Gig workers, who report to a phone app instead of a human, are unusually vulnerable to phishing scams that drain entire paychecks
By: Dara Kerr
Courier Benjamin Safer thought he’d hit the jackpot when he got a Postmates order to deliver a single cookie from a downtown San Francisco McDonald’s. It’d be a quick pickup, light to carry on his bike, and the drop-off location was a flat ride about a mile away. It would also help get him one step closer to his goal of 10 deliveries that Sunday night, which meant a $75 bonus from Postmates.
“It’s San Francisco. It’s windy. It’s cold. Someone wants a cookie and doesn’t want to go out,” Safer said. “You’re like, ‘This is gold. I’m closer to hitting my quota.’ ”
But it was too good to be true. The order was the first step in a scam that cost Safer his entire week’s earnings, $346.73, one of his highest ever, and earned him a long, fruitless battle to get his money back.
Safer had fallen for a phishing scam that thrives on the dynamics of an app-based workplace, where workers answer to an algorithm instead of a human boss, have no colleagues, and get little in the way of training or guidance that could help them spot when they’re being preyed upon.
And because their earnings can be cashed out via instant transfer at any time, their pay can be stolen in ways that regular employees’ paychecks cannot—simply by scamming the couriers into revealing their passwords.
“In regular employment arrangements, there is a company culture and there are always people you can talk to. One word for that is social transparency,” said Elizabeth Watkins, a senior research assistant at Princeton University’s Center for Information Technology Policy. “In gig work, they don’t have this—it’s called digital isolation.”
The Markup spoke with three Postmates workers who were targeted by similar scams, one of them three times. The scams typically involve putting in an order for the sole purpose of being able to talk to the driver on the phone, pretending to be Postmates employees, and getting the driver to reveal his or her login and password.
Postmates couriers have detailed hundreds of similar stories on Reddit, Twitter, YouTube, and even the jobs site Glassdoor. Workers for Lyft, Instacart, and DoorDash have been hit by similar scams. And experts say companies like Postmates should anticipate that their workers will be targeted and take simple steps to shield them.
“There are constantly new drivers who have no idea of what to look out for,” Watkins said. “The platforms owe it to their workers to use tools at their disposal to protect them.”
Postmates has more than 500,000 couriers, mostly based in the U.S. Uber recently acquired the company for $2.65 billion. Meghan Casserly, head of delivery communications for Uber and Postmates, said, “Our teams work hard to safeguard the earnings of drivers and delivery people who use our platforms, and will continue to make privacy education a priority.”
She declined to say how many complaints Postmates has gotten from workers about phishing scams.
After Safer picked up the McDonald’s cookie, he answered a call from an unknown number. The caller identified himself as a Postmates employee and told Safer that his account had been flagged for fraudulent use. The caller said Postmates needed to cancel the McDonald’s order and verify Safer’s information to avoid deactivation.
Safer said he followed the instructions. “I was panicked. I didn’t want my Postmates account to be deactivated,” he said. “The whole conversation was weird to me, but it kind of made sense.”
Once scammers get couriers’ login details, they’ll change the debit card information to their own and drain the couriers’ accounts. Postmates typically transfers workers’ weekly earnings to their bank accounts on Mondays, so scams tend to happen on weekends when workers’ Postmates accounts are full. The company has an instant transfer feature, but it comes with a $0.50 fee, so many workers wait for the free weekly payout. When scammers cash out couriers’ savings, they use instant transfer.
Safer said that on the Tuesday after the cookie incident, he woke up at 4 a.m. with a bad gut feeling. He checked his Postmates account, and it was empty. He had planned to use the big paycheck to pay off his credit card.
“It’s been a stressful time financially,” Safer said.
Steve Ragan, a security researcher with cybersecurity and cloud service firm Akamai, said gig workers tend to be easy prey for this type of scam.
“Gig workers are lucrative targets for criminals,” Ragan said. “They’re stressed, they’re busy, and for many of them, they can’t lose this job. Criminals are taking advantage of that fear element.”
Ragan describes the scam as one part phishing, one part social engineering, because it involves the con artist playing up a power dynamic.
“Your boss or someone important is telling you to do something,” he said.
Some con artists will even get the restaurant involved, which adds another layer to the power dynamic. The Rancho Cucamonga Police Department, in California, posted a Facebook warning about a scheme in which the con artist first called the restaurant fulfilling the order. The scammer convinced the restaurant to tell the Postmates courier to call back and reset their password. When the courier followed those orders, the account was wiped out.
Rancho Cucamonga deputy Justin Applegate said Postmates was less than cooperative.
“When we talked to Postmates, they said they weren’t aware of anything going on,” Applegate said. “They wouldn’t give us any information over the phone; they wanted to speak to the driver personally.”
During the pandemic, these types of phishing schemes against gig workers have intensified, Ragan said.
