Scammers Are Hacking Target's Gig Workers and Stealing Their Money

Scammers have been spoofing Target’s delivery company Shipt’s phone number in order to steal its gig workers’ earnings by phishing their credentials from them. From a report:

On the morning of March 28, a gig worker near Tampa, Florida, was shopping an order for Shipt, Target’s delivery platform, when he received an email from “Shipt Support” asking him to reset his password. The worker says he didn’t request to reset his password, but didn’t think much of the email and went on with his day. Later that evening, the worker says he was sitting at home on his couch when he received a phone call from Shipt’s corporate headquarters’ phone number. Someone identifying themselves as a Shipt employee and addressing the worker by his first name said there had been unusual activity on his account regarding his password and asked him to read back a code that had been emailed to him to verify his identity.

Remembering the password reset email from earlier that day, the worker provided an authentication code that he’d received via email from Shipt. Shortly after, he received an email notifying him that someone had added a debit card to his account. When the worker checked his account again, he realized someone had logged in and cashed out his entire paycheck – $499.51. “I noticed my withdrawal balance was zero,” he said in a public video uploaded to Facebook. “At that point, I’m livid. I’m pissed.”

In recent weeks, personal shoppers on Target’s delivery app, which boasts roughly 300,000 personal shoppers in the United States, have been repeatedly targeted by scammers hoping to steal their earnings by phishing gig workers’ credentials from them. Since March 28, more than 30 gig workers have posted in private, unofficial Facebook groups for Shipt’s personal shoppers saying scammers have targeted them using phishing schemes that include spoofing Shipt’s corporate phone numbers and asking for passwords over the phone. In at least some cases, the strategy used by scammers is different from other phishing campaigns: Scammers trigger password reset emails sent to personal shoppers by clicking the “forgot password” button below the Shipt login. Then they follow up via phone, asking personal shoppers to “verify” their passwords in order to look into “unusual activity” or requests to update info on their accounts.
