Connect with us


Scammers Are Hacking Target’s Gig Workers and Stealing Their Money



On the Clock is Motherboard’s reporting on the organized labor movement, gig work, automation, and the future of work.

On the morning of March 28, a gig worker near Tampa, Florida, was shopping an order for Shipt, Target’s delivery platform, when he received an email from “Shipt Support” asking him to reset his password. 

The worker says he didn’t request to reset his password, but didn’t think much of the email and went on with this day. Later that evening, the worker says he was sitting at home on his couch when he received a phone call from Shipt’s corporate headquarters’ phone number. Someone identifying themselves as a Shipt employee and addressing the worker by his first name said there had been unusual activity on his account regarding his password and asked him to read back a code that had been emailed to him to verify his identity. 

Remembering the password reset email from earlier that day, the worker provided an authentication code that he’d received via email from Shipt. Shortly after, he received an email notifying him that someone had added a debit card to his account. 

When the worker checked his account again, he realized someone had logged in and cashed out his entire paycheck—$499.51. “I noticed my withdrawal balance was zero,” he said in a public video uploaded to Facebook. “At that point, I’m livid. I’m pissed.” 

In recent weeks, personal shoppers on Target’s delivery app, which boasts roughly 300,000 personal shoppers in the United States, have been repeatedly targeted by scammers hoping to steal their earnings by phishing gig workers’ credentials from them. 

Since March 28, more than 30 gig workers have posted in private, unofficial Facebook groups for Shipt’s personal shoppers saying scammers have targeted them using phishing schemes that include spoofing Shipt’s corporate phone numbers and asking for passwords over the phone. In at least some cases, the strategy used by scammers is different from other phishing campaigns: Scammers trigger password reset emails sent to personal shoppers by clicking the “forgot password” button below the Shipt login. Then they follow up via phone, asking personal shoppers to “verify” their passwords in order to look into “unusual activity” or requests to update info on their accounts. (The password reset emails are seemingly supposed to mislead workers into believing there has been suspicious activity on their accounts.) The scammers have also, in some cases, stolen two-factor codes over the phone. 

A communication from Shipt to its personal shoppers posted in an internal portal on April 9 confirms that these calls are initiated by scammers. “Never share your bank account info or shopper account password with anyone on the phone or through an email, even if they claim to be from Shipt,” it said. “Shipt will never request that info this way.”  

Earlier this year, Shipt rolled out an “instant payout” option for its gig workers, which allows them to access their earnings within an hour (instead of once a week) for 49 cents, but the new option has made it easier for scammers to prey on gig workers, many who live paycheck to paycheck, and deposit their earnings. The scam allows a criminal to steal a Shipt shopper’s password, log into their account, change their payout information, and quickly drain their account.

Danielle Schumann, a spokesperson for Shipt, told Motherboard that the company is aware of the phishing scams and account takeovers but that the problem has not impacted many of its drivers. “A very small number of shopper accounts have recently experienced this kind of activity,” she said, noting that the company has implemented precautions to protect accounts and reimburses workers for their losses. 

A voicemail from Shipt’s trust and safety team obtained by Motherboard also confirms these scams are impacting gig workers. “I just wanted to let you know about this issue that it’s something we’ve been looking into and something that we’ve been reviewing a lot of recently,” a Shipt representative said in a voicemail in response to a complaint about the phishing scams reported by a personal shopper.

These scams are not unique to Shipt but have proliferated across the gig economy during the pandemic on apps including Instacart, Postmates, Lyft, and DoorDash, according to a report in The Markup. The schemes prey on the unique vulnerabilities of gig workers, who, as independent contractors, do not have access to basic rights, protections, resources, training, or safeguards typically offered to employees on the job. For many gig workers, getting help when their accounts are hacked or income is stolen often feels like shouting into the void. 

After he was scammed, the gig worker posted a public video on Facebook, explaining step-by-step how scammers hacked his account and drained his earnings. “I wasn’t a happy camper yesterday. I’m still not a happy camper,” he said. (He declined Motherboard’s request to be interviewed but said that Shipt has reimbursed him the total amount of his losses.)

