Source: Target/Shipt
Shipt and its gig workers deal with phishing attacks
Gig delivery workers now have something else to worry about besides whether they are getting enough shift hours or whether customers are being generous with their tips. It seems that Shipt shoppers/drivers have fallen victim to phishing expeditions that have given thieves access to their accounts and enabled the criminals to steal the workers’ paychecks.
Motherboard, which broke the news after seeing private Facebook postings, reports that more than 30 people who pick and deliver orders for Shipt have been scammed to date. Shipt, the same-day delivery service owned by Target, employs about 300,000 gig workers in the U.S.
The report provides an account of one driver who received an email from “Shipt Support” in late March requesting that the worker’s password be reset. The worker, who did not request a reset, did so thinking that it was legitimate. It was not.
Later that night, someone claiming to be from Shipt called the driver addressing the individual by their first name. The caller said that the company had noticed some unusual activity on the driver’s account and asked for a code that had been emailed to the worker to verify his identity. The Shipt driver, still not suspecting anything was amiss, provided the information only to find out later that it was used to steal his paycheck.
Shipt, Motherboard reports, posted a message to drivers on its internal portal on April 9. “Never share your bank account info or shopper account password with anyone on the phone or through an email, even if they claim to be from Shipt. Shipt will never request that info this way.”
“We’re aware of the prevalence of scams like these that are often the result of phishing or an account takeover,” Danielle Schumann, a Shipt spokesperson, wrote in an email statement to Motherboard and The Verge. “A very small number of shopper accounts have recently experienced this kind of activity.”
Shipt has reimbursed contractors for the full amount lost in these phishing incidents. The company has said that it has taken steps including emails to bring those working with it up to speed on how to protect their accounts from thieves.
Discussion Questions
How significant a challenge do security issues around third-party contractors pose for retailers and their vendors who use these workers? Where do you see vulnerabilities, and what needs to be done to improve security?
This is yet just one more example of how anything and anyone connected to the internet is vulnerable to security breaches. While organizations can take steps to mitigate the risk, the fact is there is no way to completely eliminate it, especially when third-party contractors are involved who may not apply the same rigor. Unfortunately, there are no easy answers to solve this. All businesses (and people) need to remain vigilant about data security. As long as we’re all connected by the internet, there’s a security risk.
Whether these security breaches become significant challenges largely depends on how Shipt and other third-party contractors respond. Education for gig workers on how scams work, along with enhanced security measures, will reduce the number of incidents. But it’s up to the companies to take those steps quickly.
One of the things I found interesting in the reporting on this was the acknowledgement by a small number of Shipt shoppers that they hadn’t seen emails from the company on this issue. Their explanation was that Shipt sends so many emails that they tune them out. That’s a completely different and equally worrying challenge for the company in my mind.
Seems like there should be a secure, exclusive hardware connection involved here, instead of having contractors use their own phones. Phishing to steal contractors’ wages is low-hanging fruit, but what about malware installations that could mess with inventory counts, enable fake orders, etc.?
This particular instance is a scam/phishing attempt as opposed to a hack, in a generally understood sense.
This is not unique to Shipt or delivery services. Phishing attempts are rampant in corporations, particularly impersonating C-level executives who just left and asking for money to be transferred. Or seniors getting sucked into social security scams.
I agree, Suresh, about the use of the “hacking” term. We just revised our story accordingly. Thanks for pointing that out.
Addressing security issues in payroll is paramount, but a couple phishing scams will not deter the growth of the model. There is tremendous demand for gig work and while fixing these issues will be critical to maintaining trust, it will not deter the increased adoption as Target looks to expand Shipt for local deliveries of e-commerce as well.
Kudos to Shipt for reimbursing the aggrieved workers, but in any evolving technology there is bound to be scams/phishing. Let’s hope the company takes meaningful steps (beyond emails) to safeguard against future abuse. The technology is not going anywhere and gig workers are, for good and/or bad, becoming essential to our commerce experience.
Phishing is quite rampant. The industry preys on the less aware. The gig economy is relatively new to all, where the workers are not full-time employees and don’t fully understand the company culture or communication styles. That’s a fertile ground for fraud of all sorts. In order to curb it, gig companies need to ensure better training and awareness of right and wrong ways of communication – be it with the company, customers, or the potential predators.
Today’s mix of modern-day social engineering and scams. Education and appropriate security measures help mitigate the risk, but it is an unfortunate reality with where we are at as a connected society. Definitely a challenge.
Shipt spokesperson Danielle Schumann provided the following statement in response to coverage of this story.
At Shipt, we take account security very seriously and invest in monitoring, tools and controls to detect and protect against suspicious activity. Shipt has not had a data breach.
We’re aware of the prevalence of scams like these that are often the result of phishing or an account takeover. A very small number of shopper accounts have recently experienced this kind of activity.
The isolated incidents you describe, bad actors phishing or attempting to use social engineering tactics, are not unique to Shipt.
We take data security very seriously and have taken, and will continue to take, several actions to inform and educate the Shipt team, as well as Shipt Shoppers, on how to keep accounts secure. We’ve implemented additional precautions to protect accounts, locked and required password resets for impacted accounts, and reimbursed people for the full amount of loss. We’ve also made our frontline employees aware of this scam activity and provided them with tips and guidelines for how to handle them. We have proactively emailed all shoppers, posted information on our Shopper Hub, have a team of individuals dedicated to monitoring for, and responding to, fraud, and conducted additional internal team training. Shipt has also offered two-factor authentication since January to our approximately 300,000 Shipt Shoppers and customers as a tool that helps protect against scams.
If a shopper believes they’ve experienced unauthorized account activity, we encourage them to immediately report it to us at 205-502-2500 and receive 24/7 support.
Security issues are significant and continue to be a growing concern for everyone and every entity. As demand by users for transaction convenience increases, the bad actors will seize the opportunity. It is certain not everyone will follow the best practice rules of security. Most likely, gig contractors and perhaps FTEs are not even instructed in the basics of Internet security. The greatest vulnerability is ignorance. It is incumbent upon business to instruct users of their systems on Internet security best practices. This activity needs to be built into ongoing budgets of HR/Education/Operations and Technology. Unfortunately, security practices are not static. What was security best practice a year ago is at best marginal practice today.