How It's Been Done
The scam works like this: the courier accepts an order and travels to the restaurant to fulfill it. Shortly after they arrive, they get a call or text from the "customer" telling them some kind of story of which there are several varieties. In my own experience, the "customer" told me that they placed the order to make sure that I was actually out on the road. Others were told that Postmates Support placed the order in order to make sure the app was functioning properly.
The courier is then thanked for their hard work and told that they will receive a bonus and the amount of the supposed bonus has ranged from $20 to $100, but it doesn't matter because it's a lie anyway. All "Postmates Support" needs to give you this bonus is your log-in information, consisting of your email address and the password you use to log-into the app. Of course, this is bullshit because Postmates can send money to your account without having to ask for this information.
As soon as the scammer has this information, they will log-into your Postmates account and change your payment settings, adding their own credit card to receive your payment and they will promptly take every last dollar you still have in your Postmates account that you hadn't already cashed-out.
Since the app masks the phone numbers of both the customer and the courier, it is impossible to know from where the scammer was actually contacting you and it's most likely that they are in another state. Couriers from around the United States have reported receiving these calls.
Scamming Via Text Message
Most of the time, the courier is contacted via text message and the scammer requests that you text them back with your full name, email address and log-in password. No link is sent.
A lot of Postmates couriers are already wise to the scam, but posts from new victims always seem to arrive on Facebook or Reddit.
If you are contacted by a scammer in this fashion, you have two choices:
- Cancel the order immediately. You won't get paid for the job and you should contact Postmates immediately to let them know about it and so that cancelling the order won't count against you with the company.
- Fulfill the order. This is a good option, if the delivery point is close enough. Obviously, you won't get a tip out the job, but you will score some free food and it's extremely unlikely that the scammer will actually meet you at the delivery site. The scammers typically place very small orders (e.g. a bottle of water, an order of onion rings, etc) so you're not getting a full-course meal of of it. When I received a scam call like this, I was tempted to add a large Coke to the order, but the taco, small root beer and onion rings were enough for me, even though the scammer was probably never going to file a complaint against me with Postmates for increasing his order without his permission. Just send them a fake email address and password and make the delivery anyway. Once you arrive at the delivery spot, click the button that indicates that there's no one to accept the delivery and wait the required five minutes. The scammer won't cancel the order themselves, because they'll get billed for the job. But, they will get billed if you fulfill the order. Remember that the money they'll lose in the order's fulfillment is money that they've likely stolen from another Postmates courier, so fuck those guys!!!
Whatever decision you make, take screen shots of whatever the scammer sends you. If they call you, tell them where you are is too noisy and you'd prefer that they text you. If they won't text, just proceed however you wish.
You should especially take screen shots if the scammer texts you and tells you to call/text them at another number. Do not call or text any number the scammer gives you from your own phone number because you don't want them to have it. I have a Talkatone app downloaded to my phone with a burner number that I use to call suspicious numbers. Call them using a burner account to make sure the number they gave you is valid. Post the screenshot on Twitter, Facebook and Reddit with the hashtags #scam and #scammer, so other people can put the number on blast.
A New Twist
Some tech-savvy scammers finally decided to set-up a website that couriers and even customers could go to and enter their log-in details. The first one of which I am aware was
postmatessupport.online
The site is no longer active, having been repossessed by GoDaddy, the company from whom the scammer purchased the domain.Not to be deterred from scamming people out of their hard-earned money, the scammers went and purchased another domain from GoDaddy on 2 August 2019, which is
postmatesonline.co
and this site's registration information is readily-available on GoDaddy's website.Rather than take the chance that the registrant will alter this information after becoming aware that it's out in the public eye, I'll summarize it:
Registrant Name: Shawn Andrew
Registrant Organization: Transportation
Registrant Street: 78 idlewild rd
Registrant City: Edison
Registrant State/Province: New Jersey
Registrant Postal Code: 08817
Registrant Country: US
Registrant Phone: +1.415-2563-2154
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: shawn.andrew8766@gmail.com
Please understand that this information may be false and I have no idea what steps GoDaddy takes to ensure that the registrant's information is accurate. The scammer may have entered false information and Shawn Andrews may be completely innocent.
