On the morning of March 28, a gig worker near Tampa, Florida, was shopping an order for Shipt, Target's delivery platform, when he received an email from "Shipt Support" asking him to reset his password.
The worker says he didn't request to reset his password, but didn't think much of the email and went on with this day. Later that evening, the worker says he was sitting at home on his couch when he received a phone call from Shipt's corporate headquarters' phone number. Someone identifying themselves as a Shipt employee and addressing the worker by his first name said there had been unusual activity on his account regarding his password and asked him to read back a code that had been emailed to him to verify his identity.
Remembering the password reset email from earlier that day, the worker provided an authentication code that he'd received via email from Shipt. Shortly after, he received an email notifying him that someone had added a debit card to his account.
When the worker checked his account again, he realized someone had logged in and cashed out his entire paycheck—$499.51. "I noticed my withdrawal balance was zero," he said in a public video uploaded to Facebook. "At that point, I'm livid. I'm pissed."
In recent weeks, personal shoppers on Target's delivery app, which boasts roughly 300,000 personal shoppers in the United States, have been repeatedly targeted by scammers hoping to steal their earnings by phishing gig workers' credentials from them.
Since March 28, more than 30 gig workers have posted in private, unofficial Facebook groups for Shipt's personal shoppers saying scammers have targeted them using phishing schemes that include spoofing Shipt's corporate phone numbers and asking for passwords over the phone. In at least some cases, the strategy used by scammers is different from other phishing campaigns: Scammers trigger password reset emails sent to personal shoppers by clicking the "forgot password" button below the Shipt login. Then they follow up via phone, asking personal shoppers to "verify" their passwords in order to look into "unusual activity" or requests to update info on their accounts. (The password reset emails are seemingly supposed to mislead workers into believing there has been suspicious activity on their accounts.) The scammers have also, in some cases, stolen two-factor codes over the phone.
A communication from Shipt to its personal shoppers posted in an internal portal on April 9 confirms that these calls are initiated by scammers. "Never share your bank account info or shopper account password with anyone on the phone or through an email, even if they claim to be from Shipt," it said. "Shipt will never request that info this way."
Earlier this year, Shipt rolled out an "instant payout" option for its gig workers, which allows them to access their earnings within an hour (instead of once a week) for 49 cents, but the new option has made it easier for scammers to prey on gig workers, many who live paycheck to paycheck, and deposit their earnings. The scam allows a criminal to steal a Shipt shopper's password, log into their account, change their payout information, and quickly drain their account.
Danielle Schumann, a spokesperson for Shipt, told Motherboard that the company is aware of the phishing scams and account takeovers but that the problem has not impacted many of its drivers. "A very small number of shopper accounts have recently experienced this kind of activity," she said, noting that the company has implemented precautions to protect accounts and reimburses workers for their losses.
A voicemail from Shipt's trust and safety team obtained by Motherboard also confirms these scams are impacting gig workers. "I just wanted to let you know about this issue that it's something we've been looking into and something that we've been reviewing a lot of recently," a Shipt representative said in a voicemail in response to a complaint about the phishing scams reported by a personal shopper.
These scams are not unique to Shipt but have proliferated across the gig economy during the pandemic on apps including Instacart, Postmates, Lyft, and DoorDash, according to a report in The Markup. The schemes prey on the unique vulnerabilities of gig workers, who, as independent contractors, do not have access to basic rights, protections, resources, training, or safeguards typically offered to employees on the job. For many gig workers, getting help when their accounts are hacked or income is stolen often feels like shouting into the void.
After he was scammed, the gig worker posted a public video on Facebook, explaining step-by-step how scammers hacked his account and drained his earnings. "I wasn't a happy camper yesterday. I'm still not a happy camper," he said. (He declined Motherboard's request to be interviewed but said that Shipt has reimbursed him the total amount of his losses.)
Motherboard spoke to four other Shipt workers who each told similar tales of scammers posing as Shipt corporate employees, as well as a customer who had their account breached in recent weeks. Scammers called and texted the victims to manipulate them into revealing their passwords to break into their accounts. In some cases, when personal shoppers have two-factor authentication set up, scammers prompt gig workers to read back codes emailed to them to gain access to their accounts once they'd secured passwords.
On March 29, a Shipt personal shopper and veteran in Portland, Maine, received two voicemails from numbers that looked like they were from Shipt's corporate headquarters. (Motherboard granted the worker anonymity because he feared retaliation from Shipt).
"I received a call from you and it looks like we got disconnected," the first voicemail from Shipt's corporate phone number said, addressing the worker by his first name. "If you could give us a call back whenever you can, I'd be more than happy to help you."
Throughout the day he received a series of calls, texts, and emails that appeared to be coming from Shipt. Finally, the gig worker picked up the phone. An agent informed him that there'd been unusual activity on his Shipt account and asked him for his password to go in and recover his account.