“When we all got locked down last year, the criminals got locked down too. They shifted tactics directly to take advantage of COVID,” he said. “There is a connection between the pandemic and the targeting of gig workers. It’s dark-heart-type shady.”
Workers Say Postmates Hasn’t Done Enough
Shaleece Green was new to Postmates when a con artist targeted her last year. It started with an order for value fries from a Jack in the Box in San Diego. Green thought it was strange that someone wanted a delivery for something that cost around a dollar, but she figured, Why not?
As in Safer’s case, after she accepted the order, someone called claiming to be from Postmates. This time the caller told her to cancel the value fries because the customer used a stolen credit card. The caller told Green she’d get a $9 credit for the time the delivery had already taken her. Then the person asked her to hang up, check how much money was in her account, and call back with her login details.
Green did as she was asked. When she called back and told the person she had around $6 in her account, the caller hung up.
Confused, Green called Postmates customer service. The actual Postmates representative told her the company would never call and ask for account information.
“It sucks to go in there blind like that, and there’s nobody to help you,” Green said. “Postmates needs to get it together, put some preventative measures in place or notify people.”
All of the couriers The Markup spoke with said they wished they had warnings from Postmates about this scam. Casserly, the Postmates spokeswoman, said the company does send out “periodic reminders” about fraudulent activity and pointed to a Postmates support page that includes information on phishing scams. The couriers who spoke to The Markup said they’d never seen the support page before.
The couriers also said Postmates could put more protections in place for workers, such as placing a temporary hold on an account if the payment information has been changed and creating a caller ID that identifies customer calls as from “the customer.”
“While incidents like these are not unique to Uber or Postmates, we take all reports of fraudulent activity very seriously,” Casserly said. She said Postmates has included prevention measures, like two-factor authentication for account access and blocking account cashouts if it suspects fraud. She declined to say when those measures were added or how often cashouts have been blocked. The couriers who spoke with The Markup said they only noticed the two-factor authentication within the past few weeks.
Casserly added that Postmates workers are “notified in real time of any suspicious changes to password or bank account information through our automated monitoring systems, never by a phone call.”
Green’s account ultimately wasn’t breached, so she wouldn’t have been notified. But Safer said Postmates never contacted him about changes the scammer made to his account, and never returned his calls when he tried to get his money back.
“That’s what was so surprising. I don’t request for money to be taken out,” Safer said. “Postmates could’ve looked up where this money was being sent to.”
When he woke up that Tuesday morning and saw his account was empty, he immediately contacted Postmates in hopes the company would refund his money. “Communicating with Postmates has been hell in a handbasket,” he said.
When he first called, Postmates simply informed him it would never ask for his password. Then he emailed and got a boilerplate message saying it could take 72 hours to hear back. When he never got a response, he started calling repeatedly. Sometimes, he was kept waiting for up to an hour on the phone.
“Every time, they say, ‘Your account is being investigated,’ ” Safer said. “It’s the same call, same response.”
After about a month of trying, Safer gave up. He never recouped the money and decided to stop working for Postmates.
Other couriers who’ve detailed their sagas online also say they weren’t able to get their earnings refunded. Casserly said Postmates doesn’t comment on specific cases, but “when we can verify the courier was the victim of a scam, there is a process in place for the couriers to request reimbursements.”
She declined to say how many workers the company has repaid and didn’t respond to a request for further comment on what that process is.
Some Drivers Strike Back
Some workers, meanwhile, are coming up with their own strategies to deal with the scam.
By the third time Bryce Doubravsky got the call from scammers, he’d had enough. The first time he’d accepted a small order from McDonald’s and was on his way to make the delivery in Riverside, Calif. The con artist, posing as a Postmates staffer, called and said Doubravsky needed to verify his credentials.
The scammer then texted Doubravsky a link to a Postmates “support website.” Doubravsky said the site looked just like Postmates’. But right before logging on, he noticed the URL seemed slightly off.
“When I saw that, I thought, ‘Whatever is going to happen it’s going to be bad.’ And I hung up,” Doubravsky said. “As it’s happening, it’s pretty confusing because it’s not easy to see the con.”
The second time Doubravsky got the call, he decided to mess with the scammer by playing dumb. At one point, the con artist was so frustrated that he started yelling and saying Doubravsky was “terminated.” The third time it happened was just three weeks ago. Again, Doubravsky played dumb. That scammer ended up texting Doubravsky, “I could kill you,” according to screenshots provided to The Markup. “I’m gonna let you live this time.”
Doubravsky reported the incident to Postmates’ Trust & Safety Team, asking that the person be banned from the platform and for the company to add more security measures in the app. Postmates told Doubravsky that it “permanently deactivated the user” but didn’t respond to his requests for added protection.
“I would like to see them do more to stop this from happening to their drivers,” Doubravsky said. “Because there is a formula.”
This article was originally published on The Markup and was republished under the Creative Commons Attribution-NonCommercial-NoDerivatives license.