publishing date icon
November 12, 2021
read time icon
5 min. read

Deliveroo feedback survey phishing email

We came across a phishing email that, while basically resembling one of the many marketing emails that flood your inbox, is still cleverly enough disguised as a feedback survey from a trusted source that it's hooking victims. The attack leads to a credential harvesting site, and the phishing email was made to look like it was coming from a well known online food delivery company, Deliveroo.

Author image
Milla Viitala
Junior Threat Analyst
Post hero image

Table of contents

share this post

You may be one of those people whose email box is always flooded with marketing messages, discount coupons, feedback surveys, and other spammy content. It becomes a blur of stuff, and often goes unread. That’s the reason phishing emails are rarely sent in the form of marketing messages. They are not as effective as other techniques.

However, this week we came across a phishing email that was more cleverly disguised as feedback survey. The phishing email was made to look like it was coming from a well known online food delivery company, Deliveroo.

Let’s have a look:

Subject: Congratulations ! You've been selected by Deliveroo Rewards Program

This email looks like a typical marketing email from Deliveroo that requests user feedback on the service for improvements. In return for the feedback, the customer will receive a gift card. All the user has to do is rate how likely they are to recommend the service to a friend or family member by clicking a number from 0-10 provided in the below scale.

But this isn’t a legitimate Deliveroo email. It’s a phishing email in which clicking the number scale leads to an ominous path. Here is what happens after clicking:

1. User is taken to a fake Deliveroo survey page

Example of a fake Deliveroo survey

This page contains a simple survey with four questions. After the user has answered all the questions and pressed “Finish” they will be sent to a malicious website.

2. After finishing the fake survey, user is taken to a credential harvesting page

After submitting the fake survey, the user is redirected to a different page that is actually a credential harvesting page. In this page, the user is asked to submit their billing details to claim the promised gift card. The billing details include credit card number, card expiration date, and CVV number. The site claims that the information is needed for authentication purposes.

Once the user submits these details, they are sent directly to the malicious actor.

There are quite a few steps before the credit card details are actually harvested, which makes this technique not extremely effective. To begin, many users won’t even bother with the phishing email itself in the first place as they'll likely see it as just another annoying marketing email. Some users might click the rating scale but, once they see that they still have to answer a bunch of questions, they might leave the survey.

But it's a clever enough phish to hook a few victims.

The unfortunate ones who do answer the survey and end up on the credential harvesting page hopefully see the red flags on the site:

  1. Big companies like Deliveroo would never ask your credit card details in return for a gift card
  2. Deliveroo is misspelled on the harvesting site (Delivero)
  3. The URL address has nothing to do with the company
  4. Spacing and commas are off in the top text

Some details however are clearly thought-out in this phishing scam, which creates a sense of authencity:

  1. There are actual Deliveroo links in the phishing email; only one link takes to the phishing site
  2. The navigation bar links in the credential harvesting website redirect to the actual Deliveroo website too

How to stay off the hook!

Marketing emails may seem harmless, but when navigating the wild frontiers of Internet you can never be too careful. This is a good example of an attack email that seems completely innocent but ends up stealing your credit card information.

Gift card rewards aren’t that rare in marketing emails but the way they are handed over to you is something you need to pay attention to. Never give out your credit card details in exchange for a gift card!

To spot a phishing email, pay attention to these red flags:

  • Bad grammar
  • Links that point to a URL address that is not related to the company (hover on the links, don’t click!)
  • Request for personal information such as credit card details
  • Unprofessional implementation
  • Email sender address has nothing to do with the alleged company (but watch out, addresses can be spoofed!)

If you do come across some internet survey with a tempting reward that tickles your fancy but something seems off, contact the company first to make sure it’s legitimate.

Stay safe!

Read more phishing examples

Hoxhunt response

Our Threat Analysis Team examines tens of thousands of reported phishing emails, including ones like these, a week–and have captured tens of millions of threats to date. Working together with our powerful machine learning model, they cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly-evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button. Read more to learn how to equip your employees with the awareness training that will protect your company from phishing scams.

Subscribe to All Things Human Risk

Subscribe to our newsletter for a curated digest of the latest news, articles, and resources on human risk and evolving phishing threats in the ever-changing landscape.

Hoxhunt needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at anytime. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, check out our Privacy Policy.