Motherboard spoke to four other Shipt workers who each told similar tales of scammers posing as Shipt corporate employees, as well as a customer who had their account breached in recent weeks. Scammers called and texted the victims to manipulate them into revealing their passwords to break into their accounts. In some cases, when personal shoppers have two-factor authentication set up, scammers prompt gig workers to read back codes emailed to them to gain access to their accounts once they’d secured passwords. 

On March 29, a Shipt personal shopper and veteran in Portland, Maine, received two voicemails from numbers that looked like they were from Shipt’s corporate headquarters. (Motherboard granted the worker anonymity because he feared retaliation from Shipt).

“I received a call from you and it looks like we got disconnected,” the first voicemail from Shipt’s corporate phone number said, addressing the worker by his first name. “If you could give us a call back whenever you can, I’d be more than happy to help you.” 

Throughout the day he received a series of calls, texts, and emails that appeared to be coming from Shipt. Finally, the gig worker picked up the phone. An agent informed him that there’d been unusual activity on his Shipt account and asked him for his password to go in and recover his account.  

“He said ‘you might not be able to access your account so we can change your password for you,'” the gig worker told Motherboard. “I said ‘it’d be better if you can send me an email with a link.’ He was like ‘if you want I can change your password for you.’ I said ‘I’m not comfortable with that.’”

“I’m not gullible at all but this was sophisticated,” the worker said. “They spoofed that number. I’m a vet and the first thing they do when they call is verify who I am and they ask me for my information, so this is creepy and scary.” 

Caller ID spoofing, the tactic being used by the scammers, is legal in the United States with the exception of doing so “with the intent to defraud, cause harm, or wrongfully obtain anything of value.” 

It’s unclear whether multiple scammer groups are preying on Shipt’s gig workers but the fact that some scammers are spoofing Shipt’s phone number and others are not suggests a variety of strategies are being deployed. 

On April 8, Karyn Johnson Dorsey, a Shipt personal shopper in San Bernardino, California received a call from a scammer with a phone number from San Diego threatening to deactivate her or prevent her from working on the app if she didn’t provide her email address. Fortunately, she knew from reading warnings from other Shipt personal shoppers posted online that it was a scam and didn’t provide any of her personal information. Motherboard reviewed a transcript of her call with the scammer. 

“On my end, I see we have your email address, but you need to verify it or your account will be deactivated,” a caller who identified themselves as “David from Shipt” told Johnson Dorsey in April, according to the call transcript.

Gig workers, including Johnson Dorsey, who’ve been targeted by phishing attempts say Shipt has not done enough to educate and warn their workforce about these phishing scams. 

“If it wasn’t for shoppers telling each other about these scams, none of us would know what’s going on,” said Johnson Dorsey. “Shipt sends us so many emails but they haven’t warned us or told us anything about these scams by email.”

Schumann, the spokesperson from Shipt, said, “We take data security very seriously and have taken, and will continue to take, several actions to inform and educate the Shipt team, as well as Shipt Shoppers, on how to keep accounts secure.” 

“We have proactively emailed all shoppers, posted information on our Shopper Hub, have a team of individuals dedicated to monitoring for, and responding to, fraud, and conducted additional internal team training,” she continued. 

The email alert that Schumann refers to was buried in a weekly newsletter sent on April 9, a day after Motherboard reached out to Shipt for comment about the scams. It discusses steps personal shoppers can take to improve security security, but does not specifically mention the recent prevalence of scams. 

On the Shipt Shopper Hub, an internal portal for personal shoppers, the company posted guidelines on how to keep Shipt accounts secure. Gig workers say Shipt frequently floods them with emails and updates, and their attention was not specifically directed toward this point. None of the six gig workers Motherboard spoke to had seen it. 

A fifth Shipt personal shopper, Gabrielle Wilkins, in Denver, Colorado, discovered her account had been hacked when she received a text on April 26 from Shipt saying she hadn’t made progress on two orders. 

Wilkins told Motherboard that she logged into her account to find she had two active orders that she didn’t accept near Ann Arbor, Michigan. Later that day, she was deactivated, according to screenshots obtained by Motherboard. Wilkins has contacted Shipt repeatedly to resolve the issue but has not received a resolution. She says she had not given out her password or login information to scammers. 

