Brushing Scam / Unwanted Package

Received a phone case I didn't order for a phone model I don't own. Seems to be a brushing scam which I learnt about today https://en.m.wikipedia.org/wiki/Brushing_(e-commerce)

No unusual orders on my Temu, Aliexpress, or credit card, so maybe they just bought my address and phone number from the dark web. Would like to figure out how they might have got those details, though suppose there's no real point since it's already out there.

Since I use a lot of the same sites as you guys, wondered if this has happened to anyone else?

Comments

  • +1

    check haveibeenpwned.com and see if any of your accounts are part of a data leak

  • +3

    Did the parcel have your name on it as well? Or was it addressed to some random name but with your house address? I suppose it'd have your name, since you mentioned it has your phone number.

    I mean, a freebie is a freebie. It's technically a win-win situation. You get a freebie, they boost their ratings, albeit in an unethical way.

    If you are really concerned, then don't use your real information when signing up to sites, unless absolutely necessary. If you were to buy stuff on e.g. Temu or Aliexpress or whatever, just give a fake name. I presume you don't flat with others and if yes, then it doesn't matter if they ship the parcel to "Bob". You know that's you and it's just you and your family living in your property, so there's no confusion here. Everyone in the household can just have the item be delivered to "Bob".

    Always use a password manager with 2FA and use disposable/burner emails and numbers.

    Sites like Bulc.Club, SimpleLogin etc can provide burner emails that you can dynamically generate on the fly. This helps protect your real email and is especially useful at detecting sites that may have sold your data to a 3rd party. For example, if you use the address trademe@example_username.bulc.club to sign up for an account on TradeMe, then the expectation here is that you should only be receiving emails to this address from TradeMe. If you suddenly receive an email from another party that has got nothing to do with TradeMe, then it means that TradeMe has sold your data to some other party, otherwise they wouldn't have got a hold of your information. The other benefit of using Bulc Club is that it uses crowdsourced rating to block malicious domains. So any email that is sent from a dodgy domain will be blocked automatically, but you can still allow them to go through if you want (e.g. false positive).

    Never sign up with your real contact info to random sites. There's no need to provide your birth date and real address. And never re-use the same password across multiple sites. Try to use a different username per site if you can as well, as it's easy for someone to look at your pwned accounts based on the same username and then brute-force the password based on previously leaked passwords. If you use password managers (e.g. Bitwarden), then none of these would be a problem.

    And you can always go to haveibeenpwned.com to see if your data got leaked somewhere due to a hack.

    And get a P.O box if you are really paranoid about your home address getting exposed.

    But the truth is, your data and your privacy isn't as important as you think. Everyone thinks they are important and cares about their data, but in reality it doesn't really matter. If you're really that security conscious, you would be off social media completely and be using custom OS on your phone and PC that are privacy centric, etc. But that would mean you'd have to know a good amount of IT knowledge, and unfortunately most users are too dumb (no offense) to even be considered IT capable.
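The per-site alias check described in the comment above can be automated. This is an added example, not part of the original post: it flags mail that arrives at a site-specific alias from a sender domain unrelated to that site. The alias domain is the one used in the comment; the tag-to-sender-domain mapping and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

ALIAS_DOMAIN = "example_username.bulc.club"  # alias domain from the comment

# Assumed mapping: alias tag (local part) -> domains that site sends mail from.
EXPECTED = {"trademe": {"trademe.co.nz"}, "temu": {"temu.com"}}

# Constructed sample messages (headers only matter here).
SAMPLES = [
    "From: Trade Me <noreply@email.trademe.co.nz>\n"
    "To: trademe@example_username.bulc.club\nSubject: Watchlist\n\nhi\n",
    "From: Deals <promo@cheap-cases.example>\n"
    "To: trademe@example_username.bulc.club\nSubject: Phone cases\n\nhi\n",
    "From: Temu <no-reply@temu.com>\n"
    "To: temu@example_username.bulc.club\nSubject: Order shipped\n\nhi\n",
]

def domain_matches(sender_domain, allowed):
    """True if sender_domain is an allowed domain or a subdomain of one."""
    s = sender_domain.lower().rstrip(".")
    return any(s == d or s.endswith("." + d) for d in allowed)

def check_message(raw):
    """Return (alias_tag, sender_domain, verdict) for one raw message."""
    msg = message_from_string(raw)
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    tag, _, rcpt_domain = to_addr.rpartition("@")
    sender_domain = from_addr.rpartition("@")[2]
    if rcpt_domain != ALIAS_DOMAIN:
        return (None, sender_domain, "not-an-alias")
    if tag not in EXPECTED:
        return (tag, sender_domain, "unknown-alias")
    # The From header is spoofable: a match does not prove the mail is
    # genuine, but a mismatch shows the alias is known outside the site.
    ok = domain_matches(sender_domain, EXPECTED[tag])
    return (tag, sender_domain, "expected" if ok else "alias-exposed")

def exposed_aliases(raw_messages):
    """Sorted alias tags that received mail from an unrelated sender."""
    results = map(check_message, raw_messages)
    return sorted({tag for tag, _, verdict in results if verdict == "alias-exposed"})

if __name__ == "__main__":
    print(exposed_aliases(SAMPLES))
```

A flagged alias tells you which signup the address came from, not how it left that site; a breach and a sale look the same from the inbox.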

    • Fake name would be an issue if the parcel ends up at the post office and you need matching ID to collect?

      • The chance of that happening is extremely low in my opinion and based on my experience.

        I'm a big spender and I buy stuff regularly. My spend on Aliexpress alone probably total to more than 25K worth of items and this is pretty outdated stats, as I've stopped using Aliexpress since 2022. I've spent way more than that amount if I account for other platforms that I buy from. Anyway, I receive heaps of parcels on a weekly basis and the last time I went to a post office was probably 3 years ago and that was just a one-time thing during that year. The things I buy aren't from the same place either, some are from sites that make it rather difficult to ship to NZ, so those would be more prone to getting stuck in customs etc, but I never had issues.

        You could just use your initials, or just use your first name and the initial of your last name and that way you don't have to give out your full name.

        Not to mention that if you prove you own the account and the order details match exactly what the parcel says, then it's pretty easy to show you are the owner of that parcel.

        And you can always create a company for free and have it shipped to the company's address and the recipient's name can just be the company name, or something like that. Of course, people can look up the company registrar and find your details, but that's one extra hoop to jump through and most people that really want to scavenge for user information wouldn't want to waste time doing that, as it's an extra layer of inconvenience.

        I mean, there are ways to make this work, you just got to be creative.

  • Thanks heaps @NovaAlpha for the advice. Didn't know about burner emails, that sounds really useful, and good idea re fake names.

    I have indeed been pwned before (zomato and myfitnesspal) but a long time ago, had changed passwords since, and don't think they had my physical address.

    I guess there's not much anyone can do with just my name, address and phone number, so I am uncomfortable but not overly concerned and nothing I can do about it now. Appreciate the advice

  • Scouring the media, brushing does seem to be pretty rare in New Zealand. Could only find 1 article when someone received something they didn't order. Probably made the news because the item was a couple of facemasks. I would say there's a more innocent explanation.

    I've never received anything like this, however I do many many orders. I have had a few items from ali I ordered be sent to the completely wrong person and address, but still within New Zealand. So there is that possibility. Just a mix-up at dispatch. Seller's database or a human inputting or whatever error. These days it seems whenever you start typing something an AI of some kind likes to think it knows what you want to do and starts prefilling stuff.

    As an online seller I have also sent stuff to the wrong person myself. It's actually surprisingly easy to do. For me anyway lol. My worst one was a $1000 item. Unfortunately the incorrect receiver of that one played innocent and reckoned they didn't get it….

    • I got one of these pre-covid, inside was just a bunch of plastic resin pellets. I think it used to be more common when China was massively subsidising the shipping (back in the Aliexpress glory days when all shipping was free and no GST either) which meant the cost to pull the scam was basically nothing.

  • I'd be checking to see what I didn't receive before jumping to "scam." Distribution centres label and relabel a shitload of packages. More likely to be a mistake.

  • It could be a mistake. But I'm not waiting on anything and haven't ordered anything from Aliexpress or Temu for months. The outside of package also says it's a black genuine leather case, but inside is a hot pink plastic case. Could be another mistake, but also pretty consistent with brushing.

  • I got a txt from so called nz post today. Saying I had to update my address. Got nothing ordered and there's nothing on my nz post app.
    Definitely a scam

    • I get those every week - been going on for many many years.

      The phone number is almost always overseas, and any domain name is usually very obviously dodgy.

    • If you're on Android, there are plenty of apps out there that can scan received calls or SMS and check against a database to see if it's legit or not. And it can do this offline, as it caches the data from the server onto your phone locally. Apps like WhosCall or Hiya or even Google's own Messages app have some form of SMS scam detection. And you can configure the settings to just filter them and you won't even need to bother checking your phone.

      • Agreed.

        I would note that they aren't great in that the sending numbers change every time, and the wording does too, so difficult for them to be on top of it all the time.

        If you use those apps, I strongly advise to regularly check what has been blocked, but that is no different than checking your spam trap regularly.
