Scams come in many forms, but receiving a freebie from a scammer doesn’t make sense. If something shows up at your door that you didn’t order, should you be worried? Brushing scams are becoming more common, and while they may seem harmless at first, they can be a gateway to fraud, identity theft and financial loss.
Today we’re diving into how these scams work, why they exist and the real dangers behind them. Our guest is Dr. Venkat Margapuri, an assistant professor of computer science at Villanova University. His research focuses on AI applications in agriculture and healthcare, but he’s also spent time studying online fraud and digital security. He’s here to help us understand what’s really going on when scammers send you something for free and, most importantly, what you should do about it.
“Scammers recover their money by luring people into giving up their financial information. If someone scans a QR code and enters their credit card details, the scammers take those credentials and drain the account—that’s the real…
Show Notes:
- [00:44] Venkat is an assistant professor in the department of computer science at Villanova University. A lot of his research is focused on artificial intelligence, image processing, and security.
- [01:53] Brushing scams are where you receive products that you haven't ordered. It's a fraudulent e-commerce scheme. They try to get reviews or add additional sales for their product.
- [04:48] Venkat explains why it's not a good idea to scan those QR codes in products. You don't want to put your credentials into the website.
- [05:41] This is where brushing leads to phishing scams by getting people to enter information into a fake website.
- [06:20] The major risk of receiving these packages is identity theft.
- [09:30] Scam charges on Amazon can be used to verify stolen credit card credentials and overconfidence often leads to being scammed.
- [10:52] We discuss where these scammers find people's addresses.
- [13:05] A lot of scammers are really smart people who got into the wrong business. Key qualities include narcissism and psychopathy.
- [17:05] When you receive these packages just dispose of them. Don't scan the QR codes.
- [21:25] A scam where they send emails with the link to free Apple Gift Cards. Be careful about what you post on social media.
- [22:43] Assume unsolicited contact is a scam.
- [23:50] Don't share personal information. Look out for things that are out of the norm.
- [27:04] Venkat talks about advance fee scams.
- [28:14] Being careful about geographic perceptions.
- [31:18] Be cautious if you are being rushed.
- [32:18] Whenever you suspect something isn't right, err on the side of caution and don't do it.
Links and Resources:
- Venkat Margapuri on LinkedIn
- Venkat Margapuri – Villanova University
Transcript:
Venkata, thank you so much for coming on the Easy Prey Podcast today.
Thank you so much for having me.
Can you give me and the audience a little bit of background about who you are and what you do?
Sure. I'm Venkata Margapuri. I'm currently an Assistant Professor in the Department of Computer Science at Villanova University. A lot of my research is focused in the areas of artificial intelligence and image processing, and a little bit of the security aspect as well. I'm currently focused in the domains of agricultural and healthcare research.
I enjoy teaching and that's one of the reasons why I picked this profession. It's not a chance that I got into this profession, but I definitely made the choice to be here. I love our research. I love contributing to the community. That's a little bit about myself.
Based on your background, the topic that we're going to talk about doesn't necessarily seem to be a clear connection. It's not your area of research. How did you come across brushing? I guess the important thing is let's clarify what it is and how you came across it.
I mean, brushing is something that is out there, regardless of whether it's your area of research or not, because scams in general are so out there. That's essentially how I got to know about scams in general, and brushing scams these days have been discussed a lot over the holiday period because you see a lot of people receiving products that they've never ordered. And because people tend to order a lot of products over the holiday season, sometimes they don't even notice that they received a product or two that they did not order. This is something that was popular in the news, especially over the holiday season, and that's essentially how I'm privy to brushing scams in general.
What is a brushing scam and how does it typically work?
A brushing scam is basically a fraudulent e-commerce scheme where a seller sends out unordered products to random people. Some of the reasons behind sellers doing this is so they're able to go ahead and write glorified reviews for their products.
Another reason why people do this is they also want to encourage people to buy their product more. For example, let's say they ship a product out, even without the person or the customer ordering the product. Sometimes it tends to happen where the customer or the person receiving the product likes the product and then they go back and order the product more. They've essentially created a sale for the product by giving you out a free offering of it. These are some of the main reasons why brushing scams are typically around.