“They deactivated me in the middle of my account being hacked,” said Wilkins. “I’ve tried to contact them and emailed. I’m worried they’ll never respond to me about it.” 

“I’ve worked on Shipt for about two years,” she continued. “[Being deactivated] is going to impact me a lot. I use Shipt to pay medical bills.” 

Shipt also appears to be blocking workers from warning each other about these incidents. In one instance, Shipt censored a Texas gig worker who posted a question about the scams on Shipt’s company-controlled Facebook group. The post read: “Curious has anyone experienced a phishing scam on Shipt?” Motherboard reviewed a copy of his post which was not approved by the page’s moderators. (Shipt has a well-documented record of censoring workers who voice concerns about their working conditions on the Facebook group, which has more than 140,000 members.)

Personal shoppers who’ve been subject to phishing schemes on Shipt say scammers have access to their names and phone numbers. None of the workers Motherboard spoke to remembers giving out this personal information to scammers, and several workers were concerned that this information may have been compromised in a data breach.

Motherboard found no evidence of a data breach at Shipt but found several of the victims’ personal data in recent data breaches at other companies, which in some cases could be leveraged by phishers. 

Schumann, the spokesperson for Shipt, said Shipt had not been breached. “At Shipt, we take account security very seriously and invest in monitoring, tools and controls to detect and protect against suspicious activity. Shipt has not been breached,” Schumann said. The company introduced two-factor authentication in January. 

Do you have a tip to share about a scam targeting gig workers? Please get in touch with the reporter Lauren by emailing or by messaging securely on Signal 201-897-2109.

Scammers also appear to be targeting customer accounts. Heidi Hudd, a customer in Traverse City, Michigan, received an email late one night in April saying she had placed an order for a pair of airpods. She logged into her account to see her address had also been changed to Plantation, Florida. 

“I called Shipt and they didn’t seem surprised and told me they’d fix it. I’m worried there was a data breach,” Hudd said. “They didn’t tell me what had happened—just to change my password and that was it.”

Joseph Cox contributed reporting for this article. 

Source link

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *


Uber Eats, Peers Given Deadline to Abandon Gig-Worker Model in Spain




By Adam Clark

Uber Technologies Inc. and other operators of food-delivery platforms in Spain have three months to change their current gig-labor models, the Spanish government said on Tuesday.

Ministers approved a law to regulate the employment conditions of delivery workers who work via digital platforms such as Uber Eats or Inc.-backed Deliveroo PLC. The approval begins a countdown for companies to convert their workers from independent contractors into employees by mid-August.

The new regulations could be an important precedent as the European Union is consulting on rules on platform work across the bloc this year. Uber, Deliveroo and local delivery startup Glovoapp23 SL had campaigned for a deal which would avoid reclassification of workers, similar to arrangements reached in France, arguing the majority of couriers would prefer to be self-employed.

“This regulation will directly hurt thousands of couriers who use food delivery apps for much-needed flexible earnings opportunities and made it clear they do not want to be classified as employees. It will also impact Spanish restaurants that increasingly rely on delivery solutions to make ends meet,” a spokesperson for Uber said.

The companies will now have to consider how to implement the changes to their business models. Couriers’ groups said the most likely solution will be for the companies to subcontract workers via fleet-management companies.

The subcontracting model is already used by major European food-delivery platform Just Eat NV but would likely result in relatively higher costs for Uber and Deliveroo, which have a greater proportion of restaurant deals where they handle the logistics of delivery. Uber said last month that it would use fleet-management companies for the planned expansion of its Uber Eats service to Germany.

“We want to be a long-term partner to Spain and are exploring different options to adapt our delivery business to the new regulation,” the spokesperson for Uber said.

Write to Adam Clark at

(END) Dow Jones Newswires

05-11-21 0846ET

Source link

Continue Reading


Local chef creates app to connect gig workers with hospitality jobs




Posted: Updated:

CHARLESTON, S.C. (WCBD) – Connecting gig workers to hospitality jobs in Charleston is now easier than ever thanks to the app, Gigpro. It was created by a local chef, Ben Ellsworth, along with three others. The app lets anyone apply for and book jobs for just a single night at a time. It’s a fast and easy way to fill open shifts without committing to full employment with a business.

