The Future Is Here
We may earn a commission from links on this page

A Phishing Scam Targeting Postmates Drivers Pretends to Represent the Company to Empty Out Victims’ Accounts

This illustration photo taken on June 30, 2020 shows the logo of delivery app Postmates on a smartphone screen in Los Angeles.
This illustration photo taken on June 30, 2020 shows the logo of delivery app Postmates on a smartphone screen in Los Angeles.
Photo: Chris Delmas / AFP) (Getty Images)

As if gig workers didn’t have it hard enough already, they now have to be on the lookout for possible phishing scams from malicious actors that pretend to represent their company.

An in-depth report by the Markup published this week describes the phishing scams, which the outlet states have affected hundreds of Postmates drivers. The scams typically work like this: Bad actors place an order to be able to talk to the driver, they call the driver pretending to be Postmates employees, and then con the drivers into giving up their logins and passwords.

Advertisement

Once the scammers log in, they change the payment information on the account and drain it. Since Postmates generally deposits drivers’ earnings on Mondays, scams tend to occur on the weekends when drivers have the most earnings waiting to be deposited.

Advertisement

Postmates was acquired by Uber last December. The delivery service has more than 500,000 fleet members.

Advertisement

Meghan Casserly, head of delivery communications for Uber and Postmates, declined to tell the Markup how many Postmates drivers had been affected by phishing scams. Casserly told the outlet that Postmates sends out “periodic reminders” about fraudulent activity and works to safeguard drivers’ earnings.

“While incidents like these are not unique to Uber or Postmates, we take all reports of fraudulent activity very seriously,” Casserly stated.

Advertisement

She also said that Postmates has a support page that includes some pretty generic warnings about phishing scams. In all honesty, the page is titled, “How can I keep my account safe?” While the intention is probably good, it doesn’t really do a good job of communicating that this is a danger that drivers face now and that they should be aware of it.

In addition, Casserly stated that Postmates does have prevention measures in place, such as two-factor authentication and blocking payouts if there is an indication of fraud. The Markup noted that drivers who shared their experiences with the scams online have said they weren’t able to recover their stolen earnings. Casserly told the outlet that Postmates has a process that allows drivers that are verified victims of a scam to request reimbursements.

Advertisement

Yet, she did not tell the outlet how many workers have been able to get their earnings back via this route.

Gizmodo reached out to Postmates and Uber to ask whether the companies had plans to take any additional action to prevent couriers from falling prey to these phishing scams in the future. We’ll make sure to update this blog if we hear back.

Advertisement

If you’re a Postmates driver, how can you avoid getting scammed by despicable people? Here are some things you should know according to Casserly and Postmates’ own guidance:

  • Postmates will never tell you there are suspicious changes to your password or bank account information via phone call. It will always be done through its automated monitoring systems.
  • Postmates will never ask you for your account login information, including your username, password, or a code texted to your phone.
  • Do not provide login information even if the person you are speaking to claims to be a Postmates employee.
  • If you receive a phone call or text requesting your login information, do not provide any of the information requested or click on any of the links in the text. Contact Postmates immediately so they can investigate the incident.
Advertisement

While it’s important for gig workers to be vigilant and cautious, it’s also important for companies to take steps to protect their workers. This means going beyond stating facts or linking to generic support pages.