This Shipt Delivery Email Scam Will Fool Even the Savviest Users
The other day, I received an email on my phone from Shipt confirming that my groceries were on their way and I should expect them by 4 p.m.
But I'm not a Shipt user.
Here's where this email phishing scam caught me, hook, line, and sinker.
My first instinct was to blame my husband for likely trying something new – online grocery store ordering – and using my email address to track the order, probably because I am “home all day so it would be easier for (me) to get the updates,” one of the phrases that have become common now that COVID-19 has most of us working from home or supervising distance learning from home. It didn’t seem like much of a stretch to think he’d do this, especially since he was going to be away for most of the weekend and knows I don’t like to bring the kids to the store.
What I did next was just about hit the roof when I saw what my card would be charged for groceries since it was well beyond our weekly grocery budget. Under no normal circumstances would the savvy grocery shopper that I know him to be end up spending this kind of money. But lucky for me, there was a giant button that read "VIEW ORDER." If I clicked on it, I could instantly see why my bill was so high. Against all better internet phishing scam judgment, I did the one thing I thought I was too smart to ever do: I clicked on the dumb, green "VIEW NOW" button.
A giant orange screen with an X appeared and I knew right away that I fell for a simple email phishing scam.
Now how could that happen to someone who has to take phishing scam training lessons as part of her job? Easy. Remember when I said the email came to my phone? On a mobile device, there is no way to hover over a link to see the URL destination and where the button or link is going to take you once you click.
There is also no way to see the sender's email address the way you can when you open an email on your desktop computer. On a phone, at least in my case, all I could see was that "Shipt Grocery Delivery" sent me a message that my groceries were on their way.
I pulled my inbox up on my desktop computer to look more closely at what it was I missed on my phone; what part of this scam email duped me so easily?
First of all, there were no spelling errors, one of the more obvious scam email giveaways.
Secondly, there was no urgent call to action asking me to log in and confirm anything. It just said my stuff would be here soon and if I felt like it, I could review the order. Did it raise a red flag that suddenly my work email address was signed up for Shipt Grocery Delivery? No, because like many people, I live with someone who sometimes does things and forgets to tell me or I forgot to listen.
Did the email confirmation have the same exact logo as the real Shipt, which is a green circle with a spaceship? Yes, it did. Was the email address that it came from super obvious? No, it wasn’t; it was only “Confirmation@delivery-shipt.com.” For someone vaguely familiar with Shipt, both the correct logo and logical email address were not enough to cause suspicion.
I thought of my folks right away. Like many older folks, they have been Shipt users since the pandemic hit. If they got this email and saw an incredibly high charge had been made, they would absolutely hit that green button without thinking twice. For everyone with someone in their life who may fall for one of the sneakiest email scams going around right now, here is what they need to know:
Look at the actual email address to see if it’s suspicious. In this case, it’s not really that suspicious, and Googling didn’t help me much either; it only pulled up a lot of articles about how many people use Shipt to buy food now.
Look for spelling errors, because those are the easiest tell-tale signs that it's not a real email, the same way spelling errors can alert you to fake news articles. But again, in this case, there were no spelling errors, making this scam extra scammy.
Hover over the links/buttons within the email and see the destination they are going to but DO NOT click on them. Do you want to naively click into a site that takes you to CardPayments.MircoRansom.US? No. Any site with "ransom" in the URL is not something you want to click on. And do not be tempted by any link that asks, "Need Help?" or "Have Questions?" Of course you need help and have questions, you may have just been charged a lot of money for something you didn’t buy. Don't click.
Delete this email and don’t look back. It is a big ol' scammy scam designed to grab your credit card information.
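The sender and link checks from the list above, sketched in Python as an added example (not part of the original article): it reads the real address behind the display name and lists where each button points, without opening anything. The sample message is constructed from the details described in this article, and treating shipt.com as the legitimate domain is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED = {"shipt.com"}  # assumption: the domain the real service sends from
HREF = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.I)

# Constructed sample built from the details in the article (paths are made up).
SAMPLE = """\
From: Shipt Grocery Delivery <Confirmation@delivery-shipt.com>
To: reader@example.com
Subject: Your order is on its way
Content-Type: text/html; charset="utf-8"

<html><body><p>Your groceries will arrive by 4 p.m.</p>
<a href="https://CardPayments.MircoRansom.US/order">VIEW ORDER</a>
<a href="https://CardPayments.MircoRansom.US/help">Need Help?</a>
</body></html>
"""

def is_trusted(host, trusted=TRUSTED):
    """True only for a trusted domain or a real subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)

def inspect_email(raw, trusted=TRUSTED, brand="shipt"):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))  # name shown vs. real address
    sender_domain = addr.rpartition("@")[2].lower()
    body = ""
    for part in msg.walk():  # also covers multipart messages
        if part.get_content_type() in ("text/html", "text/plain"):
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    hosts = sorted({urlparse(u).hostname or "" for u in HREF.findall(body)})
    findings = []
    if not is_trusted(sender_domain, trusted):
        kind = "lookalike" if brand in sender_domain else "unrelated"
        findings.append(f"sender domain {sender_domain} is a {kind} domain")
    findings += [f"link points to {h}" for h in hosts if not is_trusted(h, trusted)]
    return {"display_name": display, "sender_domain": sender_domain,
            "link_hosts": hosts, "findings": findings}

if __name__ == "__main__":
    report = inspect_email(SAMPLE)
    print(report["display_name"], "->", report["sender_domain"])
    for finding in report["findings"]:
        print("WARNING:", finding)
```

A hyphenated name such as delivery-shipt.com fails the check because it is a separate registered domain, not a subdomain of shipt.com.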
My company swiftly enrolled me in another phishing scam training because clearly, I failed the test. Had it come to my personal email address, though, no giant IT department would have been there to save me from my mistake.
Show everyone you know, even if you think they are very tech-savvy and unlikely to fall for such a simple trick. We are all overtired and distracted these days and a simple slip-up could create so much trouble.