Back to Insights
Threats4 min read8 July 2026

Fake DoorDash Calls Are Draining Gig Workers' Earnings in Australia

Criminals posing as platform support staff are using vishing and brute-force account takeover to steal wages from delivery drivers. The Transport Workers Union has already recovered more than $50,000 in stolen pay.

t2s
train2secure NewsdeskSecurity awareness team
A tired young man sitting alone in a parked car late at night, one hand holding a smartphone showing an incoming call, s

Scammers impersonating DoorDash customer support have stolen hundreds of dollars from a Gold Coast delivery driver and, in the worst documented case, at least $21,000 from a single gig worker across Australia.

What Happened

Andrew Rhodes, a 26-year-old Gold Coast man, had been driving for DoorDash for less than a week when a call came through the app at around 1:30 in the morning. An automated greeting introduced the call as coming from DoorDash. A live-sounding agent then explained that an order had been cancelled because of suspected customer fraud, and that Rhodes needed to confirm some personal details before receiving compensation for the distance already driven.

He handed them over. The following day, roughly $200 had been redirected out of his in-app earnings wallet. Weeks later, using the same account details already captured, the criminals took another $150 without placing a second call.

"It's like they have a script. They're super confident in everything they say," Rhodes said.

How the Attack Is Designed

The scam relies on a deliberate setup before the phone ever rings. A criminal places a delivery order from a location with no accessible road route, making it physically impossible for the driver to complete the delivery and trigger an automatic cancellation. The driver receives a call instead, told the order is cancelled, and is walked through a fake compensation process that harvests their login credentials.

The Transport Workers Union (TWU) believes those credentials are then used in brute-force attacks, where automated tools cycle through password combinations until an account opens. The union told reporters this activity appears to happen directly inside DoorDash and Uber app systems.

Cybersecurity researcher Troy Hunt was pointed about where accountability lies. "The question is always: what controls are in place by the provider to limit brute force?" he said, adding that those controls are clearly not working well enough in this case.

The Scale Is Bigger Than One Driver

The TWU says it has helped gig workers recover more than $50,000 in stolen earnings over the six months to mid-2025. Australia's Consumer Competition and Consumer Commission (ACCC) issued a public alert about scammers specifically targeting food-delivery drivers, and its Scamwatch data shows Australians lost more than $2 billion to scams across 2024 overall. Phishing alone, covering fake calls and messages designed to extract personal information, accounted for $97 million of that total.

National TWU secretary Emily McMillan said delivery workers are "incredibly vulnerable", not only because the theft itself can wipe out a week's income, but because platforms often suspend driver accounts while investigating the complaint. The driver loses access to their only income source at the exact moment they need it most.

"They're being penalised for being the victim," McMillan said.

Australia's gig economy covers an estimated 250,000 app-based workers in food delivery and ridesharing alone. Many treat it as a second job to manage rising living costs, which means a $200 theft is not an inconvenience. It can be the week's grocery budget.

Which Controls Failed

This incident illustrates a failure stack that starts long before any brute-force tool runs. The root cause is a successful vishing attack, voice phishing, where a caller convinces a tired, distracted worker to surrender credentials voluntarily. No technical control stops a person from reading out their password to someone who sounds official. That is the gap that security-awareness training is designed to close. When workers understand that no legitimate platform will ask for login or banking details over a phone call, the social engineering script loses its hook.

Once credentials were captured, the second failure became visible: brute-force rate limiting on the platform side was either absent or weak. Well-configured identity controls block repeated failed login attempts, alert account owners by SMS or email, and flag unusual payment-destination changes for manual review before funds move. The NIST Digital Identity Guidelines (SP 800-63B) specifically recommend rate limiting, account lockout thresholds, and monitoring for credential-stuffing patterns. None of those appear to have interrupted these attacks.

A third failure sits in the payouts flow. Changing an earnings destination inside a financial app should require re-authentication, ideally through a second factor the attacker cannot harvest in a single phone call. If a platform allows a payout-account change with nothing more than a password, it has removed the last checkpoint between a stolen credential and a stolen wage.

What Defenders and Drivers Should Do Right Now

For individual drivers, a few habits reduce exposure sharply. Watch for orders whose pick-up pin sits in a remote or road-inaccessible location. Be suspicious of any call arriving just before a pay cycle. No genuine support team will ask you to confirm account details or banking information over the phone. If something feels wrong, report it through the app's official help function rather than responding to the caller.

For platform operators, the ACCC alert and the TWU's $50,000 recovery figure together make a clear regulatory and reputational case for action. Rate-limiting login attempts, requiring multi-factor authentication [MFA] before payout-destination changes, and sending real-time push alerts when wallet redirects are requested would collectively raise the cost of this attack significantly.

For enterprise security teams whose organisations use gig-economy couriers or contract workers on app platforms: your supply chain now includes human endpoints who may have no formal security training at all. Workers who understand security basics and compliance principles spot social engineering before credentials are ever typed in. That is a risk-reduction investment worth making. See how your team stacks up with a free trial of Train2Secure's awareness platform.

Andrew Rhodes got his $350 back after filing a formal complaint. Many drivers do not. And the one case where a single worker lost $21,000 is a reminder that the ceiling on this scam is determined only by how much money happens to sit in an account when the attackers get in.

How this attack could have been stopped earlier

  • Train gig workers and contract staff to recognise vishing scripts: no real support team asks for passwords or banking details over an inbound call.
  • Require multi-factor authentication for any payout-destination change inside app-based financial wallets.
  • Enforce login rate limiting and real-time wallet-change alerts so credential theft cannot silently convert into wage theft.

Train2Secure delivers short, role-relevant security-awareness modules that help workers at every level spot social engineering before it costs them their income.

Start free, no card required

Frequently asked questions

How do scammers get access to a delivery driver's earnings after a vishing call?

After tricking a driver into revealing their login credentials over the phone, attackers use brute-force tools or the stolen details directly to access the app account and redirect the earnings wallet to a different payout destination. The change often happens within hours of the call.

Why are gig workers especially vulnerable to this type of scam?

Delivery drivers often work late-night shifts alone, have limited formal IT security training, and rely on the same app for communications and pay. A call that arrives through the platform itself feels official. Fatigue and financial pressure reduce the mental bandwidth needed to spot manipulation in the moment.

What should a driver do if they receive a suspicious call claiming to be from their delivery platform?

End the call and report the interaction through the app's official in-app help or support function. Do not call back any number the caller provides. No legitimate platform asks you to confirm passwords, account numbers, or banking details over an inbound phone call.

What technical controls should delivery platforms have in place to prevent brute-force account takeover?

Platforms should enforce rate limiting and account lockout after repeated failed logins, require multi-factor authentication before any payout-destination change, send real-time alerts for wallet redirects, and monitor for credential-stuffing patterns. NIST SP 800-63B provides a widely accepted baseline for these controls.

Ready to Reduce Your Human Cyber Risk?

Sign up and start training your team in minutes. No sales calls, no demos — just pick a plan and go. Phishing simulations, video courses, and certificates from day one.

train2secure analytics dashboard showing training completion stats and user progress