Meal Kit Delivery Scams Increase with Phishing Campaigns

Attackers are sending phishing text messages which appear like authentic correspondence from famous brands, such as HelloFresh and Gousto, and thus are piggybacking from this booming marketplace for meal kit delivery services since the epidemic.

Centered in Berlin, HelloFresh SE is a German public-traded meal kit firm. The company is the biggest supplier of meal kits in the USA and operates also in Australia, Canada, New Zealand, Sweden, Western Europe, and Denmark. Whereas Gousto is a meal kit retailer based in Shepherds Bush, London, UK – established by Timo Boldt and James Carter and an SCA Investments Limited trading company. Gousto provides customers with ready-made, fresh ingredients, and easy-to-follow recipe kit boxes. 

The meal-kit phishing operations were uncovered by researchers of Tessian and then several variations of the phishing pitch were published. Some of them are sent via SMS, some via WhatsApp. Some people have been asked to assess their experience. In terms of complexity, messages are widespread, from very persuasive to a Tessian example called “easy to spot,” which has various spelling errors. 

“Your Gousto box is now delivered,” the phishing message read. “Enjoy the reoipej! Rate delivesy and enter wrize diaw at ‘URL’.” 

Tessian added that, usually, thousands of these messages are sent simultaneously via SMS and WhatsApp. 

Gousto however has alerted its clients of the scams by posting a message on their Twitter account: “We are aware that these emails/texts are in circulation, unfortunately, and we would advise against opening them. Our Info Tech team are looking into this suspicious activity.” 

The increasing popularity of meal kits coincides with an increase in phishing attacks focused on SMS, known as “smishing,” around the world. Digital devices lack a lot of safety, they are all there and the emotional dependency with which many devices have grown makes customers vulnerable to shaking down. Meal kits have been established as an important weapon for cybercriminals to leverage against targets like other pandemic-related issues. 

Commenting on the findings, Tim Sadler, CEO, and co-founder of Tessian said: “Throughout the pandemic, we’ve seen cyber-criminals jump on trending topics and impersonate well-known brands, with increasing sophistication. Often, scammers will register new web domains to set up convincing-looking fake websites, luring their victims to these pages using phishing scams, and then harvest valuable information.” 

He further added, “These scams are getting harder and harder to spot, with the perpetrators regularly coming up with new tactics to convince users to follow their link and input their confidential data.”