A particularly nasty slice of phishing, scamming, and social engineering is responsible for DoorDash drivers losing a group total of around $950k.

DoorDash drivers are contractors who pick up food deliveries from stores and restaurants and deliver the products to the customer. A 21 year old man named David Smith, from Connecticut, allegedly figured out a way to extract large quantities of cash from drivers with a scam stretching back to 2020. Incredibly, this means it all began when he was 18. There’s picking up a new hobby, and then there’s this.

The theft would begin by placing a bogus DoorDash order, receiving the driver details, and then contacting said driver by text and / or phone claiming to be DoorDash support. From here, the driver would be convinced to hand over banking details or log in to a fake portal. The end result would be a loss of funds, and potentially not being able to do their job.

Considering that this took place during the pandemic, targeting drivers may have had a significant impact on vulnerable people whose only way to get food was via services like DoorDash. As with so many scams of this nature, the impact ripples out from the initial victim and never quite stops where you expect it to.

A typical example of how the scam would play out is highlighted in the Stamford Advocate. One driver on her way to a supermarket received a text which advised her not to complete her current order. A call followed, with the individual claiming to be from DoorDash support. He claimed a scam was being perpetuated by drivers, and he needed to make sure that she wasn’t involved.

He sent her a link to verify her identity, and then said she wouldn’t be able to access her earnings / account for roughly four days. Thankfully a reference to a fictitious DoorDash promo tipped her off that something wasn’t right, and she altered her login credentials just in time. Others were not so lucky, with one driver named in the Stamford article losing close to $5,000. A third lost somewhere in the region of $2,000 after being tricked by three scams in a row.

1,750 transactions in total ensured a steady stream of ill-gotten gains for the individual allegedly at the heart of the scheme. Variations on this scam included calls from “DoorDash security” which eventually resulted in banking details being handed over. In some cases, victims may never be identified due to the way some of the reports of theft have been stored in DoorDash’s systems.

It seems the only reason law enforcement has a name for this case at all is by sheer chance, after stumbling upon $700,000+ inside lockboxes while investigating an unrelated incident. At this point in time, it’s not clear that all of the 700 drivers will get their lost funds back.

The Stamford Advocate notes that Smith faces charges of “first-degree larceny, third-degree identity theft, two counts of second-degree forgery, trafficking in personal identifying information and first-degree computer crime”.

The court appearance is scheduled for July 6.

DoorDash mentions that drivers are trained to look out for scams and attacks, but this one managed to sneak in under the radar. While most people wouldn’t dream of targeting gig economy workers during a pandemic, unfortunately some people aren’t most people. All it took here was one individual with a game plan to cheat 700 folks out of close to a million dollars.

How to avoid phishing

  • Block known bad websites. Malwarebytes DNS filtering blocks malicious websites used for phishing attacks, as well as websites used to spread or control malware.
  • Don’t take things at face value. Phishing attacks often seem to come from brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Take action. If you receive a phishing attempt act work, report it to your IT or security team. If you fall for a phish, make your data useless: If you entered a password, change it, if you entered credit card details, change the card.
  • Use a password manager. Password managers can create, remember, and fill in passwords for you. They protect you against phishing because they won’t enter your credentials into a fake site.
  • use a FIDO 2FA device. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.