The hospitality industry is facing a detrimental shortage of workers with both back-of-house staff like line cooks and dishwashers as well as front-of-house staff like servers and bartenders.

The idea came to Ben Ellsworth, who’s been a chef in Charleston since 1998, as he stared at a pile of dishes in the Royal American kitchen during a shift when the dishwasher called out. He says the lightbulb switched on when he checked his cell phone.

“I got a notification on my phone that someone had booked my Airbnb and I said out loud ‘I wish he had booked to wash these dishes.’,” said Ellsworth.

That’s when Gigpro was born.

Nearly 150 Charleston businesses and over 2,000 workers have joined the platform since its initial release in late 2019. In the first month of beta testing, 36 gigs were booked and in the second month, 86 gigs were booked.

Now Ellsworth says around 200 gigs are posted to the platform each week.

There are only a few simple steps to set up Gigpro and begin picking up shifts. Download the free app, create a profile with a resume, fill out insurance information and add a payment method. A restaurant will post a shift with information like date, hours, and pay, then workers on the app can scroll through and apply for a job. If the employer finds a good fit for the night, the job will be booked. After a worker completes the job, payment is sent through the app two to three days later.

“Everybody that’s on the platform gets covered with occupational accident insurance,” explained Ellsworth. “Which takes the liability off the business and keeps the pro safe.”

He says the occupational accident insurance is about $0.38 per hour. Many gigs pay $15 to $30 an hour.

It’s a big help for employers working to fill shifts when employees call out or when staff is short.

Wild Dunes Resort on the Isle of Palms has been working with Gigpro for just over a year and recently has been booking workers most weekends.

“It’s a great tool to have in our toolkit,” said Manny Montes, the assistant director of HR at Wild Dunes Resort.

In some cases, at Wild Dunes and other businesses, workers have been asked to stick around.

“There’s actually two people that we connected with originally on the app that we’ve ended up offering positions to stay on board with us as actual employees,” said Montes.

Gigpro is a way to get some fast cash and help out businesses that are in dire need of staff.

“I would say right now that our biggest mission is to try and get more money in the pockets of the workforce in this industry. I’ve heard from multiple businesses that we’re working with that we’re kind for the only thing that’s moving the needle and getting help in the door,” said Ellsworth.

Gigpro is officially expanding to Nashville, TN and Charlotte, NC and Ellsworth hopes to add more “food eccentric cities” to the list soon.

For more about Gigpro, click here.

Source link

Continue Reading


Rep. McHenry introduces Gig Worker Equity Compensation Act




U.S. Rep. Patrick McHenry (R-NC) introduced legislation that would include the gig workforce in the category of workers who can benefit from equity compensation.

© Shutterstock

The Gig Worker Equity Compensation Act (H.R. 2990) would help gig workers share in the economic resurgence while preserving their flexibility and independence.

“How people choose to work is changing. Our technology-driven economy is embracing this shift, Washington needs to keep up,” McHenry, the Republican leader on the House Financial Services Committee, said. “By giving these non-traditional workers access to equity compensation—just like traditional employees—we can ensure they benefit from the growth of the companies they are making successful. While Democrats attempt to stifle this growing sector of the workforce, my bill ensures they retain the flexibility they need while giving them the opportunity to grow wealth. This is a win for our capital markets, job creators, and gig workers.”

McHenry points out that about a quarter of the U.S. workforce participates in the gig economy or non-traditional work — whether as a rideshare driver, food delivery courier, or sharing their property through a platform like Airbnb. Further, about 10 percent of workers rely on alternative work arrangements for their primary source of income. These workers do not want to be bound by constraints like an office, set hours, or a traditional employer-employee relationship. This bill seeks to provide additional flexibility to support these workers.

In November 2020, the Securities and Exchange Commission (SEC) voted to propose rules to provide equity compensation options for gig workers. McHenry welcomed this initiative and is committed to working with the SEC to implement his broader proposal.

Source link

Continue Reading


Copyright © 2019