Ride-sharing services have been implicated in all sorts of fraudulent schemes from clean-up fees for fake vomit and credit card theft to elaborate foreign dark money networks. But one of the oldest and hardest-to-kill scams hurting drivers uses little more than old fashioned social engineering to steal their earnings.
Uber requires its drivers to input login credentials, and automatically requires two-factor authentication on an unfamiliar device—such as a phone belonging to a fraud ring. Phone numbers are also anonymized, routed through Uber’s system so that neither driver nor passenger know the actual number of the person they’re being connected to. Scammers need all of this is information to hijack drivers’ funds.
Sadly, they’ve found a dead simple way to do it, and dozens of incidents posted to driver forums and Reddit ride-sharing communities describe the scam in nearly identical terms.
From a driver in Manchester:
After accepting a ride request from a Tracey at Manchester airport, I received a call from what would have been the rider and I was told to cancel the ride and check “do not charge Rider” as the rider was using a fraudulent credit card. The call was said to have been intercepted by a Uber representative. I was then told to close the app. I was asked to verify my phone number, he would callback in under 1 minute. Then I was told I was going to get a $200 reward for good service and was asked to verify how much was in my account. Then I was asked to add a debit card.
Another in New York:
[I]t was early Sunday morning say around 2am; when I ride came through the uber app and the rider’s name is “Uber Technology Inc.” My first thought was; an uber staff is requesting a ride. About one minute; my phone rang; and this guy on the other end was like; hi this is Uber and I am sure you recognized it because the rider’s name said Uber Technology; I said yes; and he was like; this is the only way they could get in touch with me (red flag) Uber has my phone number and they can contact me any time they have the need to. This guy acted really professional. Asking me to pull over so I don’t get distracted on the road etc. Then he asked of my phone number to confirm my account with Uber; which I gave him; then he was like I got a $200 reward [...] later in the day sent me a text message; asking me for my Uber email and log in password to confirm my $200 reward.
A third, in Chicago:
Got a ping for a pax today in Chicago. Name was NESTOR. “pax” immidiatly (sic) calls asking if I am my name I say yes and they say they are with Uber Driver Outreach. They said the ride was Uber generated to get a hold of me and asked me to pull over and cancel the ride with a “no charge” for reason. THEN they tell me all uber drivers in Chicago with a rating above 4.5 are receiving a 200 bonus this week! My lucky stars! 👎 Promptly receive a text from PAX saying “congratulations on being a great driver, you’ve earned a reward. Please enter your email and PASSWORD to activate your bonus”. Really guy?
The script may have a few flourishes here and there, but the basic scheme is almost always the same: A phone rider hails a car. Then they or an accomplice, posing as Uber support, asks the ride be cancelled. Due to the company’s policy of anonymizing phone numbers, the driver has no way to know the person calling is likely the same one who hailed the ride. Dangling the potential for a bonus—something ride-sharing companies often give out to an often overworked and underpaid contract force—they ask for enough personal information to log in, change the given bank account, and steal their fares.
While the majority of drivers are apparently cautious enough not to fall for it, some have had their wages wiped out completely.
The scheme appears to have cropped up in New York, Chicago, Manchester, Houston, Tampa, Las Vegas, San Fransisco, as well as towns in New Jersey and Connecticut—targeting Uber drivers, and occasionally Lyft drivers as well.
A spokesperson for Uber noted in an email to Gizmodo that “the FTC has been tracking these types of ‘imposter scams’ for decades & our teams work closely with law enforcement to investigate these scammers.” She pointed me toward the 13 people operating around New York since approximately October of 2016 whom last November were charged by the Department of Justice for allegedly diverting “millions of dollars” from ride-share drivers. The spokesperson added that Uber’s anti-fraud team works to shut down accounts run by these sorts of fraudsters, and that the company will “periodically send reminders to drivers via email & in the app to remind them of basic security practices that can help them protect themselves.”
Problem solved, it would seem. But that third report from the driver in Chicago? That was posted to Reddit by a rider named Lee less than a week ago. He tried to report the scam to an actual member of Uber’s support team but, he told Gizmodo over email, “they didn’t even acknowledge what I was telling them at first, giving me just canned responses”—something echoed in posts elsewhere. He added that he hasn’t seen specific reminders being sent to drivers when localized scams like this crop up. He wrote, “They are certainly not saying, ‘Hey be careful they’re are some scam artists operating in your market, don’t give out your password to anyone.”
Drivers would likely be happy to report these scammers to the police, but behind fake identities and with only Uber knowing their real phone numbers, there’s little they can do. Gizmodo attempted to call all numbers listed on driver forums associated with these sorts of scams. Two appeared disconnected and a third was picked up by someone who claimed to have no knowledge of such calls.
Uber did not respond to a question regarding the recoverability of funds diverted from its drivers through these means, and Lyft has yet to respond to a request for comment.
For drivers for any ride-sharing service, it’s important not to give out sensitive information such as a real phone number or password, especially over the phone to someone whose identity you don’t know. Although, if you do get your money stolen by a fraud ring, sadly, you’re in good company.
Update 4/4/18 1:17am ET: Responding via email, Lyft told Gizmodo “As soon as we became aware of these attempts we worked to identify and prevent them in real time and took immediate action against the perpetrating users. We have communicated to drivers about these scams and steps they can take to best recognize them and protect themselves. We have also worked with drivers who have been victims of this scheme to make sure their earnings are recovered.”
Update 4/4/19 2:39pm ET: An Uber spokesperson got back in touch to add that “we routinely refund drivers who fall victim to these scams. We also notify drivers anytime account information is changed including password & payment method.”