To me, we're talking about manipulation of sales statistics, manipulations of reviews, making products look more popular or better quality because the older I get, the more I distrust reviews, primarily because every time I buy something, a little piece of paper in the package that says, “Give us a five-star review and we'll send you $20” or something like that. I'm like, “Oh, great. That's why it was reviewed so well.”
Right. I was just going to expand a little bit about the $20 thing that you mentioned. A lot of the time, if you observe closely, these $20 things are offered to people and they're made to scan some kind of QR codes within the package. Now, these QR codes typically redirect or direct the users on their phone or their laptops to some kind of a website.
Now, a lot of times what happens is people are asked to put their credentials in there. They're asked for their name, their Social Security number, sometimes their credit card information, and whatnot.
Sure, they might receive the $20 coupon in return, but just think about what this person has lost. They've essentially lost their identity, their credentials, their personal information to $20. This is why brushing scams have recently been coupled with phishing scams.
Phishing is where you lure a person to access a fake website where they think they're basically putting in credentials on a legit website, but behind the scenes, what happens is these scammers are essentially getting ahold of their credentials, their information, and they essentially have been victims of identity theft at that point.
Aside from the potential QR code or other activities that you might have, I guess the bigger question is what is the risk to the end consumer who's receiving this package that they didn't order?
Oh, the major risk is identity theft because, I mean, the fact that you were sent the package itself shows that your information has been compromised. Now, couple that with a phishing scam, where you go in and put your credit card information and whatnot, and the scammer gets ahold of it. You've essentially lost, not just where you live, but also your financial credentials to the scammer.
Now, the scammers can then use your financial credentials to make certain purchases. That's more of a spiral effect because these scammers, if they're saying, giving out free stuff to people, it's not really free stuff. They want to make sure they recover their money.
The way they recover their money is by luring people to give their financial information and once somebody scans one of these QR codes and puts in their credit card information, they just take those credentials and they just take the money out of the financial account. That's the bigger risk involved with the brushing scam.
Got you. One of the things that I had read at one point was that it was particularly when they're using Amazon to send these shipments. If they had gotten stolen credit card data, a way for them to validate whether it was an active and current credit card.
If you, me, the listeners, if we're anything alike, we look at our credit card statement, we've probably got a dozen charges for Amazon in the last month, let alone the last six months, if there was an extra $9.99 charge from Amazon on our credit cards, probably 90% of us, we wouldn't give it a second thought. If someone has fraudulently used our credit card on a fake Amazon account, that seems to be a very innocuous, low-risk way to verify whether the card is legitimate or not, particularly because my guess is almost every American has bought from Amazon at some point.
Exactly. Amazon is so prevalent these days that everybody at some point in time makes some kind of a purchase off of Amazon and people don't always go back and look at their financial statements at the end of the month. Even if they did charge $5, $10, or $15, it's so unnoticeable. But for scammers, this is quite an advantage for scammers because they're not getting ahold of just your credit card information; they get ahold of multiple or thousands of people's information.
Just think about this: They’re ripping off $10 off of a thousand different people. For them, it's a lot of money. But for individuals, it might not seem like a lot. In fact, I have to make an interesting observation. One of the main reasons for research shows that people get scammed is overconfidence. A lot of people, especially people who are smart, think scammers cannot scam them because they're so educated. They have a lot of information and all of that, but they're the ones who sometimes fall victim to these scams by sheer overconfidence.
Yeah. It's the Dunning-Kruger effect. What we know absolutely nothing about a topic, where we know we know nothing about a topic. Then at some point, we start to learn a little bit more about the topic. Then we overestimate our knowledge of that topic until we learn more, then we realize, “I really didn't know that much about that, but there's this little mountain of I think I know a whole lot when I really don't know a whole lot,” and I think that's the overconfidence window there.
Absolutely. I definitely agree with that.
I'm kind of curious, do you know where the scammers are getting the physical mailing addresses that they're sending packages to? Are they just randomly choosing them?
