Large-Scale ‘Instacart’ Hacks Pushing Gig Workers in Despair

• Hackers are now targeting Instacart accounts that have been doing pretty well during the pandemic.
• Gig workers are increasingly targeted by phishing actors who employ social engineering.
• The platforms appear indifferent to restore the accounts once they’re deemed risky by their algorithms.

There’s a wave of hacks targeting gig workers who rely on platforms like Instacart to make ends meet, and according to numerous reports that come from victims, there’s really no way to deal with them once they get you. Because the pandemic has created a boom for online shopping, grocery delivery and pickup services like Instacart have exploded, welcoming tens of thousands of new shoppers. These people have found a way out of the lock-down-induced unemployment, and they were happy to be able to support themselves and their families again.

Hackers though were quick to take note of this activity, as they always do, and launched various targeted phishing campaigns against these people. If these accounts were making money, they were valuable, and hackers are after anything that they can potentially exploit to divert money into their pockets. The hackers steal the users' data, take over their accounts, and drain their earnings, all by phishing security codes to log in and create shopping orders.

As many Instacart shoppers report, if you fall victim to this, the platform will sooner or later deactivate you. To make matters worse, most find it impossible to get their accounts back to normal status even if they follow the advised procedure and give all the proof they are asked for. Instacart just seems to rely solely on an algorithm that handles these flags, so if an account has a suspicious activity like logins from two remote locations, for example, it will be very hard to reinstate.

Another shopper I spoke to said she felt completely ignored while trying to appeal to Instacart over her 'linked' account deactivation. Today, she got an email saying her appeal was approved and her account reactivated. She still doeosn't understand what happened.

— sara ashley o'brien (@saraashleyo) April 30, 2021

@Instacart Please, I need a positioning of the company and that my account is reactivated, because there is NO reason for the deactivation.

— Chris Serrano 🇪🇸🇺🇸🇧🇷🇦🇷✌🏻 (@ChSerrano18) April 13, 2021

But Instacart isn’t the only space where crooks are engaging. Last week, Vice reported about an uptick in hacking attempts against gig workers of Shipt, Target’s delivery platform. A large number of reports from Shipt users mention the reception of password reset emails, indicative of account takeover attempts.

These emails were followed by calls over the phone, where scammers pretended to be Shipt employees needing to verify the user’s account. For this, they asked the code that was emailed to them, allegedly as a result of a centrally-controlled verification process. The scammers then added a credit card to the victim’s account and emptied the balance by transferring the entire paycheck into their pocket.

In all cases, the responsibility to protect these accounts burdens the gig workers themselves. Even in the case of Shipt, where the 2FA step is in place, it isn’t something that simple yet effective social engineering cannot possibly overcome. If you are making money online on Instacart, or any other platform, beware of scamming attempts and remain vigilant against phishing actors at all times.