Brushing Scams

How much do you know about brushing scams and phishing scams? What should you do?

A few days ago, this fashionable women’s hairpiece arrived at my address. I never placed any such online order. Before this, I received three more parcels that I never ordered. It’s not like I had to pay anything—these were all free. Two of them were somewhat useful: a robot vacuum cleaner plus mop, and a rechargeable drill with a car lug‑nut removal attachment. I also received a cap, and now this hairpiece. I have absolutely no use for this fashionable women’s hair. So I’m thinking of marking it as “never used” and leaving it by the roadside—if someone finds it useful, they can take it.

In today’s online world and the booming era of e‑commerce, a new term has entered the tech dictionary—“Brushing Scam.” A brushing scam is a type of fraud where third‑party e‑commerce sellers send unwanted, low‑value items (such as seeds, phone cases, toys, or other small things—sometimes useful, sometimes not) to your address so they can create fake “verified buyer” reviews and boost their product ratings. These items are usually harmless, and you may keep them if you want, but such scams indicate that your personal information (name, address) has likely been stolen through some data leak. Perhaps your address leaked from another order. Not all sellers in the world are honest, and the business of selling people’s data is now a billion‑dollar market.

In Bangladesh, a gentleman once ran for a BASIS election whose main business involved collecting your email from job fairs, trade fairs, and syndicated emails—basically wherever you hand over your business card or information. They built a massive email database and later sold it for various promotional schemes. You’ve surely received promotional emails about flats, land, or cosmetics. All of this comes from leaked information. These data sets are sold for thousands of taka. That gentleman used to flood people’s inboxes with emails to the point of harassment.

Brushing scams work in a similar way, using people’s addresses. On platforms like Amazon, eBay, Temu, AliExpress—sellers send you a free product. Meanwhile, they maintain a fake account in your name. Since “verified purchase” is required for reviews, they can show that the purchase was verified. Then, from that fake account, they leave a five‑star review with some flattering comments about the product. For example, they might write on my behalf that this hairpiece is wonderful, it makes me look gorgeous, and all my friends are impressed. Yet I have no use for this hairpiece, nor do I have anyone to gift it to.

Again, a person receives packages containing various items—things they never ordered or wanted. Although the package is addressed to them, it may not have a return address, or it may list some random retailer. These items are usually sent by international third‑party sellers who find target addresses online. Their goal is to create the impression that the recipient is a “verified buyer” who has written a positive online review—meaning they write fake reviews in your name. These fake reviews artificially boost product ratings and sales numbers, which the sellers hope will increase their real sales over time. Since these items are usually very cheap and shipping costs are low, scammers see this as a profitable tactic.

Recently, a new twist has appeared in brushing scams, involving “quishing.” Quishing—short for QR‑code phishing—uses a QR code that, when scanned, takes you to a fake website. These websites look completely authentic, resembling official sites of banks, government agencies, or other institutions. But they are fraudulent sites designed to steal your personally identifiable information (PII). Now, as part of brushing scams, packages include cards with QR codes. The QR code is presented as something you must scan to learn who sent the gift or to get more information about the company. Previously, this was done through email or mobile text—and perhaps still is. This is called a phishing attack. Through such attacks, people can lose access to their bank accounts, email, Facebook, or other valuable online accounts.

A phishing scam is a type of online fraud where attackers impersonate trusted institutions—your bank, email service, or social media platform—to trick you into giving sensitive information. They usually send emails, text messages, or pop‑ups that look completely real and prompt you to “verify your account,” “reset your password,” or “fix a security issue.” The links in these messages take you to fake websites where your login credentials, bank details, or personal information are stolen—these sites look identical to the real ones. Once scammers obtain this information, they can access your accounts, steal money, or commit further fraud in your name; they may even use your private Facebook chats or photos to extort money.

To protect your bank, email, and Facebook accounts from phishing, you must stay alert to any unexpected messages or links. Never click suspicious links—type the official website address directly into your browser instead. Enable two‑factor authentication (2FA) on all important accounts so that even if someone gets your password, they still can’t log in. Carefully check the sender’s email address, look for spelling mistakes, and avoid downloading unknown attachments; always verify the website address in your browser. Change your passwords regularly and monitor your accounts for unusual activity. If any message seems suspicious, avoid using the link provided—contact the institution directly through their official website or customer service.

As people’s lives become increasingly online—shopping through e‑commerce and banking from home—awareness and digital literacy are essential. Brushing scams may seem harmless at first glance, but behind the free items, QR codes can lead you to malicious websites that steal your information. And phishing scams, as explained, are even more dangerous. So stay alert—scammers are always waiting for an opportunity to exploit you.