“Like free food? Me too,” says the message on the app. “Which is why I’m offering 2 ways to earn free food.”
Or more accurately, new ways to rip off restaurants, delivery apps and consumers.
An elaborate scheme is out there where scammers use stolen personal information and payment data to sell deeply discounted restaurant meals delivered right to your door.
It reminds me of someone selling handbags out of a car trunk. There’s no way that a designer purse can be priced that low but some shoppers don’t want to imagine that the guy on the corner is making quick cash on stolen merchandise or counterfeit goods.
Now it’s Korean-style fried chicken or lobster tacos.
Many of us picture fraudsters only going after big ticket rip-offs, like romance scams where tens of thousands of dollars can be lost, or tax time scams that scare people into putting $1,000 or more on gift cards to pay back taxes.
But the scammers know how to play up what’s popular in all sorts of ways so that even relatively small-time deals can add up to big dollars in the fraud economy.
Restaurant-related scams exploded when many people were home during the pandemic and restaurants embraced the delivery model to limit indoor dining.
Who isn’t looking for a deal on food?
“If you need to eat, you need to eat,” said Brittany Allen, trust and safety architect for Sift, a fraud prevention company. She has worked about a decade at e-commerce marketplaces, including Etsy and Airbnb, to prevent the misuse of consumer data.
Many people who lost jobs and faced financial challenges during the pandemic were looking for bargains. Some easily rationalized questionable pitches that suggested a way to basically get restaurant meals for nothing.
The proliferation of food delivery services and restaurant apps only creates another easy target for scammers who engage in account takeover attacks.
I first heard of this unusual scam when a friend at the Free Press told me she spotted a $60 charge on her credit card for Bonchon Chicken on Grubhub. She thought that the charge was weird because she hadn’t ordered Grubhub in a long time and rarely gets food delivery.
She went to Grubhub and saw that someone in Philadelphia had used her account for a Bonchon Chicken order that subsequently was canceled. Yes, she called her credit card company and got a new number and card issued.
Messaging apps, like Telegram and Discord, which reach people beyond your own circle of contacts, often are used to promote some sketchy offers.
A TikTok video even shows how to get “free food” and how to scam delivery companies.
Some consumers spot the deals on social media sites, like Facebook and Instagram, where fraudsters impersonate a big brand name and offer so-called local specials.
How the scam works
The fraudster might advertise that they can place an order via a stolen Grubhub account. But the crooks want 20% of the total order value to provide this service.
The consumer shopping for the “deal” then orders $100 worth of food from a local restaurant and pays the fraudster, say, $20 in cryptocurrency.
The discount diner who is ordering the kung pao chicken dumplings or steak and cheese sandwiches at a great price pays a fraction of the value of the food ordered.
The fraudster then orders the food and pays $100 to Grubhub using the credit card on file in the stolen account.
The fraudster often uses another consumer’s credit card that’s on file in a food delivery app — information that the crooks have on hand — to make the purchase and ding that card to pick up the rest of the cost for your low-budget, OK, let’s make that stolen, meal.
Some consumer could be eating on the cheap in Philadelphia while a credit card for someone in Detroit will be used to pick up most of the tab.
Or the crooks may be able to use any loyalty points that you’ve built up or any account balance, Allen said.
“It’s turning into a fraud as a service (kind of) attack,” she said.
What some delivery services, restaurants are warning
Grubhub said it is vigilant about trying to prevent unauthorized activity and has safeguards in place, such as securely encrypting credit and debit card information using a third-party payment processor.
“But, unfortunately, there will always be people who try to use technology fraudulently,” according to a Grubhub spokesperson.
Diners are encouraged to contact the delivery app and their bank immediately if they notice suspicious charges.
“As a matter of practice, we also recommend that diners monitor their account and use a password that is unique to Grubhub and change it regularly.”
Another twist on food delivery scams: Fake websites mirror a local restaurant. The consumer orders food and pays by credit card. But the food may never arrive. Or a delivery person comes to pick up an order that might not show up in the system but the restaurant fills the order anyway — and then realizes that the order wasn’t real and they aren’t being paid.
The Better Business Bureau has warned of such fake restaurant sites, which might be set up only to steal your credit card information and never deliver any food. The BBB suggests that if you suspect you entered your credit card information to a fraudulent website, you should cancel your card right away and request a new one. The crooks know how to spoof delivery sites and restaurants. Look out for odd URLs before placing an order.
Sometimes, diners enjoy the scam
In some cases, consumers are willing participants in a scam that saves them money.
A local restaurant told me that they’ve experienced cases where someone claims they’re at the restaurant to pick up an order made online — but the restaurant knows that’s a fraud because they don’t take orders online.
“You can honestly search for the word ‘fraud’ or ‘free food,’ ” Allen said.
In many cases, “those diners are fully aware that whatever they’re participating in has to do with fraud,” Allen said. “They are not in the dark about this.”
Private messaging apps like Telegram, she said, offer ways for scammers to appeal to a wider audience that is interested in fraud but might not be technically savvy enough to navigate the dark web.
Fraudsters might even offer “free food” if you refer a group of friends.
“Once a diner who wants to receive this food goes to one of these Telegram groups, honestly all they have to do is make a payment via a cryptocurrency. Fraudsters are smart; they know that credit card transactions can be reversed or disputed. They don’t want to deal with that,” Allen said.
“They’ll get paid in Bitcoin or Ethereum.”
For the scam to work, though, fraudsters start out getting information via large data breaches where hackers can get names, addresses and email addresses and possibly financial information, such as credit card and debit card numbers.
Allen said the fraudsters take advantage of the fact that about 70% of consumers use the same password at a variety of sites. Once they have your password for one entity, they can use the same one for another.
The fraudsters obtain breached credentials from one platform and test them against websites, she said, including restaurant sites or delivery apps that they want to target.
Scammers are adapting to skirt security measures that restaurants try to put in place.
In early March, Allen spotted a fraudster posting how to get around one restaurant’s effort to block delivery from certain addresses that had repeated fraud.
The fraudster suggested that its customers give an address that’s two or three doors down from where they live and then the diner can go in the street to that location to pick up the food delivery as a way to continue getting service.
“They were basically going to be burning the addresses of totally innocent neighbors,” she said.
How do you know if your account was used to buy someone a round of burgers?
Signs include a password change, an alert to a phone or an odd charge to a credit card or debit card.
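As an added example (not from the article, Grubhub or Sift), the signs above and the earlier Philadelphia order on a rarely used account can be written as a simple order-screening check that a delivery platform might run. The field names, thresholds and sample orders are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Thresholds are illustrative assumptions, not values from the article.
DORMANT_AFTER = timedelta(days=180)
RECENT_PW_CHANGE = timedelta(days=2)

@dataclass
class History:
    last_order_at: Optional[datetime]
    usual_cities: frozenset
    password_changed_at: Optional[datetime] = None

@dataclass
class Order:
    account: str
    placed_at: datetime
    delivery_city: str

def takeover_signals(order, hist):
    signals = []
    # The account owner "hadn't ordered in a long time".
    if hist.last_order_at and order.placed_at - hist.last_order_at > DORMANT_AFTER:
        signals.append("dormant_account")
    # Delivery goes to a city the account has never used.
    if hist.usual_cities and order.delivery_city not in hist.usual_cities:
        signals.append("new_delivery_city")
    # A password change shortly before the order.
    changed = hist.password_changed_at
    if changed and timedelta(0) <= order.placed_at - changed <= RECENT_PW_CHANGE:
        signals.append("recent_password_change")
    return signals

def review_queue(orders, histories, min_signals=2):
    # One sign alone is often a traveller; several together warrant a hold.
    queue = []
    for order in orders:
        signals = takeover_signals(order, histories[order.account])
        if len(signals) >= min_signals:
            queue.append((order.account, signals))
    return queue

# Constructed sample data.
HISTORIES = {
    "diner-detroit": History(datetime(2021, 1, 10), frozenset({"Detroit"})),
    "diner-regular": History(datetime(2022, 3, 1), frozenset({"Detroit"})),
    "diner-travel": History(datetime(2022, 2, 20), frozenset({"Chicago"})),
}
ORDERS = [
    Order("diner-detroit", datetime(2022, 3, 5, 19, 30), "Philadelphia"),
    Order("diner-regular", datetime(2022, 3, 4, 18, 0), "Detroit"),
    Order("diner-travel", datetime(2022, 3, 3, 12, 15), "Milwaukee"),
]
```

Calling `review_queue(ORDERS, HISTORIES)` holds only the dormant Detroit account's Philadelphia order; the regular diner and the traveller pass through.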
Consumers should make sure not to reuse the same passwords. Craft unique passwords for a variety of apps and services.
Also set up alerts for purchases on your credit card that can help you react quickly before more charges are made. You can have the number changed by the credit card issuer when you know your card has been compromised.