If you think about it, there are so many websites on which people's personal information is available. Two people search, for instance. I mean, you could just go on that website and type in a random person's name. You can just type in any name and it'll give you information about every person whose name matches your search. Scammers could just get information from those. That one website probably has information about half of America.
Yeah, it was my experience with brushing as I've received a couple of books that were sent to my PO box. The first time I got it, I thought it was a listener just thought I might be interested in this particular book that was 10 or 15 years old. But it was the book called—I think it was How to Be Invisible, or How to Become Invisible.
I thought someone was just doing it like, “Hey, maybe have this author on,” but there was no note attached to it. There was no explanation. It was just a random used book that showed up at the PO box.
Then about a month later, I got another one. The thing that kind of made me maybe a little bit, “Go ahead and send me stuff. I don't care.” But what was weird to me was that it seemed to be very topically relevant to something that I do in my real life. Whereas if it was maybe a cookbook on waffles, it'd be like, “OK, why did this show up?” But because it was a book on a topic that I talk about, there's a little bit of unease surrounding it wondering if it was a coincidence or was it intentional.
You make a really interesting point, because when people think about scammers, they think scammers are illiterate. They have nothing to do. They have nothing better to do and so on and so forth, but that's not true.
Scammers are sometimes really, really smart people who just got into the wrong business. If you perhaps look into research, some of the key qualities that factor into somebody becoming a scammer are narcissism and psychopathy.
Being narcissistic and being psychopathic have nothing to do with how smart a person is. Really smart people who possess these qualities who sometimes tend to enjoy the suffering of other people who have a lack of empathy and sometimes tend to get into this business of scamming. One thing about a scam is it's really hard to take care of it after the fact.
In other words, say you got scammed today. Again, scam is totally different from what people would call fraud. A lot of people don't really understand the difference between scam and fraud. With a scam, you're essentially willfully giving your credentials out or sending some money out, which is why scammers tend to ask people to send money via wire transfer or, say, gift cards or whatever. Once you have willfully given out the money, it's not fraud because you as an individual willfully gave out that amount to the scam.
It's really hard to prove that there was any kind of fraud that went on there and sometimes when scammers are not even within the bounds of the United States, it's really hard to get ahold of them. I mean, even if you did get ahold of them, it's really hard to like, set up a lawsuit and make any kind of claims against the scammers.
Yeah, it's unfortunate that as scams apparently have become more and more prevalent, there's still this almost like victim-blaming. It's your fault. You voluntarily did it. That's definitely where that's not the position that the show takes. It is unfortunate that it's often not looked at in the same way that definitionally fraud is.
In what you've read, have you seen any kind of law enforcement actions, legislation, or regulation to try to limit this sort of behavior in terms of the brushing and whatnot? Or is it just kind of, “Well, if people want to send them free products and manipulate reviews, they can do that. That's up to Amazon to figure out”?
Maybe there is some source of some sense of legislation around it, but I'm not aware of it. I've never really come across any kind of legislation. But anytime I read about scams, it's like prevention is better than cure. They always tell you to prevent a scam from happening just because of the complexity of the legality involved within the scam, because like I said, with a scam, you're willfully providing your information to some random person behind the scenes.
It's really hard to say that there was some kind of fraud when you yourself scanned a QR code and when you yourself took a picture of a gift card or something and sent it over to the scammer.
Yeah. If people are receiving packages of products they didn't order, what should they do? Should they be returning them? Clearly, if it's a QR code in there, don't scan the QR code. But what should people be doing with these packages that they're getting?
My position is to dispose of them ASAP. Because a lot of the time, these packages don't even come with the return label. They don't even give you a return address to return to. Definitely, if there's a QR code in there, don't scan it.
Again, a lot of these products that get shipped to you are not all that valuable. It's not like they're going to ship out a 75-inch flat screen TV, in which case I would recommend that you keep it and use it for as long as you can. But they ship you these invaluable products that may be of no use to you.
And again, once you receive these products, you don't really have to return them. At least as far as I know, I don't think you're legally bound to like text or anything. Although you haven't paid for that product, because the product was shipped to you, you can essentially keep that product, but I would recommend that you dispose of the product just to stay clear of whatever the scammer wants to put you through.
Yeah, and if it's electronics, definitely don't connect it to your computer.