To be perfectly blunt: DO NOT CONTACT "SHAWN ANDREWS" IN PERSON, BY PHONE OR BY EMAIL BECAUSE HE MAY BE 100% INNOCENT OF ANY WRONGDOING.
Steps That Have Been Taken
I sent an abuse report to GoDaddy, with a CC going to Postmates Support (the real one) as well as to agencies of the Federal Government that handle phishing websites.
Here is the official response from GoDaddy that indicates they had received my complaint.
However, after a few days, GoDaddy had taken no action against the website.
In my experience, Postmates has never responded to any notification I have sent them regarding scam sites targeting their couriers.
To be fair, Postmates does have a notice posted on their app in the Newsroom section that warns us to never share our log-in information with anyone and that Postmates will never ask us for that information themselves. So, Postmates has done all they can really be expected to do. It's not their fault that people either didn't read the warning or have ignored it.
People have wondered if the Postmates app had been hacked, but the scammers are placing orders in the app, knowing that it will conceal their actual phone number. The scammer who contacted me was using a burner phone which he shutoff once he realized that I was wise to what he was trying to do and so that I couldn't call and harass him anymore.
Postmates' Reaction to the Scam
In my experience, Postmates has never responded to any notification I have sent them regarding scam sites targeting their couriers.
To be fair, Postmates does have a notice posted on their app in the Newsroom section that warns us to never share our log-in information with anyone and that Postmates will never ask us for that information themselves. So, Postmates has done all they can really be expected to do. It's not their fault that people either didn't read the warning or have ignored it.
People have wondered if the Postmates app had been hacked, but the scammers are placing orders in the app, knowing that it will conceal their actual phone number. The scammer who contacted me was using a burner phone which he shutoff once he realized that I was wise to what he was trying to do and so that I couldn't call and harass him anymore.
Testing the Scam Site
The scammers will undoubtedly become aware that this gravy train may be coming to an abrupt end sometime soon and are probably already working on the website to replace the one they are currently using.
As you can see, the fake website does look like it could pass for the real one.
Scrolling to the bottom, you find the section where you "verify" your account
and here's what this section looks like after you enter your information.
I took an old email address that I seldom use and tried to see how they would react if I entered the email address and a fake password. I wondered if the scammer would write to me to say that my verification attempt failed. So far, I haven't heard back. It's possible that the scammer doesn't pay much attention to the site, except at times when they are actually out scamming.
Sending an email report to GoDaddy didn't result in the site being taken down and it's impossible to know how many people have actually filed a report after being contacted by the scammer or even after having lost money.
I decided to take a different approach and actually use GoDaddy's Help Center and file a complaint about the phishing attempt. I visited the GoDaddy homepage, found the Help Center and clicked on the Report Abuse link. I selected "Phishing", filled-out the complaint and submitted my report.
I think if everyone who knows about this scam site were to do the same thing, GoDaddy is more likely to take action.
Since the stated email address of the site's registrant is a GMail account and Google links appear at the bottom of the homepage, I sent an Abuse Report to Google and GMail. Honestly, I really don't expect to hear back, one way or the other.
Next, I reported postmatesonline.co as a phishing site. I did this with Google Safe Browsing and I sent an email report to the Cybersecurity and Infrastructure Security Agency (CISA) which can act under the authority given to it by the United States Government.
In an attempt to have the site blocked from view on Android and iPhones, I contacted Google, Android, McAfee and Apple Support on Twitter and reported the phishing site. If they can block the site from being viewed on people's smartphones, it will be harder for them to scam Postmates couriers and customers.
