The Uber Phishing Scam Everyone Needs to Hear About

in #uber · 6 years ago (edited)


Allow me to paint the picture. It had been 3 months since I drove as an Uber driver. So when I went to sign back up, I had to verify my account. This included a car inspection at the local Greenlight Hub, and sending in copies of my license and insurance. This took about 4 hours total.

After finally completing everything, I started driving late in the afternoon, about 4 PM. At 1 AM, I received yet another normal request from someone named Jimmy. A few seconds after accepting the trip, I get a call on my cell phone. It’s someone claiming to be from Uber, and that I need to verify my account. Since I was verifying things all day, I figured this was completely normal.

Here’s what happened next...

Phone Call // start

[pre-recorded disclaimer, similar to “this phone call may be monitored or recorded for quality assurance”]

Me: Hello?

Scammer: Hi, is this [my name]?

Me: Yes.

Scammer: We need to verify your account. Can you please pull over to a safe area?

Me: Okay, hold on… what’s this about?

Scammer: We’ve seen some suspicious activity on your account. In order to continue driving, you will need to verify 4 out of the following 5 questions. Before we continue, can you cancel your current trip, and do not charge the rider?

Me: Yeah, but how will they get picked up?

Scammer: We will send another driver out to get them.

Me: Okay…

Scammer: Question 1. Have you made any recent withdrawals on your account using Instant Pay?

Me: No, I have not. I have always waited for the system to automatically send a payment directly to my bank account.

Scammer: Okay, good. That’s correct. Now, I’m going to send you a text, asking you to verify your account email address.

This was the first text message:
[Screenshot: Verify email.png]

Me: [sends text with account email]

Scammer: Good. That is correct. Just a couple more items, and you can continue driving. You will receive another text asking for your password. Please respond with your password.

This was the second text message:
[Screenshot: Verify password.png]

Me: [pauses…] Wait a second. How do I even know you are from Uber?

Scammer: My name is [gives name], and my badge number is [gives badge number]. You are on your way to pick up Jimmy, and you have given 700 rides.

(Note: Not realizing this was all public information any rider can see on my profile, and being super tired, I believed he was from Uber. After all, this information was correct, and how would he know I was on my way to pick up someone named Jimmy?)

Me: Okay, whatever, it’s probably fine. [I sent text with the password].

Now this is where the phone call got weird. There was a long period of silence, as I heard clicking, and typing. Shortly after, I get a notification on my phone, that some suspicious activity was detected on my Uber account. And then I get a notification that I successfully made a withdrawal using Instant Pay. (This means I withdrew all money from my Uber account to my debit card.)

Unfortunately, the scammer had already replaced my debit card with his debit card number. He also changed the cell phone number on file to his own number.

Scammer: [hangs up]

Phone Call // end

I quickly realized something was wrong, so I immediately called Uber support. I told them my account was hacked, and to stop all outgoing transactions. They said they do not have control over that. I said, “It just happened like 3 minutes ago! Just cancel the transaction.”

They said again, “we cannot stop the transaction.”

It took me 9 hours to earn $200, and I lost it in less than 5 minutes.

When I tried to change my password, it sent a verification code to the cell phone number on file. Well, the verification went to the scammer’s cell phone, so I could not change my password. It wasn’t until 3 days later I verified my account to change the cell number on file. However, the scammer’s debit card was still on my account. Whenever I tried to change it, the system said there was an error, and I could not change the debit card number at this time.

So I emailed support, and after multiple exchanges, they told me to go to the local Greenlight Hub to speak with someone in person.

Once there, I quickly realized that they have the same control over my account that I have. So, they could not do anything. They suggested I email support.

Ridiculous, huh?

After 2 weeks of going back and forth between emailing support and the local Greenlight Hub, the scammer’s debit card was still on my file. Uber had to outright disable Instant Pay on my account.
Ultimately, Uber never successfully removed the debit card on file, and only solved the problem by creating another problem. The scammer’s debit card was removed but at my expense of not being able to use Instant Pay.

In retrospect, I realized Jimmy was the hacker, and that's how he knew I was on my way to pick up someone named Jimmy. Clever.

Possible Solutions

I understand I should not have given out my password under any circumstances; however, I also feel Uber does not have enough security measures in place to prevent these kinds of scams.

Here are 2 possible solutions.
1: Enable 2-Factor Authentication on all Driver accounts. (If the scammer asked me for my authentication code, I think that would have been enough for me to realize that he doesn’t just want to verify my account, but that he actually wants to get into my account.)
2: When a withdrawal request is made, Uber can send a verification to the email on file to approve or stop the withdrawal, especially if the withdrawal is made 1 minute after a debit card is added, or changed.

After 2 weeks or so, Uber reimbursed me for the money that was taken out of my account. However, they never reimbursed me for the time I could not drive while my account was compromised. (This would roughly have been another $500.) I specifically asked for this case to be reviewed by someone in a management position, or on an executive level. After multiple attempts, they eventually stopped responding to my emails. Uber was now ignoring my request to speak to a manager about this issue.

This is a warning to all Uber drivers out there right now, and a message to Uber.

Drivers, beware.
Uber, we demand more security measures.

Please share, and help spread the message.
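
The second proposed solution in the post (confirm a withdrawal through the contact on file, especially when it follows a debit card change by a minute) can be sketched as a payout rule. This is an added example, not part of the original post and not Uber's code; the event names, the 24-hour window and both timelines are constructed assumptions.

```python
from datetime import datetime, timedelta

COOLDOWN = timedelta(hours=24)  # assumed hold window after a sensitive change
SENSITIVE = {"payout_card_changed", "phone_changed",
             "email_changed", "password_changed"}
# A contact channel that was itself just changed cannot be used to confirm.
CHANNEL_FOR = {"phone_changed": "sms", "email_changed": "email"}


def review_withdrawal(events, requested_at):
    """Decide what to do with a withdrawal requested at `requested_at`.

    events: list of (timestamp, event_type) for one account, in any order.
    Returns (decision, reasons, confirmation_channel).
    """
    recent = sorted(
        (ts, ev) for ts, ev in events
        if ev in SENSITIVE and timedelta(0) <= requested_at - ts <= COOLDOWN
    )
    if not recent:
        return "allow", [], None
    reasons = [
        f"{ev} {int((requested_at - ts).total_seconds())}s before withdrawal"
        for ts, ev in recent
    ]
    # In the post, the reset code went to the attacker's phone because the
    # number had just been replaced; only untouched channels are trusted.
    tainted = {CHANNEL_FOR[ev] for _, ev in recent if ev in CHANNEL_FOR}
    trusted = [c for c in ("email", "sms") if c not in tainted]
    if not trusted:
        return "manual_review", reasons, None
    return "hold_pending_confirmation", reasons, trusted[0]


# Constructed timelines (not real account data).
T0 = datetime(2024, 1, 1, 1, 0, 0)
TAKEOVER = [  # mirrors the sequence described in the post
    (T0, "login_new_device"),
    (T0 + timedelta(seconds=40), "payout_card_changed"),
    (T0 + timedelta(seconds=70), "phone_changed"),
]
ROUTINE = [(T0 - timedelta(days=30), "payout_card_changed")]

if __name__ == "__main__":
    print(review_withdrawal(TAKEOVER, T0 + timedelta(seconds=100)))
    print(review_withdrawal(ROUTINE, T0))
```

With the takeover timeline the withdrawal is held and confirmation is routed to email, because the phone number changed inside the window.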


Wow @iunit, it's sad that scammers steal from hard working people. Glad you were able to get some restitution. Great post. Resteemed.

@karencarrens Thank you, sincerely. This happened to me back in March, and I tried to go thru some popular news outlets, but no one followed up with publishing it. Then, I realized Steemit would be the perfect outlet. I hope this reaches many people.