SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image
Surge of SMS scams impersonating meal kit delivery companies
Wed, 19th May 2021
FYI, this story is more than a year old

Tessien has found a growing trend of SMS scams impersonating meal kit delivery companies.

Cybersecurity firm Tessian has identified a number of scam campaigns impersonating do-it-yourself recipe kit companies such as Gousto and HelloFresh.

The scams have come about as more people use these services due to COVID-19 lockdowns. Gousto reported that revenues jumped by 129% last year and the company sold over 25 million meals in the first three months of 2021. HelloFresh says it had 7.3 million active users globally in the first three months of 2021, up 74.2% from the year before. They believe this trend will continue rising despite restrictions easing.

Due to this, Tessian is now warning users of the phishing scams and smishing attacks (phishing scams sent via text message).

Several of the phishing campaigns will impersonate the meal kit company and ask users to rate the delivery to enter a prize draw, then link them to a fake website designed to steal personal and financial information, or harvest important account credentials.

According to Tessian, thousands of these SMS and WhatsApp messages are typically sent out at the same time, and all it takes is for one well-placed message or one distracted customer to click the link and enter their details.

“While some scam texts are convincing, many contain obvious spelling and grammar mistakes,” says Tessian's CEO and co-founder, Tim Sadler.

“Spelling errors are a tell-tale sign that it is not from a legitimate source, brands will rarely make such mistakes in their marketing campaigns. Also, it's important to keep an eye out for business and customer messages from unknown numbers or numbers starting with a local area code, as these are regularly associated with scam texts.
 
"Throughout the pandemic, we've seen cybercriminals jump on trending topics and impersonate well-known brands, with increasing sophistication. Often scammers will register new web domains to set up convincing-looking fake websites, luring their victims to these pages using phishing scams, and then harvest valuable information,” he says.

Sadler acknowledges that the scams are getting harder and harder to spot, with the perpetrators regularly coming up with new tactics to convince users to follow their link and input their confidential data. And that as a general rule of thumb, if you're not sure if something is a scam, you should assume it is. He says someone can always verify a message's legitimacy with the company directly.