00:00All of this started with a text message. A package was due to be delivered to my home
00:05that day and I was intrigued because I wasn't expecting anything to arrive.
00:11The text was an official Australia Post message with a link to track the journey of this so-called
00:17alleged package. But when I clicked the link it told me this package, the one due to be delivered
00:23to my home at any minute, was not traceable. When I returned home from work there was a small
00:29soft package sitting inside my mailbox. It had been sent by China Post, obviously from a dropshipping
00:36company somewhere, and according to the packing label on the package it weighed just 0.018 kilograms
00:45and was valued at less than one US dollar. Even while just looking at the package I was pretty
00:52sure it was nothing I had ordered and when I opened it I was certain of that fact. Inside were
00:58two
00:58literal rags. Nothing else. No indication on where it came from or why it was sent to me.
01:05So I did what any self-respecting millennial would do. I turned to the internet. I asked Google and
01:12I asked Reddit and I quickly figured out I was not even close to alone in this odd experience.
01:19According to my fellow internet users, I had been a victim of an apparent brushing scam.
01:25What is a brushing scam? Excellent question and I'm glad you asked.
01:30Actually, it's not so much a scam as it is fraud. It's essentially when online retailers send unsolicited
01:37items to real addresses to boost their online presence. Dodgy companies operating on platforms
01:44like eBay and Amazon will buy a low value item from their own stores and send it out to a
01:52real person.
01:53The sale will then be registered on the host website as a real purchase, helping the retailer
01:59create the illusion that they are selling a lot of products. This then makes the store look more
02:05credible and trustworthy to potential future customers because after all they've sold heaps of products.
02:11They must be legitimate. In most cases, and certainly in my case,
02:16the package was relatively harmless and entirely useless. Most of the advice on Reddit and otherwise
02:23recommended to simply ignore and discard the unwanted package. But the whole saga
02:29speaks to something far more sinister than the useless rags cluttering my mailbox.
02:34The packing label on the package included my full name, my address, and my phone number.
02:41So somewhere along the line, my details have been leaked to a nefarious company sending out
02:47the dodgy packages. To figure out where my details have been leaked, I first consulted the data breach
02:53tracker haveibeenpwned.com. I found multiple breaches spanning from 2014 to 2025, which gave me some clues on
03:03where my data might have been exposed and where I needed to boost my personal online security,
03:09which passwords needed to be changed, and which long forgotten dormant accounts needed to be completely removed.
03:18If you think your personal data may have been leaked, the Australian Government's Office of the
03:23Australian Information Commission and National Identity Cyber Support Service, known as ID Care, recommends you
03:31to change your passwords and PINs, monitor your account statements, and check your credit report for any
03:37unauthorised loans or applications. To avoid falling victim to online scams of any kind, the Australian
03:45Competition and Consumer Commission recommends you use secure payment methods such as PayPal and Apple Pay,
03:52rather than providing credit card details direct to the seller.
03:56And to spot a dodgy, dealing retailer who might be using brushing scams in order to boost their online
04:03sales figures, the ACCC recommends searching for independent reviews on the seller on sites like
04:09Trustpilot or scamadvisor.com. Never rely solely on the reviews presented on the seller's own website.
04:21Trustpilot or
Comments