Scam alert: If you received an unsolicited smartwatch in the mail, don't turn it on

PSA: A common tactic for cybercriminals is to distribute storage drives, phones, or other internet-connected devices filled with hidden malware to hack victims and steal their information. Although smartwatches haven't been known for major security breaches so far, they carry many of the same vulnerabilities as other IoT products and warrant a similar degree of caution.

US military service members have recently reported receiving smartwatches in the mail which they didn't order. It is unclear who sent the devices and why, but foul play is suspected, and the Army's criminal investigation division (CID) advises recipients to never turn the watches on.

The CID reports that the smartwatches have automatically connected to Wi-Fi networks and smartphones independent of user prompts upon activation, indicating that they could be an attempt to infiltrate networks belonging to military personnel. Although no one has confirmed that the devices contain malware or are collecting and sending information, that remains a distinct possibility.

Android phones and other internet-connected devices from third-party sellers have been known to carry pre-installed malware. Although smartwatches haven't been associated with major security incidents, they are uniquely suited to nefarious snooping.

As wearables, they record and store significant amounts of biometric and location data. They also have microphones, and their wireless connections to smartphones could potentially put those devices at risk. The greatest concern is that someone could be using the unsolicited gifts to scrape military secrets.

Another, more benign explanation, is that the senders are trying to pump up online product reviews in a fraudulent practice called brushing. It involves vendors purchasing their own products and then sending them to random addresses and writing positive reviews in the recipients' names on retail sites like Amazon to boost ratings and visibility. Despite the lack of real customers, the record that someone bought and shipped the items lends the reviews increased legitimacy in the retail system.

The US postal inspection service advises that anyone who receives suspicious unsolicited packages from online retailers should notify the retailer, look for fraudulent reviews in their name on the retailer's website, and check to see if their personal information hasn't been compromised. The CID advises service members who find the mysterious smartwatches on their front doors to report them to their local counterintelligence or security managers.