Delivery Drivers Targeted in New “Support Call” Scam Exploiting Food Delivery Platforms

Drivers working for food delivery apps such as CityDish, MetroMeals and more are being targeted by a new scam that exploits one of the platforms’ most basic safety features: the ability for customers to call drivers without revealing their personal phone numbers.

Security analysts say the scheme relies on social engineering rather than technical hacking, allowing attackers to impersonate company support staff and trick drivers into handing over account verification codes.

The scam begins with what appears to be a normal food order placed through a delivery platform. Shortly after a driver accepts the request, the customer uses the app’s “Call Driver” feature to contact them.

Because the call is routed through the platform’s masked communication system, the driver’s phone often displays a number associated with the service itself rather than the caller’s personal number. To the driver, the call appears legitimate.

When the driver answers, the caller claims to be from the platform’s support team and says the driver’s account requires immediate verification. The caller often begins by addressing the driver by name, information that is visible to customers inside most delivery apps, which helps establish credibility.

The conversation then shifts to urgency.

Drivers are told that their account has triggered a security check or is at risk of being temporarily suspended. To resolve the issue, they are asked to confirm a one-time verification code sent to their phone.

In reality, the code is generated when the attacker attempts to log into the driver’s account. By convincing the driver to read the code aloud, the scammer is able to bypass the platform’s authentication protections and gain access to the account.

Once inside, attackers can change payout details, redirect earnings, or lock drivers out of their own accounts.

The tactic has begun circulating among driver communities online, with several workers reporting similar experiences during active deliveries.

What makes the scam particularly effective is the way it leverages built-in platform features designed to protect users. Masked calling systems allow customers and drivers to communicate without exposing personal phone numbers, but the same system can also make calls appear to originate from the company itself.

According to cybersecurity analysts, the attackers are not exploiting a software vulnerability they are exploiting trust signals built into the platform’s design.

By combining an official-looking phone call, knowledge of the driver’s name, and a request involving a familiar security code, scammers create a convincing scenario that many drivers do not question until it is too late.

Gig economy platforms typically warn users that legitimate support representatives will never ask for authentication codes or passwords. Still, the fast-paced nature of delivery work where drivers are often navigating traffic while managing orders can make it easier for social engineering tactics to succeed.

Security professionals say the incident highlights a growing trend across digital platforms: attackers increasingly rely on manipulating platform features and human behaviour rather than breaking through technical defences.

Drivers are being urged to treat any unexpected request for verification codes with skepticism, even if the call appears to originate from the delivery platform itself.

In an industry built on speed and convenience, experts say the safest response may be the simplest one: hang up, and contact support directly through the app.

On the ground, where infrastructure meets everyday life. — Marcus Tran