Some Target workers are reporting hacks that are siphoning money from their bank accounts over the past month.
Employees of the gig service Shipt have posted to Facebook various reports of the scammers’ activity, according to Motherboard.
Beginning March 28, upwards of 30 Shipt workers have reported the scam, saying they’ve noticed unusual account issues and that the hackers are asking for personal passwords. Hackers are reported to be disguising their identification as corporate employees.
Once they get in, they transfer the worker’s earnings to themselves.
Shipt is Target’s delivery app. The company employs about 300,000 contract shoppers in the United States.
According to Motherboard, the scam works through an “instant payout” feature Shipt rolled out earlier this year. It allows workers to cash out earnings almost immediately but also affords scammers instant access to the employees’ money.
The ongoing hack is more concerning because the scammers may already know workers’ names and phone numbers, suggesting a data breach.
Motherboard found such data-breach evidence at other companies but not at Shipt.
The concerns are being addressed, if gradually.
A representative from Shipt’s trust and safety team left a voicemail for a worker who’d complained about phishing attacks. “I just wanted to let you know about this issue that it’s something we’ve been looking into and something that we’ve been reviewing a lot of recently,” the representative said, according to a recording obtained by Motherboard.
In a statement emailed to The Verge, Danielle Schumann, a Shipt spokesperson, seemed to downplay to size of the attack. “We’re aware of the prevalence of scams like these that are often the result of phishing or an account takeover,” Schumann said. “A very small number of shopper accounts have recently experienced this kind of activity.”