Oh, yeah, for sure.
“Hey, wow, someone sent me a two-terabyte hard drive. Sweet.” Don't plug it in. Don't do it.
Do not. Do not plug in any kind of electronics into your computer because you don't know what it contains. Most likely it will contain a virus that will spread through your entire electronic ecosystem at home, or perhaps, I don't know how far it goes.
That was a common international espionage technique, to drop USB drives on the ground outside of three-letter agency headquarters in the hopes that some employee would grab it, and curiosity would overcome their sense of cybersecurity, and they would plug it in and be like, “Oh, it's empty. Oh, OK.” Not knowing that it's just under their machine.
I totally agree.
Aside from definitely not scanning the QR codes, throw away the packages, I did have—on the third time I got that book—there was actually enough information in it for me to contact the shipper of the book, and there was a clear lease coming through an Amazon or through a third-party bookseller was like, “I just happened to have this book, so I was trying to sell it.”
I ended up getting ahold of the person who had fulfilled the order and they had a phone number while they probably shouldn't have given it to me. We both looked it up online and that phone number, if you had Googled it, every post about that, every mention about that phone number was, “I got this weird package, and I don't know why I got it.” It was interesting that someone was using the same phone number, the same account or whatever to send packages to hundreds, if not thousands of people.
I didn't post about it. I'm talking about it on the podcast here, but how many people have a bad experience about a restaurant and never post it? Have a good experience about a restaurant and never post it? But for there to be dozens and dozens of posts about this phone number must have meant that it had been used hundreds or thousands of times and shipping out a random product to people.
I agree. For a scammer, that's not very smart, but it's good that people post this kind of information online because this helps, at least for the ones that look to stay away from being scammed in this fashion.
In fact, one of my recent experiences has been with a scammer sending me an email to purchase Apple gift cards, scratch the number off the gift card, and take a picture of it and send it back to them via email. These things happen and when they actually send out these kinds of emails, or perhaps reach out to you, they reach out to you masquerading themselves as somebody that they could be a family member. They could be colleagues. They could be, I don't know, somebody that is a friend or someone or somebody like that.
They essentially masquerade themselves as people you know, which should tell you that scammers are also privy to your relationships. Be very careful about social media, I'd say, so about what you post on social media. There's a lot of information out there, especially with the era of social media. The amount of information that we post online is just too much these days, and scammers are definitely engineering social media websites to collect information about people that they want to target.
Anytime that you get any sort of unsolicited contact that seems even the slightest bit out of character for that person, you should assume it's a scam. If your daughter never contacts you on Facebook messenger, and suddenly she does, and it's something important or seemingly urgent—she’s never contacted you on Facebook before—that should be a concern. If they never email you or never text you or whatever the platform is. You knew they were an Android person and they asked you about Apple gift cards.
You're right. In the recent experience that I had, they masqueraded themselves as one of my colleagues who was also very senior to me. I would, in the general sense, be inclined to perhaps respond to this senior colleague of mine out of respect for them. But then when the scammer asks you for your email address to perhaps further the communication, that should ring a bell as to why a colleague might want your personal information, especially when this colleague is so bad.
They're not the kind of person who would want to talk to you on a different platform because that relationship is strictly professional. There's no reason for this colleague to reach out to me on a different platform.
I was just reading a post about a particular scam and the person who had posted said if anyone ever asked you to switch over to WhatsApp, for whatever platform you're on, and they asked you to switch over to WhatsApp, you should never connect with somebody on WhatsApp. One of the responses was that you must live in the United States because everybody outside of the US, WhatsApp is the norm, not the weird thing.
You're right.
I have to be careful not to be so US centric that I say WhatsApp is inherently bad, but it's whatever is out of the norm for you and the people that you normally communicate with.
I completely agree with you because I'm a native of India and when I was in India, a lot of the communication was over WhatsApp because text messaging was not free like it is in the US. That's one of the reasons why social media apps, especially WhatsApp, took a long time to take off in the US but took off, like, real fast and a lot of other countries because data plans were cheaper at the time compared to text messaging plans and people would put a data plan on so that way they'd have access to the Internet and also WhatsApp over which they would be able to communicate.
