Your meal delivery kit SMS might also be dropping off malware

meal delivery kit
(Image credit: / Monkey Business Images)

Scammers are spoofing popular meal delivery kit services to trick victims into giving away their details, security experts have warned.

A report from Tessian found a huge surge in SMS scams impersonating meal kit delivery companies as demand for the services grew significantly during lockdown.

The likes of Gousto and HelloFresh are among those used by the scammers, who according to Tessian are using a mixture of phishing and smishing SMS attacks to target victims awaiting their delivery.

Special delivery

Tessian highlighted one phishing campaign impersonating Gousto where messages were sent out asking users to rate their delivery to enter a prize draw. However the link within the message took them to a fake website designed to steal personal and financial information, or harvest all important account credentials.  

Although many of the scam messages appeared fairly convincing, some featured obvious errors or spelling mistakes, with one SMS message reading: “Your Gousto box is now delivered. Enjoy the reoipej! Rate delivesy and enter wrize diaw at ‘URL’.” 

“Spelling errors are a tell-tale sign that it is not from a legitimate source; brands will rarely make such mistakes in their marketing campaigns. Also, keep an eye out for business and customer messages from unknown numbers or numbers starting with a local area code such as +44, as these are regularly associated with scam texts,” noted Tim Sadler, CEO and co-founder of Tessian.

"Throughout the pandemic, we've seen cybercriminals jump on trending topics and impersonate well-known brands, with increasing sophistication. Often, scammers will register new web domains to set up convincing-looking fake websites, luring their victims to these pages using phishing scams, and then harvest valuable information."

Tessian noted that Gousto had acknowledged the scams, with the company responding to users via Twitter saying that its Info Tech team "are looking into this suspicious activity."

“These scams are getting harder and harder to spot, with the perpetrators regularly coming up with new tactics to convince users to follow their link and input their confidential data," Sadler added. "A general rule of thumb is that, if you’re ever not sure if something is a scam, then assume it is. You can always verify a message’s legitimacy with the company directly.”

Mike Moore
Deputy Editor, TechRadar Pro

Mike Moore is Deputy Editor at TechRadar Pro. He has worked as a B2B and B2C tech journalist for nearly a decade, including at one of the UK's leading national newspapers and fellow Future title ITProPortal, and when he's not keeping track of all the latest enterprise and workplace trends, can most likely be found watching, following or taking part in some kind of sport.