You may be wondering if hiring a hacker to take down the site would be a good idea and I don't think that it's worth it. I visited the Hackers' List website and looked at the price quotes that are expected for taking action against websites and the costs can run into hundreds of dollars. Since a scammer can simply create a new website very cheaply and in a very short period of time, it just doesn't make financial sense.
UPDATE: As of 15 September 2019, this website is offline.
A new site - postmates.pro - has come onto the scene. While the site may have once been active, it no longer seems to be online and you only get the 404 warning now. Here is their registration data from GoDaddy:
You should immediately file a report with the Internet Crime Complaint Center at this link. Make sure you have all information ready, such as screen shots of any texts that the scammer may have sent you.
I will update this blog post if/when I hear back from the companies and agencies to whom I sent reports.
Duane Browning
Striking Back
Sending an email report to GoDaddy didn't result in the site being taken down and it's impossible to know how many people have actually filed a report after being contacted by the scammer or even after having lost money.
I decided to take a different approach and actually use GoDaddy's Help Center and file a complaint about the phishing attempt. I visited the GoDaddy homepage, found the Help Center and clicked on the Report Abuse link. I selected "Phishing", filled-out the complaint and submitted my report.
I think if everyone who knows about this scam site were to do the same thing, GoDaddy is more likely to take action.
Since the stated email address of the site's registrant is a GMail account and Google links appear at the bottom of the homepage, I sent an Abuse Report to Google and GMail. Honestly, I really don't expect to hear back, one way or the other.
Next, I reported postmatesonline.co as a phishing site. I did this with Google Safe Browsing and I sent an email report to the Cybersecurity and Infrastructure Security Agency (CISA) which can act under the authority given to it by the United States Government.
In an attempt to have the site blocked from view on Android and iPhones, I contacted Google, Android, McAfee and Apple Support on Twitter and reported the phishing site. If they can block the site from being viewed on people's smartphones, it will be harder for them to scam Postmates couriers and customers.
You may be wondering if hiring a hacker to take down the site would be a good idea and I don't think that it's worth it. I visited the Hackers' List website and looked at the price quotes that are expected for taking action against websites and the costs can run into hundreds of dollars. Since a scammer can simply create a new website very cheaply and in a very short period of time, it just doesn't make financial sense.
UPDATE: As of 15 September 2019, this website is offline.
The Next Generation
A new site - postmates.pro - has come onto the scene. While the site may have once been active, it no longer seems to be online and you only get the 404 warning now. Here is their registration data from GoDaddy:
Name: postmates.pro
Registry Domain ID: D503300001162786830-LRMS
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2019-09-13T17:05:04Z
Creation Date: 2019-09-13T17:05:03Z
Registrar Registration Expiration Date: 2020-09-13T17:05:03Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.4806242505
Registry Registrant ID: CR388272312
Registrant Name: john smith
Registrant Street: 1044 noble ave
Registrant City: Bridgeport
Registrant State/Province: Connecticut
Registrant Postal Code: 06608
Registrant Country: US
Registrant Phone: +1.9412468042
Registrant Email: postmatestakemoney1388@gmail.com
I received no response when I sent an email to the registrant or text and they didn't answer when I called their phone number.
If You Have Lost Money to This Scam
You should immediately file a report with the Internet Crime Complaint Center at this link. Make sure you have all information ready, such as screen shots of any texts that the scammer may have sent you.
More To Come?
I will update this blog post if/when I hear back from the companies and agencies to whom I sent reports.
Duane Browning
3 comments:
Please read my post on reddit under user name fitzy000 for more info to tell all
This is happening to me right now. It's had left me destitute. I have no gas money to go and make deliveries. I have Changed passwords on all of my accounts and somehow they are still siphoning my money. I'm not sure what to do. On top of it all I'm ashamed that I let them get one over on me.
My apologies to everyone who posted a comment, but didn’t see it posted right away. Google had disabled comments on Blogspot for a long time and I neglected to check for any updates.
I have gone through all pending comments, approved most and deleted the spam.
I will be more diligent about checking my pending comments in the future.
Duane
Post a Comment