E-COMMERCE AND ADVERTISING CYBERCRIME

Understanding the landscape of digital fraud and protecting yourself in an interconnected world

Expose the Scams

Over the past three decades, the advertising and commercial landscape has undergone a transformation, shifting from traditional marketing methods to digital and Internet-based platforms. The ability to target particular user groups and deliver important information or items in a tailored and beneficial manner to a wider audience has been made possible by this digital trend. This shift, while boosting economic potential, has also made the digital world dangerous and a prime target for cybercriminals. Online scams, fraud, and crimes have become prevalent, affecting individuals and businesses globally (Kolupuri et al., 2025).

Because of their popularity and profitability, online advertising and e-commerce have also become a target for unethical parties such as fraudsters or scammers, who want to transmit malware, steal users' private information, and receive a portion of online advertising earnings (Kolupuri et al., 2025). On this site, we will discuss some of the main types of e-commerce and advertising cybercrime, which are already affecting a plethora of individuals worldwide and causing great financial losses.

Scams

Scams often take the form of unsolicited bulk messages carrying malicious short URLs, trending hashtags, images with concealed links, videos, ransomware, stock market fraud, deceptive advertising, fake reviews, and false information, which spammers use to generate income. Scam attacks are commonly perpetrated through digital platforms with a large audience. Fraudsters can create various forms of fraud and significantly drain an advertiser's budget. Further, they rely on fake accounts, crowdsourcing approaches, and automated bots, rather than legitimate accounts, to disseminate these fraudulent activities (Alkhalil et al., 2021).


Scams can cause significant financial losses for both individuals and companies, having a detrimental effect on society. Online victims may experience identity theft, which can cause long-term financial and emotional harm. Spam's pervasiveness has the potential to undermine user confidence in digital communications by making individuals suspicious of genuine communications, which in turn impacts both personal and professional interactions. Additionally, by affecting vulnerable communities, these schemes might exacerbate socioeconomic disparities. Internet users' security and privacy have been compromised, and advertising funds have been misused. According to data from the Federal Trade Commission (FTC), in 2023, customers reported losing over $10 billion due to fraud. The financial toll that cybercrime takes is expected to rise dramatically on a global scale; by 2027, it is expected to have cost $23.84 trillion, up from $8.44 trillion in 2022 (Sadeghpour & Vlajic, 2021b). Despite scam detection improvements, scams are a global economic issue.

$10B+: lost to fraud in 2023
$23.84T: projected cost by 2027
Global: economic issue

Susceptibility

During the COVID-19 pandemic, susceptibility to being scammed was further aggravated by growing online activity and dependence on e-commerce platforms, which offered a fertile field for con artists to take advantage of customers who were unaware of their vulnerability and sometimes had no option for consumption other than online commerce (e.g., due to contamination risk or store closures). Moreover, individuals are more prone to engage in riskier decision-making during times of uncertainty, which makes them more vulnerable to scams that promise immediate rewards or returns (Daud, Muniandy, & Nadi, 2024; Norris, Brookes, & Dowell, 2019; Fei & McKinnon, 2021).

Brushing scams

What could be better than opening the mailbox or the front door and finding an unexpected package? Everybody loves surprises and gifts. However, when these seemingly harmless free items come from a company or retailer, they may come with a higher cost than anybody realizes. Oftentimes, this kind of unsolicited merchandise is part of a larger brushing scam, which is an illegal activity in the United States and many other countries (USPIS, 2025a).

Cybercrimes present a significant threat to individuals and companies, especially as complex schemes based on technological advancements emerge. One such scheme is the brushing scam, in which international or third-party sellers on e-commerce platforms, who have found the recipient's address online, send unsolicited packages to individuals using their stolen or publicly available personal information. The packages usually contain inexpensive, lightweight items (e.g., earbuds, phone cases, socks, or even seeds), although they sometimes involve expensive items such as a diamond ring, barber chair, cars, or bicycles. While the package may be addressed to the recipient, there is no return address, or the return address could be that of a retailer. The intention is not necessarily to get money from the recipient, but to create fake "verified buyer" accounts and post glowing reviews in the recipient's name to fraudulently boost product ratings and sales in the long run. Since the merchandise is usually cheap and low-cost to ship, the scammers perceive this as a profitable pay-off (F&M Bank, 2024; USPIS, 2025a).

Video: Understanding Brushing Scams

The steps

For instance, merchants reach out to (professional) brushers, who place orders and pay with the money received from the merchants; the merchants ship out empty parcels or boxes of worthless items; a package arrives at someone's doorstep, who did not order it (at first sight, it seems harmless, and even exciting, but it could mean that this individual is the target of a "brushing scam"); the brushers write good reviews about their fake orders; the merchants' products rank higher in search results, generating more future traffic. According to an estimate by Alibaba's Vice President Yu Weimin, 1.2 million merchants on Taobao, or about 17% of all vendors had faked 500 million transactions worth 10 billion Chinese Yuan in the year of 2013 alone. He further said those were "only the tip of the iceberg," and this conservative estimate put the number of brushers in the tens of thousands (Wong et al., 2015).

1. Information Gathering: Scammers obtain personal information from data breaches or the dark web
2. Fake Orders: Create fake buyer accounts and place orders for low-cost products
3. Shipping: Item shipped to victim's address, marked as "delivered"
4. Inflated Reviews: Post positive 5-star reviews to boost product visibility and sales

Summarizing what drives brushing

According to the Wall Street Journal, "faking orders, or 'brushing,'… let vendors pad their sales figures and, in theory, boost their standing on online marketplaces, which often give more prominence to high-volume sellers with good track records" (Wong et al., 2015). The Financial Times (2016) added to this statement that "shipping more goods would give [online sellers] better placement – and therefore, a better chance to garner more real sales – on websites such as Alibaba-owned Taobao." In the eyes of online merchants and industry observers, brushing becomes a necessary evil. "Without fake transactions, customers will never be able to find your product," stated a Taobao merchant, who claimed that "faking several dozen transactions a day for a week could get his products within the first five pages of search results" (Wong et al., 2015). "The difference between being at the top of a page of results and buried at the bottom is night and day; brushing is a very tempting shortcut," said an industry observer (Financial Times, 2016). Alibaba also acknowledged the existence of brushing and stated the following: "sellers may engage in fictitious or phantom transactions with themselves or collaborators in order to artificially inflate their search results rankings" (Fountain et al., 2018).

Due to the increase in online purchasing, consumers face search frictions and often only consider prominent products that rank high in search results. At the same time, platforms' ranking algorithms tend to give more visibility to products with higher sales volume and better reviews (which themselves tend to be correlated – see Chevalier & Mayzlin, 2006; Chintagunta et al., 2010). Thus, there is a feedback loop between rankings and sales, with higher rankings driving more sales (due to search frictions), which in turn lead to a higher ranking (due to the ranking algorithm). With this system, merchants are naturally under pressure to rack up fictitious sales to boost rankings in search results, which leads to brushing. However, this is not the only reason why merchants brush. Placing fake orders allows merchants to generate glowing fake reviews that give credibility to the merchandise (because they are backed by real-world transactions), which deceives consumers into believing the products are better than they actually are (Jin, Yang, & Hosanagar, 2023).

Examples of this scheme include:

Information gathering: Scammers obtain individuals' personal information (name, address, phone number) from data breaches, public records, or the dark web. Individuals' personal data have likely been leaked or stolen.

Fake orders: They use this information to create a fake buyer account on an online marketplace (e.g., Amazon, eBay, Alibaba's Taobao, Temu, Tmall) and place an order for their own low-cost product.

Shipping: The item is shipped to someone's address; again, these are often inexpensive items (e.g., gadgets, beauty products, clothes, or household goods). Once the package is marked as "delivered," the e-commerce platform considers it a legitimate, "verified" purchase.

Inflated reviews: Using someone's name and address, scammers create fake accounts to post positive or 5-star reviews, increasing the product's visibility and boosting product ratings without real sales to actual customers (F&M Bank, 2024).

Brushing effects on consumers

Brushing – online merchants placing fake orders of their own products – has been a widespread phenomenon on major e-commerce platforms. One key reason why merchants brush is to boost their rankings in search results. Products with higher sales volume are more likely to rank higher. Additionally, rankings matter because consumers face search frictions and narrow their attention to only the few products that show up at the top. Specifically, fake orders can affect consumer choice (Jin, Yang, & Hosanagar, 2023).

Why is the brushing scam a big deal?

While it may appear to be a victimless crime – after all, someone gets some free stuff – the reality is that the recipient's personal information may be compromised.

In terms of fraudulent reviews, scammers use someone's "verified purchase" as a loophole to make their products appear more trustworthy. This unfair practice misleads consumers who rely on reviews to make informed decisions.

As for compromised data, receiving an unexpected package is a sign that recipients' information is exposed. Scammers might have obtained their data through breaches, phishing scams, or data leaks.

While brushing scams often stop at packages, they can escalate. For instance, scammers may use someone's data for identity theft, creating unauthorized accounts, or committing financial fraud (F&M Bank, 2024). In other instances, bad actors use a person's address and account information to receive merchandise, then steal it from the home before the resident is able to intercept it (USPIS, 2025a).

Quishing

Recently, a new variation on the brushing scam has emerged, adding a component called quishing, short for QR code phishing. This technique uses a QR code that sends individuals to a fake website once they scan it. These websites look legitimate and appear to be official sites of banks, government organizations, or other institutions, but they are actually fake sites used by criminals to obtain individuals' personally identifiable information (PII). Cards with QR codes are being sent inside packages as a part of brushing scams, under the guise that the recipient needs to scan the code to find out who sent the gift or to get more information about the company that sent it. Other common scams include a fake parking ticket placed on someone's car windshield that contains a QR code to pay the fine, or a QR code placed on the back of a parking meter, leading an individual to assume that it is a method of payment. Even ads for fake restaurant menus have been used to collect individuals' information when scanned (University of Colorado, n.d.; USPIS, 2025a).

"The QR codes are very real. It's the destination that may cause the problem, which is why I think QR codes are dangerous right now. Generally, these codes work, but a cybercriminal's intent is to have an unsuspecting person scan the code and be taken to a fraudulent website"

— Charles Wertz, Information Security Officer, University of Colorado – Colorado Springs
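Since the risk in quishing lies in the destination rather than the code itself, the check that matters is on the decoded link. The following is an added example, not part of the original page: it inspects a decoded QR payload before anyone opens it, and the sample payloads, reason codes, and the choice of usps.com as the expected domain are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def qr_destination_findings(payload, expected_domains):
    """Return reason codes for distrusting a decoded QR payload.

    An empty list means none of the checks fired; it does not prove the
    destination is safe.
    """
    parts = urlsplit(payload.strip())
    if parts.scheme not in ("http", "https"):
        return ["not-a-web-link"]
    host = (parts.hostname or "").rstrip(".")
    findings = []
    if parts.scheme == "http":
        findings.append("plain-http")       # no TLS on a page that asks for data
    if parts.username is not None:
        findings.append("userinfo")         # text before "@" is not the host
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal")       # official sites use names, not raw IPs
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode")         # possible look-alike characters
    trusted = any(host == d or host.endswith("." + d) for d in expected_domains)
    if not trusted:
        findings.append("unexpected-host")
        if any(d in host for d in expected_domains):
            findings.append("lookalike")    # trusted name used as a decoy label
    return findings


# Constructed sample payloads, as they might be decoded from a card in a package.
SAMPLES = [
    "https://www.usps.com/track",
    "http://usps.com.parcel-redelivery.example/pay",
    "https://usps.com@203.0.113.9/login",
    "https://xn--sps-hoa.example/gift",
    "WIFI:S:guest;;",
]


def review_samples(expected_domains=("usps.com",)):
    """Map each constructed sample to its findings."""
    return {p: qr_destination_findings(p, expected_domains) for p in SAMPLES}


if __name__ == "__main__":
    for payload, findings in review_samples().items():
        print(payload, "->", findings or "no flags")
```
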

Phishing

Phishing is another cybercrime or scam. This is an effort by attackers to obtain sensitive information, such as login credentials or credit card numbers, by claiming to be a trustworthy institution. They often use false emails or websites that deceive individuals into supplying personal data. Phishing attacks come in various forms, each exploiting different communication channels and tactics to deceive victims into providing sensitive information. Phishing attacks have grown as a popular and sophisticated type of cybercrime, exposing major risks to consumers and businesses worldwide (Alkhalil et al., 2021).

Anatomy of Phishing attacks

Phishing is characterized by a structured four-phase life cycle: 1. Planning – where attackers conduct surveillance to gather target-specific data, leveraging techniques such as social engineering. They can establish fraudulent infrastructure, including spoofed domains and email servers. 2. Attack – during the attack phase, attackers craft deceptive emails using HTML and CSS to enhance authenticity, employing methods like email-spoofing and URL obfuscation to mask malicious links. 3. Interaction – this phase involves exploiting user behavior through social engineering tactics, often utilizing vulnerabilities in web browsers or employing drive-by downloads to install malware. 4. Valuables acquisition – in the data acquisition phase, attackers harvest sensitive information via phishing forms that mimic legitimate sites, often employing data analysis techniques to assess the value of stolen information (Kolupuri et al., 2025).

1. Planning: Surveillance & infrastructure setup
2. Attack: Deceptive emails & URL obfuscation
3. Interaction: Social engineering & malware
4. Acquisition: Data harvesting & analysis

For instance, if an individual receives an email about a package delivery or unpaid online postage charges, it might be a scheme. Many postal customers are receiving bogus emails featuring the subject line, "Delivery Failure Notification." These emails appear to be from the U.S. Postal Service and include language regarding an unsuccessful attempt to deliver a package. The email will prompt recipients to confirm their personal delivery information by clicking a button or downloading an attachment, that, when opened, can activate a virus and steal information, such as individuals' usernames, passwords, and financial account information. The Postal Inspection Service is working hard to stop these emails and protect individuals' information (USPIS, 2025b).

Taxonomy of phishing attacks

These are the common types of phishing attacks:

Email phishing: This is the most common type of phishing, in which attackers send phony emails claiming to be official correspondence from reliable sources. The intention is to deceive the receivers into opening attachments or clicking on malicious URLs that would either steal their personal data or infect their devices with malware. To increase the email's believability, tricks like image-based phishing, URL concealing, and email-spoofing are frequently employed (Raza et al., 2021).

Spear phishing involves sending personalized emails or messages to specific individuals or organizations. Attackers often conduct research to gather information about the target, making the communication appear more legitimate. This type of phishing is particularly dangerous because it is harder to detect due to the personalized nature of the attack (Halevi, Memon, & Nov, 2015).

Vishing (voice phishing): In this type of phishing, attackers use phone calls, robocalls, or voice(mail) messages from an unfamiliar number to mislead individuals into disclosing confidential data or revealing sensitive personal or financial information (e.g., login credentials such as passwords, personal identifying information, credit card numbers, bank details, or Social Security numbers). Usually, this type of approach claims the need to verify sensitive personal information. The attackers often imitate genuine organizations (e.g., companies, banks, tech support, or government authorities) or impersonate legitimate entities to create a sense of urgency, pressuring victims to share confidential details (e.g., "your account is compromised," or offering prizes). They may also pretend to be Postal Inspectors, or other people in USPS and USPIS positions of authority. They may attempt to coerce the person with threats of arrest or some other punishment, claiming that the individual is the suspect of a criminal investigation or currently has an outstanding warrant for their arrest. Further, they use a blocked or spoofed/fake caller ID, where the number looks familiar (e.g., your bank's number or your local area code), but the call is a scam. Additionally, there might be a request for unusual payment methods (e.g., gift cards or wire transfers) (Jones et al., 2020).

Smishing (SMS phishing) is another form of phishing that uses deceptive text messages to trick a person into revealing personal information (e.g., passwords, bank details) or downloading malware, often by impersonating trusted entities such as banks, delivery services (e.g., FedEx, UPS), or government agencies, and creating urgency to get the person to click malicious links or call fake numbers. In many cases, the smisher also poses as someone the individual knows. Some individuals are more likely to provide personal information over a text message than via email or another form of communication. Smishers abuse this trust and are often able to get away with stealing highly valuable data. To avoid smishing, it is important to understand how it works. Common types include fake package alerts, urgent account warnings, prize notifications, and false job offers, all designed to steal your data for fraud or unauthorized access (Fortinet, 2025).

Pharming is similar to phishing in the sense that it is a threat that tricks users into divulging private information, but instead of relying on email as the attack vector, it uses malicious code executed on the victim's device to redirect to an attacker-controlled website. That is, while phishing uses email messages to get people to divulge private information or download malware, with the attacker making it seem imperative that the target enter personal data to solve a pressing problem or obtain money, pharming uses fake websites. In pharming attacks, malicious individuals or groups utilize various techniques to deceive users and lead them to counterfeit websites that closely resemble legitimate ones, such as online banking portals, retail shopping platforms, or social media networks. These fake websites get the target to enter their credentials (e.g., usernames, passwords, credit card details, or other sensitive data), which attackers then "farm" and collect to use for illicit activities (Fortinet, 2025). Because pharming runs code on the victim's computer, the attacker does not rely on the targeted user clicking a link or replying to an email. Instead, the malicious code directs the targeted user to the attacker's website, eliminating the extra step of a user clicking a link. Pharming is also known as "pharmaceutical phishing" or "phishing without a lure." The term is a combination of the words "phishing" and "farming," indicating the large-scale nature of the attack (Proofpoint, 2022).

Comparison of Attack Methods

Attack Type | Medium         | Key Characteristics
Phishing    | Email          | Fake emails with malicious links
Vishing     | Phone/Voice    | Spoofed caller ID, urgency tactics
Smishing    | SMS/Text       | Fake delivery alerts, urgent warnings
Pharming    | Malicious Code | Redirects to fake websites automatically

Source: Fortinet Cyberglossary

Click fraud

This is a significant form of fraud that involves generating counterfeit clicks on online advertisements to fraudulently inflate ad revenue or deplete a competitor's ad budget. It results in substantial financial losses for online businesses, with global estimates indicating losses amounting to billions of dollars annually, totaling around USD 23.786 billion (Sadeghpour & Vlajic, 2021b). The methods employed for click fraud range from manual click farms to advanced automated bots (the bots being more prevalent and effective). Automated bots make up around 45% of all online traffic, with a significant portion attributed to click fraud, as they are responsible for an estimated 70-90% of all clicks on ads (Alzahrani & Aljabri, 2022). Click fraud is executed through the use of automated programs known as click bots. Bots in general can be categorized into good and bad bots.

For instance, good web-bots perform legitimate and beneficial tasks such as search engine optimization (SEO), website monitoring, and social networking. As for bad web-bots, they are considered malicious bots, used for harmful activities including data scraping, ticket scalping, spam, and click fraud. They mimic human behavior to evade detection and perform tasks that appear to be legitimate user interactions (Kolupuri et al., 2025).

Good Bots

  • Search engine optimization (SEO)
  • Website monitoring
  • Social networking
  • Beneficial tasks

Malicious Bots

  • Data scraping
  • Ticket scalping
  • Spam distribution
  • Click fraud (70-90% of ad clicks)

Taxonomy of automated click fraud:

Badvertising: The use of tampered JavaScript (JS) files to covertly raise click-through rates; it generates fake clicks and inflates the number of registered visits, increasing the publisher's revenue.

Hit inflation: It occurs when publishers or advertisers repeatedly click on their ads, use scripts to automate clicks, or redirect users to manipulated web pages where automatic clicks are triggered. Inflated hit counts can earn unjustified revenue or harm competitors.

Hit shaving: Advertisers employ this fraudulent method to understate the actual number of hits they receive from publishers in order to receive a reduced commission rate. This manipulation affects the publisher's earnings and decreases the perceived effectiveness of the ad campaign.

Botnet click campaigns: These campaigns utilize a network of users' computers and devices that are compromised by malware to automatically visit websites and click on ads all without the device owners' awareness. These attacks are often coordinated and the traffic created by botnets can mimic real user behavior, making it even harder to detect them (Kolupuri et al., 2025).

Scams using AI advertising

AI advertising scams use many different approaches to create convincing ads for non-existent products or fake deals, preying on urgency (e.g., short promotion time deal), big discounts, and emotional backstories to steal personal information or money, with victims often receiving inferior goods or nothing at all. Key red flags include prices too good to be true, pressure to buy now, payments via money apps, and overly polished, unbelievable stories. Protecting yourself from these scams requires constant vigilance to verify claims and use official sites (Media Mention, 2026; PinnacleBank, 2025).

Video: AI Ads Making Fake Products Look Real

Common AI advertising scams

Deepfake endorsements: In this case, AI is used to generate realistic videos or images of celebrities (e.g., Taylor Swift, Gisele Bündchen) or trusted figures promoting products, asking for credit cards or personal information to "enter a giveaway."

Fake "family" businesses: Elaborate, emotional backstories with AI generated images for fake online boutiques are used, claiming to be family-run with limited stock to drive impulse buys.

Malicious software ads: Ads on search engines (SEO) or social media that when clicked, install malware or steal data.

Enhanced phishing: AI makes phishing emails and texts more convincing (than normal phishing) with perfect grammar and personalized greetings, often mimicking delivery services or brands (Media Mention, 2026; PinnacleBank, 2025).

Red flags to watch for AI ads

Unbelievable offers

Prices drastically lower than market value or promises of guaranteed returns.

Extreme urgency

The use of phrases such as "Buy Now," "Limited Time," to pressure quick decisions.

Payment methods

Only accepting payment via money transfer apps (e.g., Venmo, Cash App) or cryptocurrency.

Too polished/perfect

AI-generated sites with flawless images and stories that lack authentic human imperfections.

Fake endorsements

Endorsements attributed to public figures who never endorsed the product/service, as confirmed by their official channels (Media Mention, 2026; PinnacleBank, 2025).

Online advertising fraud

Online advertising, also referred to as web advertising or Internet marketing or digital advertising, involves promoting products and services over the Internet and has become a key business model in the digital age. Its profitability and global widespread use have made it an attractive target for malicious parties, who exploit it for various purposes, including stealing a share of advertising revenues, accessing users' private information, and distributing malware. A study found that fraudulent activities cost advertisers $19 billion in 2018 (Sadeghpour & Vlajic, 2021a).

Taxonomy of advertising fraud

Identity fraud: Unauthorized ad placement may acquire a person's personal information without their permission or knowledge, generally for financial benefit.

Traffic fraud: This entails raising the network traffic on their websites in an unethical manner to boost their revenue. It manipulates impressions and conversions of ads to generate false metrics and revenue using techniques such as fake impressions and conversion.

Content fraud: This refers to the deliberate production or spread of false or damaging user-generated content. It includes domain spoofing and ad placement fraud.

Detection methods: Systems designed to combat the diverse array of advertising fraud (Kolupuri et al., 2025).

Detection methods

To combat the diverse array of advertising fraud and scams (as the ones listed above), there are some detection methods that can be used:

Attack detection: For instance, one can use the ratio of impression to delivery count for a site and the average delay between consecutive impressions by an IP address.

Anomaly detection: This involves gathering previous data on ad impressions, viewability metrics, and user interactions. From this, features such as demographics and browsing patterns are extracted to create a dataset to train algorithms.

These two approaches can identify patterns of legitimate behavior and flag anomalies in real time (i.e., spikes in impressions without engagement, indicating possible fraud from sources like bots) (Kolupuri et al., 2025).
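The two attack-detection features named above, plus the "spike in impressions without engagement" anomaly, can be computed directly from an ad event log. The following is an added example, not part of the original page or its sources: the log format, the reading of "delivery count" as the number of ads the ad server actually handed to a site, and all thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean, median


def build_sample_events():
    """Constructed sample log of (epoch_seconds, ip, site, kind) tuples."""
    events = []
    # Baseline site: four human-paced viewers, one engagement per minute.
    for minute in range(10):
        for n in range(4):
            t, ip = minute * 60 + n * 15, f"198.51.100.{10 + n}"
            events.append((t, ip, "news.example", "delivered"))
            events.append((t + 1, ip, "news.example", "impression"))
        events.append((minute * 60 + 20, "198.51.100.11", "news.example", "engage"))
    # Quiet site: one viewer per minute, then one IP reports 40 impressions
    # at 0.5 s spacing against a single delivery.
    for minute in range(9):
        t = minute * 60 + 5
        events.append((t, "198.51.100.50", "blog.example", "delivered"))
        events.append((t + 1, "198.51.100.50", "blog.example", "impression"))
    events.append((540, "203.0.113.7", "blog.example", "delivered"))
    for n in range(40):
        events.append((540 + n * 0.5, "203.0.113.7", "blog.example", "impression"))
    return sorted(events)


def impression_delivery_ratio(events):
    """Per site: reported impressions divided by ads actually delivered."""
    imp, dlv = defaultdict(int), defaultdict(int)
    for _, _, site, kind in events:
        if kind == "impression":
            imp[site] += 1
        elif kind == "delivered":
            dlv[site] += 1
    return {s: imp[s] / dlv[s] if dlv[s] else float("inf") for s in imp}


def mean_impression_delay(events, min_impressions=5):
    """Per IP: average seconds between consecutive impressions."""
    times = defaultdict(list)
    for t, ip, _, kind in sorted(events):
        if kind == "impression":
            times[ip].append(t)
    return {ip: mean(b - a for a, b in zip(ts, ts[1:]))
            for ip, ts in times.items() if len(ts) >= min_impressions}


def impression_spikes(events, bucket_s=60, factor=5, min_history=3):
    """Flag (site, bucket, count) where impressions jump with no engagement.

    Buckets with no events are simply absent from the history.
    """
    imp = defaultdict(lambda: defaultdict(int))
    eng = defaultdict(lambda: defaultdict(int))
    for t, _, site, kind in events:
        bucket = int(t // bucket_s)
        if kind == "impression":
            imp[site][bucket] += 1
        elif kind == "engage":
            eng[site][bucket] += 1
    flagged = []
    for site, buckets in imp.items():
        history = []
        for bucket in sorted(buckets):
            count = buckets[bucket]
            if len(history) >= min_history:
                baseline = max(median(history), 1)
                if count >= factor * baseline and eng[site][bucket] == 0:
                    flagged.append((site, bucket, count))
                    continue  # keep a flagged bucket out of the baseline
            history.append(count)
    return flagged


def detect(events, max_ratio=1.5, min_delay_s=2.0):
    """Combine the three checks; thresholds are illustrative, not tuned."""
    ratios = impression_delivery_ratio(events)
    delays = mean_impression_delay(events)
    return {
        "sites_over_ratio": sorted(s for s, r in ratios.items() if r > max_ratio),
        "fast_ips": sorted(ip for ip, d in delays.items() if d < min_delay_s),
        "spikes": impression_spikes(events),
    }


if __name__ == "__main__":
    print(detect(build_sample_events()))
```
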

Recommendations and Prevention

Are You at Risk? Quick Assessment

Answer these questions to assess your cybersecurity awareness

1. Do you click on links in unsolicited emails or text messages?

2. Do you use two-factor authentication on your accounts?

3. How often do you update your passwords?

4. Do you verify QR codes before scanning them?

5. Have you received unexpected packages at your address?


Protection Guide by Scam Type


What to Do About Brushing Scams

  • Confirm it is not a gift: Check with friends and family to ensure it was not a well-intentioned surprise.
  • Do not pay for the merchandise: Do not be swindled or talked into paying for it. If someone did not order it and received it, then, the merchandise belongs to the recipient. That is, nobody is under any legal obligation to pay for the merchandise and can keep, donate, or dispose of it. Recipients should not contact the sender or scan any QR codes inside the package.
  • Return to sender: If marked with a return address and it is "unopened," the recipient may mark it "return to sender" and USPS will return it at no charge to the recipient.
  • Throw it away: If the recipient opened it and does not wish to keep it, he/she may simply dispose of it in the garbage, as long as it is safe to do so.
  • Keep it: If the recipient opened it and liked it, he/she may keep it. By law, anyone may keep unsolicited merchandise and is under no obligation to pay for it.
  • Suspicious contents: If the recipient is wary of the contents inside an unsolicited package, he/she should follow the instructions on the United States Postal Inspection Service – "Suspicious Mail" [https://www.uspis.gov/report-suspicious-mail] page.
  • If individuals become victims of a brushing scam, they should notify the retailer (e.g., Amazon, eBay, Temu) by filing a fraud report. They should request that the company remove any fake reviews under their name. Recipients should also file a complaint or notify authorities such as the Better Business Bureau (BBB) at BBB Scam Tracker [https://www.bbb.org/scamtracker], the Federal Trade Commission (FTC) [https://ReportFraud.ftc.gov] and the United States Postal Inspection Service (USPIS) [https://www.uspis.gov/report]. If the merchandise is organic (e.g., seeds, food, meat, plants) or an unknown liquid or substance, recipients should notify the proper authorities immediately, and follow their instructions (F&M Bank, 2024; USPIS, 2025a).
  • The issue about notifying retailers or platforms is that they usually do not condone brushing. They deploy sophisticated data mining and machine learning techniques in an attempt to detect and remove fake transactions (Bloomberg, 2017; Wall Street Journal, 2015). The reason is that these fake orders are backed by real shipping and delivery (Wong et al., 2015). Further, sophisticated brushers would mimic real shoppers browsing and clicking behavior before ordering to make the entire process look as real as possible (Fountain et al., 2018). Some studies (see: Xu et al., 2017) report that only a small proportion of the sellers involved in brushing are detected and materially penalized. Although platforms' effort to crack down on brushing cannot easily eliminate the scam procedure, it makes brushing more costly for merchants, which is believed to at least attenuate brushing and make consumers better off.
  • Besides making brushing more difficult for merchants, platforms may instead consider improving search technologies to make search easier for consumers. For instance, reducing search frictions benefits consumers because they can incur less cost and also search more to find a product that better fits their needs. And because a lower search cost implies consumers are less influenced by rankings (which motivate brushing), reducing search frictions is believed to further dampen brushing incentives and thus improve consumer welfare.
  • Another lever platforms can pull is to fine-tune the design of the ranking algorithm, which can play a critical role in shaping merchants' brushing behavior and consequently, consumer welfare. Specifically, because brushers home in on sales-volume-related factors (e.g., ratings, sales), there could be a way to incorporate these factors into the ranking algorithm in light of brushing (Jin, Yang, & Hosanagar, 2023).
  • Additionally, victims should closely monitor and review their bank accounts and statements, credit card bills, and credit reports (available for free at https://www.annualcreditreport.com) for suspicious activity. They should change the passwords on their online shopping accounts and enable two-factor authentication for added security. Victims can check data breaches at https://www.identitytheft.gov. Further, individuals should consider placing a "fraud alert" on their credit file to prevent unauthorized activity (F&M Bank, 2024; USPIS, 2025a).
  • If you receive a package that you did not order, do not ignore it. This may not be a gift but a warning sign. Individuals should stay vigilant, protect their information, and report suspicious activities (F&M Bank, 2024).

Conclusion

The costs of any type of cybercrime are high. From damaged lives and businesses to disrupted infrastructure systems, and of course huge financial losses, the problem seems to be growing larger year after year as technology evolves (e.g., Artificial Intelligence). According to Smith & Lostri (2020), "since 2018, we estimated that the cost of global cybercrime reached over $1 trillion. We estimated the monetary loss from cybercrime at approximately $945 billion. Added to this was global spending on cybersecurity, which was expected to exceed $145 billion in 2020. Today, this is a $1 trillion dollar drag on the global economy." The U.S. Department of Justice, highlighting a report by Cybersecurity Ventures, projected a doubling of the annual cost of cybercrime between 2015 ($3 trillion) and 2021 ($6 trillion) (Rosenstein, 2017).

It is important to highlight that many scams have a psychological component: a large number of people fall victim to these schemes because of a mix of faith in online systems and the appeal of free products or services. Given the ubiquity of identity theft, false reviews, and bogus advertising, it is clear that individuals are often not fully equipped to recognize these types of fraud (Daud, Muniandy, & Nadi, 2024; Norris, Brookes, & Dowell, 2019; Ravenelle, Janko, & Kowalski, 2022).

The effects on victims of cybercrime can be catastrophic, resulting in financial loss as well as mental suffering and an erosion of confidence in digital technology. Public awareness, robust cybersecurity policies, and technology that identifies scammers' behavior help to identify scammers and minimize their impact. Security problems and vulnerabilities are major issues in the digital environment (Catal & Guldan, 2017; Hossain et al., 2023).

To sum up, in the past 10 years, with the increase in digital transactions (particularly during the COVID-19 pandemic) and online interactions, and with Artificial Intelligence (AI) added to the picture, scams have become more widespread than ever and many times harder to detect. To counter this growing threat, there have been significant advancements in technology, which provide some powerful tools for the detection, prevention and mitigation of scams, in an attempt to create a more secure environment for individuals and businesses (until something new breaks these barriers as well).

Technological Solutions

Advanced surveillance systems

These systems monitor transactions in real time and identify patterns indicative of fraud (e.g., sudden spikes in transactions or unusual geographical activity), which can then be flagged for review, enhancing security for users and businesses (Hariri, Kind, & Brunner, 2019).

Predictive modeling and risk assessment

This involves analyzing historical data to predict future outcomes in the context of scam prevention. This approach can assess the risk associated with transactions, identifying high-risk transactions that differ from a user's typical behavior and allowing pre-emptive measures to be taken (Valavan & Rita, 2023).
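The two approaches above (real-time monitoring for spikes and unusual geography, and scoring a transaction against the user's own history) can be sketched together. This is an added example, not code from any cited system: it uses simple rules and a median-based score rather than the machine-learning models in the cited papers, and every name, threshold and sample transaction is an assumption made for illustration.

```python
from collections import defaultdict, deque
from math import asin, cos, radians, sin, sqrt
from statistics import median

WINDOW_S, MAX_TX = 600, 3   # assumed: more than 3 purchases in 10 min is a spike
MAX_KMH, MIN_KM = 900, 50   # assumed: faster than an airliner over a real distance
Z_CUT, MIN_HIST = 3.5, 5    # assumed: robust z-score cut-off, history needed first

def km_between(a, b):  # haversine distance in km between two (lat, lon) pairs
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

class Monitor:
    def __init__(self):
        self.recent, self.amounts = defaultdict(deque), defaultdict(list)
        self.last = {}  # account -> (timestamp, location) of previous purchase

    def check(self, account, ts, amount, loc):
        """Return the names of the rules this transaction trips."""
        flags, q, hist = [], self.recent[account], self.amounts[account]
        q.append(ts)
        while ts - q[0] > WINDOW_S:          # drop timestamps outside the window
            q.popleft()
        if len(q) > MAX_TX:
            flags.append("velocity_spike")
        prev_ts, prev_loc = self.last.get(account, (ts, loc))
        km, hours = km_between(prev_loc, loc), max(ts - prev_ts, 1) / 3600
        if km > MIN_KM and km / hours > MAX_KMH:
            flags.append("implausible_travel")
        if len(hist) >= MIN_HIST:            # deviation from this user's baseline
            med = median(hist)
            mad = median(abs(x - med) for x in hist) or 0.01  # floor for flat history
            if 0.6745 * abs(amount - med) / mad > Z_CUT:      # modified z-score
                flags.append("amount_outlier")
        self.last[account] = (ts, loc)
        if "amount_outlier" not in flags:    # keep outliers out of the baseline
            hist.append(amount)
        return flags

PHX, LON = (33.45, -112.07), (51.51, -0.13)  # constructed data: (account, ts, amount, loc)
SAMPLE = [("acct-1", d * 86400, a, PHX) for d, a in enumerate((25, 30, 22, 28, 35))] + [
    ("acct-1", 345660, 31, PHX), ("acct-1", 345720, 27, PHX),
    ("acct-1", 345780, 29, PHX),    # fourth purchase within 10 minutes
    ("acct-1", 349380, 26, LON),    # London one hour after Phoenix
    ("acct-1", 435780, 2500, LON)]  # far above this account's usual spend

def run(sample):
    monitor = Monitor()
    return [monitor.check(*tx) for tx in sample]
```

Calling `run(SAMPLE)` returns one list of flags per transaction; flagged transactions would go to manual review rather than being blocked outright, since each rule also fires on some legitimate behavior.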

Biometric authentication systems

These systems employ distinctive features like fingerprints, face and voice recognition, and speech detection to authenticate identity, preventing unauthorized access (Jain, Ross, & Prabhakar, 2004).

As the digital world expands, scams and fraud have become increasingly prevalent, offering financial incentives for perpetrators. This site delves into various real-world advertising scams, showing the significant risks they pose to individuals, organizations, and society. However, as technology advances and automated systems become more sophisticated, fraud detection and prevention strategies must continuously evolve (Kolupuri et al., 2025).

References

Alkhalil, Z., Hewage, C., Nawaf, L., & Khan, I. (2021). Phishing attacks: A recent comprehensive study and a new anatomy. Frontiers in Computer Science, 3.

Alzahrani, R. A. & Aljabri, M. (2022). AI-based techniques for ad click fraud detection and prevention: Review and research directions. Journal of Sensor and Actuator Networks, 12(1), 4.

Bloomberg. (2017, November 6). China is finally going after click farms and fake online sales. https://www.bloomberg.com/news/articles/2017-11-06/china-is-finally-going-after-click-farms-and-fake-online-sales

Catal, C. & Guldan. (2017). Product review management software based on multiple classifiers. IET Software, 11(3), 89-92.

Chevalier, J. A., & Mayzlin, D. (2006). The effect of word of mouth on sales: Online book reviews. Journal of Marketing Research 43(3), 345-354.

Chintagunta, P. K., Gopinath, S., & Venkataraman, S. (2010). The effects of online user reviews on movie box office performance: Accounting for sequential rollout and aggregation across local markets. Marketing Science, 29(5), 944-957.

Daud, P., Muniandy, N., & Nadi, F. (2024). Publics perception and awareness towards the identity theft among the residents of Bistari Impian apartment, Johor, Malaysia. International Journal of Academic Research in Business and Social Sciences, 14(11).

F&M Bank. (2024, December 18). What is a brushing scam? Why "free stuff" isn't good news. https://www.fmbankva.com/brushing-scam/

Fei, K. & McKinnon, T. (2021). COVID-19 and cyber fraud: Emerging threats during the pandemic. Journal of Financial Crime, 29(2), 433-446.

Financial Times. (2016, November 22). China's e-commerce sites try to sweep away 'brushing.' https://www.ft.com/content/735722e6-aca6-11e6-9cb3-bb8207902122

Fortinet. (2025). What is smishing? https://www.fortinet.com/resources/cyberglossary/smishing

Fountain, N., Malone, K. & Wei, S. (2018, April 27). A series of mysterious packages. NPR Planet Money. https://www.npr.org/sections/money/2018/04/27/606528176/episode-838-a-seriesof-mysterious-packages

Halevi, T., Memon, N., & Nov, O. (2015, January). Spear-phishing in the wild: A real-world study of personality, phishing self-efficacy and vulnerability to spear-phishing attacks. SSRN Electronic Journal. https://doi.org/10.2139/ssrn.2544742

Hariri, S., Kind, M. C., & Brunner, R. J. (2019). Extended isolation forest. IEEE Transactions on Knowledge and Data Engineering, 33(4), 1479-1489.

Hossain, M. N., Hassan, M. M., Monir, R. J., Sayeed, M. S., Wajiha, S. & Wazid Ullah, S. M. (2023). Cyber security and people: Human nature, psychology, and training affect user awareness, social engineering, and security professional education and preparedness. In 2023 14th International Conference on Computing Communication and Networking Technologies (ICCCNT), pp. 1-5.

Jain, A. K., Ross, A., & Prabhakar, S. (2004). An introduction to biometric recognition. IEEE Transactions on Circuits and Systems for Video Technology, 14(1), 4-20. https://doi.org/10.1109/TCSVT.2003.818349

Jin, C., Yang, L., & Hosanagar, K. (2023). To brush or not to brush: Product rankings, consumer search, and fake orders. Information Systems Research, 34(2), 532-552. doi: https://doi.org/10.1287/isre.2022.1128

Jones, K. S., Armstrong, M. E., Tornblad, M. K., & Namin, A. S. (2020). How social engineers use persuasion principles during vishing attacks. Information & Computer Security, 29(2), 314-331.

Kolupuri, S. V. J., Bhowmick, R. S., Paul, A., & Ganguli, I. (2025, January 4). Scams and frauds in the digital age: ML-based detection and prevention strategies. ICDN 2025: 26th International Conference on Distributed Computing and Networking, January 4-7, 2025, Hyderabad, India.

Media Mention. (2026, January 16). In the news: Seth Ketron on AI-driven online shopping scams. University of St. Thomas Newsroom. https://news.stthomas.edu/in-the-news-seth-ketron-on-ai-driven-online-shopping-scams/

Norris, G., Brookes, A., & Dowell, D. (2019). The psychology of Internet fraud victimization: A systematic review. Journal of Police and Criminal Psychology, 34(3), 231-245.

PinnacleBank. (2025, October 29). How to spot AI-generated fake ad scams. https://www.pinnbankaz.com/articles/2025/ai-ad-scams.

Proofpoint. (2022). What is pharming? https://www.proofpoint.com/us/threat-reference/pharming

Ravenelle, A., Janko, E., & Kowalski, K. (2022). Good jobs, scam jobs: Detecting, normalizing, and internalizing online job scams during the COVID-19 pandemic. New Media & Society 24(7), 1591-1610.

Raza, M., Jayasinghe, N. D., & Muslam, M. M. A. (2021). A comprehensive review on email spam classification using machine learning algorithms, 327-332. https://doi.org/10.1109/ICOIN50884.2021.9334020

Rosenstein, R. J. (2017, October 4). Deputy Attorney General Rod J. Rosenstein delivers remarks at the Cambridge Cyber Summit. United States Department of Justice. https://www.justice.gov/archives/opa/speech/deputy-attorney-general-rod-j-rosenstein-delivers-remarks-cambridge-cyber-summit

Sadeghpour, S., & Vlajic, N. (2021a). Ads and fraud: A comprehensive survey of fraud in online advertising. Journal of Cybersecurity and Privacy, 1(4), 804-832.

Sadeghpour, S., & Vlajic, N. (2021b). Click fraud in digital advertising: A comprehensive survey. Computers, 10, 12.

Smith, Z. M., & Lostri, E. (2020). The hidden costs of cybercrime. Center for Strategic and International Studies. https://companies.mybroadband.co.za/axiz/files/2021/02/eBook-Axiz-McAfee-hidden-costs-of-cybercrime.pdf

University of Colorado. (n.d.). What is quishing and how to protect yourself. Retrieved January 18, 2026. https://www.cu.edu/security/what-quishing-and-how-protect-yourself

United States Postal Inspection Service (USPIS). (2025a, March 24). Brushing scam. https://www.uspis.gov/news/scam-article/brushing-scam

United States Postal Inspection Service (USPIS). (2025b, May 19). Fake USPS emails. https://www.uspis.gov/news/scam-article/fake-usps-emails

United States Postal Inspection Service (USPIS). (2025c, May 19). Smishing: Package tracking text scams. https://www.uspis.gov/news/scam-article/smishing-package-tracking-text-scams

United States Postal Inspection Service (USPIS). (2024, June 17). Vishing. https://www.uspis.gov/news/scam-article/vishing

Valavan, M., & Rita, S. (2023). Predictive-analysis-based machine learning model for fraud detection with boosting classifiers. Computer Systems Science and Engineering, 45, 231-245. https://doi.org/10.32604/csse.2023.026508

Wong, G., Chu, K., & Osawa, J. (2015, March 2). Inside Alibaba, the sharp-elbowed world of Chinese e-commerce. Wall Street Journal. https://www.wsj.com/articles/inside-alibaba-the-sharp-elbowed-worldof-chinese-e-commerce-1425332447

Xu, H., Liu, D., Wang, H., & Stavrou, A. (2017). An empirical investigation of e-commerce-reputation-escalation-as-a-service. ACM Transactions on the Web (TWEB), 11(2), 1-35.