses stolen usernames and passwords from one organisation (obtained in a breach or purchased from the dark web) to access user accounts at another.
It often occurs because many consumers tend to use the same password for several different accounts.
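What credential stuffing looks like from the defender's side, as an added example that is not from the article or the experts quoted in it: a small detector run over constructed login-log lines. A stuffing run tries many different usernames from one source with a high failure rate, which distinguishes it both from a brute-force attack on a single account and from normal users. The log format, IP addresses, usernames and thresholds are all assumptions made for the example.

```python
"""
Added example (not from the Yahoo UK article): flag credential stuffing in
login logs. Assumed line format: "<timestamp> <ip> <username> OK|FAIL".
Thresholds are illustrative, not published guidance.
"""
from collections import defaultdict
import re

# Constructed sample log. 203.0.113.7 cycles through many accounts with one
# password each (a breached list replayed); 198.51.100.5 is a user who
# mistyped twice; 192.0.2.44 is a normal repeat login.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 alice FAIL
2024-03-01T10:00:01Z 203.0.113.7 bob FAIL
2024-03-01T10:00:02Z 203.0.113.7 carol FAIL
2024-03-01T10:00:02Z 203.0.113.7 dave OK
2024-03-01T10:00:03Z 203.0.113.7 erin FAIL
2024-03-01T10:00:03Z 203.0.113.7 frank FAIL
2024-03-01T10:00:04Z 203.0.113.7 grace FAIL
2024-03-01T10:00:04Z 203.0.113.7 heidi FAIL
2024-03-01T10:00:05Z 203.0.113.7 ivan FAIL
2024-03-01T10:00:05Z 203.0.113.7 judy FAIL
2024-03-01T10:01:00Z 198.51.100.5 alice FAIL
2024-03-01T10:01:05Z 198.51.100.5 alice FAIL
2024-03-01T10:01:09Z 198.51.100.5 alice OK
2024-03-01T10:02:00Z 192.0.2.44 bob OK
2024-03-01T10:02:30Z 192.0.2.44 bob OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Yield (ip, user, success) tuples; skip malformed lines instead of crashing."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, ip, user, result = m.groups()
        yield ip, user, result == "OK"


def summarise_by_ip(events):
    """Per source IP: total attempts, failures, and the set of distinct usernames."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for ip, user, ok in events:
        s = stats[ip]
        s["attempts"] += 1
        s["failures"] += 0 if ok else 1
        s["users"].add(user)
    return stats


def flag_credential_stuffing(log_text, min_users=5, min_fail_ratio=0.8):
    """Return {ip: reason} for sources that spray many accounts and mostly fail."""
    flagged = {}
    for ip, s in summarise_by_ip(parse_log(log_text)).items():
        distinct = len(s["users"])
        ratio = s["failures"] / s["attempts"]
        if distinct >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = f"{distinct} distinct users, {ratio:.0%} failures"
    return flagged


def accounts_to_reset(log_text, **thresholds):
    """Accounts that logged in successfully from a flagged source.

    These are the real damage: the password the attacker replayed worked,
    which almost always means the user reused it from another breached site.
    """
    flagged = flag_credential_stuffing(log_text, **thresholds)
    return sorted({user for ip, user, ok in parse_log(log_text) if ok and ip in flagged})


if __name__ == "__main__":
    for ip, reason in flag_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {reason}")
    print("force password reset for:", accounts_to_reset(SAMPLE_LOG))
```

Note that the flagged source still had one success (`dave`): a stuffing run is not all failures, and the handful of successes are the accounts to reset, not the noise to ignore.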
The best way to protect against credential stuffing attacks is to use unique passwords for each of your digital accounts, ideally by using a password manager.
You can also turn on two-factor authentication when it is available.
Two-factor authentication is an extra layer of security used to make sure that people trying to gain access to an online account are who they say they are.
Once set up, as well as a username and a password, customers will also be required to provide another piece of information to prove their identity.
This second factor should be of a different kind from your password: typically something you have in your possession, such as a phone running an authenticator app that generates one-time codes, or a hardware security key. A PIN or the answer to a 'secret question' is just another thing you know, so it adds less protection, because the same leaked data that exposed your password may reveal it too.
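How the "something you have" factor in an authenticator app actually works, as an added example that is not from the article: the time-based one-time password scheme (TOTP, RFC 6238) derives a short code from a shared secret and the current time, so an attacker holding only a stolen password cannot produce it. The secret and timestamps below are the RFC's own published test values, and the drift window is an assumed policy choice.

```python
"""
Added example (not from the Yahoo UK article): generate and verify TOTP codes.
The secret and timestamps in __main__ are the RFC 6238 test vectors.
"""
import base64
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over an 8-byte big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to the number of 30-second steps elapsed."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, submitted, unix_time, step=30, window=1):
    """Accept the current code or one from `window` neighbouring steps (clock drift).

    Comparison is constant-time so a verifier cannot leak digits by timing.
    """
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def secret_from_base32(text):
    """Authenticator apps display the shared secret as base32; normalise and decode it."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 SHA-1 test secret
    print(totp(secret, 59, digits=8))          # RFC vector: 94287082
    print(totp(secret, 1111111109, digits=8))  # RFC vector: 07081804
    print(verify_totp(secret, totp(secret, 59), 59))
```

In practice a server also records the last counter it accepted so a code cannot be replayed within the window, which is the one piece of state this stand-alone verifier does not keep.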
How to protect yourself online
McAfee shares further advice below on how to protect your information online:
Don’t overshare on social media
Oversharing online can quickly paint a detailed picture of who you are. Keep sensitive data such as your date of birth, address, job, or names of family members private. Also, rethink whether you really want your relationship status made public.
Protect your identity
Safeguard yourself and important personal and financial details by using an identity theft protection package. This should also offer recovery tools if your identity is compromised.
Set up unique logins for each app you use
While it might seem like a pain, setting up a different password for each app or account you use is a great way to protect yourself and your data online. If you no longer use a social media account, delete your information and deactivate your account.
Safeguard your devices
Before you connect a new IoT (Internet of Things, aka physical devices that are connected to the internet) device to your network, be sure to change the default username and password to something strong and unique.
Hackers often know the default settings of various IoT devices and share them online for others to exploit.
Turn off other manufacturer settings that don’t benefit you, like remote access, which could be used by cybercriminals to access your system.
Hopefully these measures will help prevent you from being the target of a 'brushing' scam, or more serious attacks online.