Crooks Are Hungry for Your Grubhub and Instacart Accounts

By Katherine Skiba   En español Published March 23, 2021

Consumers lost $56 billion to identity fraud in 2020, when a new hot commodity for crooks were stolen credentials for accounts such as Grubhub, Instacart, DoorDash and Uber Eats.

The pandemic-year trend emerges in a study that is silent on whether crooks crave haute cuisine or fast food. What is clear is that as consumers want the ease of having groceries delivered

and dinner dropped off at their front door, there is a thriving criminal marketplace for account credentials for contactless deliveries, an AARP-sponsored study shows.

Since there's a street value for the pilfered account info, “cybercriminals were willing to steal consumer credentials to tap into a stream of delivery services,” the study says.

The study examined several aspects of identity fraud, which is worse than identity theft since a person's sensitive data is not only stolen, it also is used to commit a crime.

One of the categories — and here's where the Grubhubs of the world come in — is called non-financial accounts. Delivery services accounted for 18 percent of all the identity frauds in this

category, surpassing compromised accounts for mobile phones, social media platforms, emails and utilities.

The findings emerge in an online survey of 5,000 adults last fall by Javelin Strategy & Research of Pleasanton, California. The firm has been examining fraud trends since 2003.

in 2020

These were the top identity-fraud scams in 2020. The percentages reflect the share relative to the pool of all such fraud victims last year.

Other key findings from Javelin's “2021 Identity Fraud Study":

Credit card numbers also were coveted by crooks. Twenty-four percent of people who were victims of identity fraud had credit card numbers pilfered, surpassing email addresses and passwords;

physical addresses; debit card numbers; dates of birth; mobile phone numbers; and Social Security numbers.Criminals tailor their tactics based on the age of the people they are targeting. If

they are seeking victims age 41 to 65, they will communicate in emails, robocalls and texts, with come-ons about interest rates, other financial information and parcel tracking. For victims

age 57 to 75, robocalls are the preferred method of outreach and the “trigger” topics relate to the Internal Revenue Service, Social Security and health care.The top target for "account

takeovers" were major credit-card accounts. In an account takeover, your username, logon information and the mobile number associated with the account are manipulated or changed in a way

that prevents you from accessing your account and receiving notifications about possibly fraudulent activity.In 2020 Javelin added two new categories for account takeovers: brokerage

accounts and retirement accounts including individual retirement accounts (IRAs) and 401(k) accounts. The additions are a signal that consumers should monitor their investment accounts

carefully, require two-factor authentication to access an account and take additional steps for good cybersecurity. Top fraud of 2020: Fake tech support