"He said 'you might not be able to access your account so we can change your password for you,'" the gig worker told Motherboard. "I said 'it’d be better if you can send me an email with a link.' He was like 'if you want I can change your password for you.' I said 'I’m not comfortable with that.'”
"I’m not gullible at all but this was sophisticated," the worker said. "They spoofed that number. I’m a vet and the first thing they do when they call is verify who I am and they ask me for my information, so this is creepy and scary."
Caller ID spoofing, the tactic being used by the scammers, is legal in the United States with the exception of doing so "with the intent to defraud, cause harm, or wrongfully obtain anything of value."
It's unclear whether multiple scammer groups are preying on Shipt's gig workers but the fact that some scammers are spoofing Shipt's phone number and others are not suggests a variety of strategies are being deployed.
On April 8, Karyn Johnson Dorsey, a Shipt personal shopper in San Bernardino, California received a call from a scammer with a phone number from San Diego threatening to deactivate her or prevent her from working on the app if she didn't provide her email address. Fortunately, she knew from reading warnings from other Shipt personal shoppers posted online that it was a scam and didn't provide any of her personal information. Motherboard reviewed a transcript of her call with the scammer.
"On my end, I see we have your email address, but you need to verify it or your account will be deactivated," a caller who identified themselves as "David from Shipt" told Johnson Dorsey in April, according to the call transcript.
Gig workers, including Johnson Dorsey, who've been targeted by phishing attempts say Shipt has not done enough to educate and warn their workforce about these phishing scams.
"If it wasn't for shoppers telling each other about these scams, none of us would know what's going on," said Johnson Dorsey. "Shipt sends us so many emails but they haven't warned us or told us anything about these scams by email."
Schumann, the spokesperson from Shipt, said, "We take data security very seriously and have taken, and will continue to take, several actions to inform and educate the Shipt team, as well as Shipt Shoppers, on how to keep accounts secure."
"We have proactively emailed all shoppers, posted information on our Shopper Hub, have a team of individuals dedicated to monitoring for, and responding to, fraud, and conducted additional internal team training," she continued.
The email alert that Schumann refers to was buried in a weekly newsletter sent on April 9, a day after Motherboard reached out to Shipt for comment about the scams. It discusses steps personal shoppers can take to improve security security, but does not specifically mention the recent prevalence of scams.
On the Shipt Shopper Hub, an internal portal for personal shoppers, the company posted guidelines on how to keep Shipt accounts secure. Gig workers say Shipt frequently floods them with emails and updates, and their attention was not specifically directed toward this point. None of the six gig workers Motherboard spoke to had seen it.
A fifth Shipt personal shopper, Gabrielle Wilkins, in Denver, Colorado, discovered her account had been hacked when she received a text on April 26 from Shipt saying she hadn't made progress on two orders.
Wilkins told Motherboard that she logged into her account to find she had two active orders that she didn't accept near Ann Arbor, Michigan. Later that day, she was deactivated, according to screenshots obtained by Motherboard. Wilkins has contacted Shipt repeatedly to resolve the issue but has not received a resolution. She says she had not given out her password or login information to scammers.
"They deactivated me in the middle of my account being hacked," said Wilkins. "I've tried to contact them and emailed. I'm worried they'll never respond to me about it."
"I've worked on Shipt for about two years," she continued. "[Being deactivated] is going to impact me a lot. I use Shipt to pay medical bills."
Shipt also appears to be blocking workers from warning each other about these incidents. In one instance, Shipt censored a Texas gig worker who posted a question about the scams on Shipt's company-controlled Facebook group. The post read: "Curious has anyone experienced a phishing scam on Shipt?" Motherboard reviewed a copy of his post which was not approved by the page's moderators. (Shipt has a well-documented record of censoring workers who voice concerns about their working conditions on the Facebook group, which has more than 140,000 members.)
Personal shoppers who've been subject to phishing schemes on Shipt say scammers have access to their names and phone numbers. None of the workers Motherboard spoke to remembers giving out this personal information to scammers, and several workers were concerned that this information may have been compromised in a data breach.
Motherboard found no evidence of a data breach at Shipt but found several of the victims' personal data in recent data breaches at other companies, which in some cases could be leveraged by phishers.
Schumann, the spokesperson for Shipt, said Shipt had not been breached. "At Shipt, we take account security very seriously and invest in monitoring, tools and controls to detect and protect against suspicious activity. Shipt has not been breached," Schumann said. The company introduced two-factor authentication in January.
Do you have a tip to share about a scam targeting gig workers? Please get in touch with the reporter Lauren by emailing Lauren.email@example.com or by messaging securely on Signal 201-897-2109.
Scammers also appear to be targeting customer accounts. Heidi Hudd, a customer in Traverse City, Michigan, received an email late one night in April saying she had placed an order for a pair of airpods. She logged into her account to see her address had also been changed to Plantation, Florida.
"I called Shipt and they didn't seem surprised and told me they'd fix it. I'm worried there was a data breach," Hudd said. "They didn't tell me what had happened—just to change my password and that was it."
Joseph Cox contributed reporting for this article.