It's so interesting that we have to be careful of what looks like a scam to someone in one region of the world that doesn't look like a scam. The concept of this one little thing is a red flag is not always true. In the geographically diverse world that we live in, what looks like a scam to you and I, doesn't look like a scam to someone else because it's not.
I'm sure there's probably a lot of scams going on out there that you and I might not recognize just because we don't live in that part of the world and are privy to those experiences.
We're not being targeted. We're not in Southeast Asia trying to be convinced to do things that are the social norm in Southeast Asia, but they aren't the social norm where we are, in the US or India.
A great example of that would be an advanced fee scam wherein a scammer would reach out to you, offer you a job, a loan, or perhaps a large sum of money, say you've won a lottery or something like that. But then they'd say, “OK, in order to get this job, I want a certain sum of money from you upfront.”
A lot of people out of desperation, especially when they offer you a job and say you've been out of a job for six months or 12 months or whatever, sometimes people out of desperation commit themselves into being victims of scams. Once they receive the money, they disappear and your money's gone.
I assume that in some places around the world, recruiters are probably paid for by the client and not the company.
It is true.
In the US, it just happens to be that the recruiter gets paid for by the company, not by the individual.
But that is not something that everybody knows.
Correct. But if I'm a C-level person, I might hire someone to help me find a job.
We have to be careful about our geographic perceptions.
Right. That's one of the reasons why I say even smart people sometimes get looted in these scams. Sometimes, when life happens to you and you get into a state of desperation, even the smartest of people just become victims of these scams.
Very often, when I've talked to my guests and they have been caught up in a cybersecurity incident or a scam, it was the right thing at the right time that they had just bought something and they got a fake order confirmation. That seems perfect.
I was talking to a guest that he had ordered something that he knew would have to clear customs and at some point, it'd be very likely he'd be contacted on having to do some customs paperwork.
At any other time, he would have gotten an email saying, “Your product is stuck in customs,” he'd be like, “Oh, no, it's a scam.” But because he was expecting something to come through customs, he was like, “Hey, that's my product,” and went to the website and started to enter stuff and went, “Wait, wait, wait,” right before he entered his password. He almost gave it up because it was something that he was expecting. That's almost the worst.
You're right. There's a FOMO—fear of missing out—mentality where people sometimes just desperately want a certain product to come in and they're willing to be like let a product go through customs or whatever for that reason without really knowing that they're being scammed.
Anytime you're ordering a product, or perhaps anytime you receive an email or something like that seems odd, always stop for a second and reflect upon what's going on. I think reflection is something that really helped prevent a lot of scams.
I've heard of an experience from a friend where they said they received an email or something—I can't recall if it was an email or a phone call—and apparently, the person over the phone said your grandmother is sick in the hospital so we want you to transfer X amount of dollars, and he did it. He did it. That was because his grandmother was in trouble and he did not think twice about sending money out.
But if he had, let's say, called his grandmother or somebody else in his family and then confirmed it, he would have saved himself a lot of money. Just pause for a moment and reflect.
One of the other behaviors I've noticed with scammers is they always try to rush you into things because they know that time is of the essence. Because they know that at some point in time, the person that they're trying to target will realize that they're being scammed so they want to make sure they look at that person as quickly as possible and get out of there.
They want their money as fast as they can get it.
Exactly. It's more of a hit-and-run kind of thing. They're always trying to rush these targets of theirs, if you will, into performing or perhaps being lured into getting scammed.
Absolutely. As we come in for a landing here, any other parting advice of things that people can do to kind of raise their scam detection skills?
Yeah, so anytime you receive anything that you suspect, definitely err on the side of caution and don't do it. If something's too good to be true, it is most likely too good to be true. Just exercise caution and yeah, stay safe.
Awesome. Venkata, if people want to find you and connect with you online, how can they find you?
People should be able to reach out to me on LinkedIn. I'm sorry I don't recall my LinkedIn handle.
We'll link it in the show notes for people who want to connect with you. Venkata, thank you so much for coming on the podcast today. I really appreciate your time.
Alright. Thank you so much, Chris.