Scammers are hacking into the accounts of Target gig workers and draining their bank accounts, Motherboard reports. Since March 28th, more than 30 employees who work for Shipt, Target’s delivery app, have posted on Facebook about being attacked. The company employs about 300,000 contract shoppers in the United States.
In some cases, the scammers are spoofing Shipt’s phone number and pretending to be corporate employees. They say they’ve noticed unusual activity on the worker’s account and ask for the person’s password. Once they get in, they transfer the worker’s earnings to themselves.
The scam is made possible in part by an “instant payout” feature Shipt rolled out earlier this year. The feature allows workers to cash out their earnings within the hour. But it also enables scammers to instantly get access to workers’ funds. Previously, workers only had access to their earnings once a week.
The scammers appear to know workers’ names and phone numbers, making some people nervous that their information leaked in a data breach. Motherboard found evidence that some workers’ information was exposed in data breaches at other companies — but not at Shipt.
A representative from Shipt’s trust and safety team left a voicemail for a worker who’d complained about phishing attacks. “I just wanted to let you know about this issue that it’s something we’ve been looking into and something that we’ve been reviewing a lot of recently,” the representative said, according to a recording obtained by Motherboard.
Some workers received emails asking them to reset their passwords prior to getting the scam call. According to Motherboard, the emails were likely an attempt to trick workers into thinking there was suspicious activity on their account. Other shoppers had two-factor authentication set up but were deceived into reading the codes to scammers who called them on the phone.
In a statement emailed to The Verge, Danielle Schumann, a Shipt spokesperson, said the company knows about the attacks but does not believe they have impacted a large number of Shipt workers. “We’re aware of the prevalence of scams like these that are often the result of phishing or an account takeover,” Schumann said. “A very small number of shopper accounts have recently experienced this kind of activity.”
The company also said it has reimbursed shoppers for the full amount lost, and taken several steps to educate people on how to secure their accounts, including proactively emailing all shoppers.
Six workers told Motherboard that they did not see the email containing security information since the company sends so many updates.
Shipt workers have been talking about the attacks in private Facebook groups. Some have described what happened to them in detail. But others appear to have been censored when they tried to get information on the attacks. In one instance, the company seemingly blocked a contractor from asking colleagues about phishing schemes. “Curious has anyone experienced a phishing scam on Shipt?” the worker wrote. Moderators for the group did not approve the post.
Shipt has a history of allegedly censoring contractors who speak out about working conditions on the platform. According to Motherboard, the company has retaliated against workers who complained about app changes and pay on social media.