Will hacks of Shipt shoppers’ accounts slow down deliveries for the Target-owned service?
Source: Target/Shipt

Shipt and its gig workers deal with phishing attacks

Gig delivery workers now have something else to worry about besides whether they are getting enough shift hours or if customers are being generous with their tips. It seems that Shipt shoppers/drivers have fallen victim to phishing expeditions that have given thieves access to their accounts, enabling the criminals to steal the workers’ paychecks.

Motherboard, which broke the news after seeing private Facebook postings, reports that more than 30 people who pick and deliver orders for Shipt have been scammed to date. Shipt, the same-day delivery service owned by Target, employs about 300,000 gig workers in the U.S.

The report provides an account of one driver who received an email from “Shipt Support” in late March requesting that the worker’s password be reset. The worker, who did not request a reset, did so thinking that it was legitimate. It was not.

Later that night, someone claiming to be from Shipt called the driver addressing the individual by their first name. The caller said that the company had noticed some unusual activity on the driver’s account and asked for a code that had been emailed to the worker to verify his identity. The Shipt driver, still not suspecting anything was amiss, provided the information only to find out later that it was used to steal his paycheck.

Shipt, Motherboard reports, posted a message to drivers on its internal portal on April 9. “Never share your bank account info or shopper account password with anyone on the phone or through an email, even if they claim to be from Shipt. Shipt will never request that info this way.”

“We’re aware of the prevalence of scams like these that are often the result of phishing or an account takeover,” Danielle Schumann, a Shipt spokesperson, wrote in an email statement to Motherboard and The Verge. “A very small number of shopper accounts have recently experienced this kind of activity.”

Shipt has reimbursed contractors for the full amount lost in these phishing incidents. The company has said that it has taken steps including emails to bring those working with it up to speed on how to protect their accounts from thieves.

BrainTrust

"Education for gig workers on how scams work, along with enhanced security measures, will reduce the number of incidents. It’s up to the companies to take those steps quickly."

Jeff Weidauer

President, SSR Retail LLC


"Addressing security issues in payroll is paramount, but a couple phishing scams will not deter the growth of the model."

Trevor Sumner

Head of AI and Innovation, Raydiant


"Phishing is quite rampant. The industry preys on the less aware."

Venky Ramesh

CPG/Retail enthusiast, blogger and a couch potato warrior


Discussion Questions

DISCUSSION QUESTIONS: How significant a challenge do security issues around third-party contractors pose for retailers and their vendors who use these workers? Where do you see vulnerabilities, and what needs to be done to improve security?

12 Comments
Mark Ryski
Noble Member
2 years ago

This is yet just one more example of how anything and anyone connected to the internet is vulnerable to security breaches. While organizations can take steps to mitigate the risk, the fact is there is no way to completely eliminate it, especially when third-party contractors are involved who may not apply the same rigor. Unfortunately, there are no easy answers to solve this. All businesses (and people) need to remain vigilant about data security. As long as we’re all connected by the internet, there’s a security risk.

Jeff Weidauer
Member
2 years ago

Whether these security breaches become significant challenges largely depends on how Shipt and other third-party contractors respond. Education for gig workers on how scams work, along with enhanced security measures, will reduce the number of incidents. But it’s up to the companies to take those steps quickly.

Scott Norris
Active Member
Reply to Jeff Weidauer
2 years ago

Seems like there should be a secure, exclusive hardware connection involved here, instead of having contractors use their own phones. Phishing to steal contractors’ wages is low-hanging fruit, but what about malware installations that could mess with inventory counts, enable fake orders, etc.?

Suresh Chaganti
Member
2 years ago

This particular instance is a scam/phishing attempt as opposed to a hack, in a generally understood sense.

This is not unique to Shipt or delivery services. Phishing attempts are rampant in the corporates, particularly impersonating the C-level executives who just left and asking for money to be transferred. Or seniors getting sucked into social security scams.

Rick Moss
Reply to Suresh Chaganti
2 years ago

I agree, Suresh, about the use of the “hacking” term. We just revised our story accordingly. Thanks for pointing that out.

Trevor Sumner
Member
2 years ago

Addressing security issues in payroll is paramount, but a couple phishing scams will not deter the growth of the model. There is tremendous demand for gig work and while fixing these issues will be critical to maintaining trust, it will not deter the increased adoption as Target looks to expand Shipt for local deliveries of e-commerce as well.

Peter Smith
2 years ago

Kudos to Shipt for reimbursing the aggrieved workers, but in any evolving technology there are bound to be scams/phishing. Let’s hope the company takes meaningful steps (beyond emails) to safeguard against future abuse. The technology is not going anywhere and gig workers are, for good and/or bad, becoming essential to our commerce experience.

Venky Ramesh
2 years ago

Phishing is quite rampant. The industry preys on the less aware. The gig economy is relatively new to all, where the workers are not full-time employees and don’t fully understand the company culture or communication styles. That’s a fertile ground for fraud of all sorts. In order to curb it, gig companies need to ensure better training and awareness of right and wrong ways of communication – be it with the company, customers, or the potential predators.

Brian Numainville
Active Member
2 years ago

Today’s mix of modern-day social engineering and scams. Education and appropriate security measures help mitigate the risk, but it is an unfortunate reality with where we are at as a connected society. Definitely a challenge.

Jlauderbach
2 years ago

Security issues are significant and continue to be a growing concern for everyone and every entity. As demand by users for transaction convenience increases, the bad actors will seize the opportunity. It is certain not everyone will follow the best practice rules of security. Most likely, gig contractors and perhaps FTEs are not even instructed in the basics of Internet security. The greatest vulnerability is ignorance. It is incumbent upon business to instruct users of their systems on Internet security best practices. This activity needs to be built into ongoing budgets of HR/Education/Operations and Technology. Unfortunately, security practices are not static. What was security best practice a year ago is at best marginal practice today.