/ Scams

Scam alert: Just Eat ‘gift card’ phishing email

We’ve received multiple reports of a fake email purporting to be from takeaway delivery service Just Eat. Here’s what you need to watch out for.

With so many people using takeaway delivery services during the pandemic it’s no surprise to see scammers looking to take advantage of those brands.

We know from experience that uncertainty around the ongoing pandemic is a magnet for fraud, with so many examples already shown here on Which? Conversation.

This fake Just Eat email may at first seem quite obviously illegitimate, but the email it was sent from has deceptively spoofed the ‘Just-Eat.com’ domain, which does itself redirect to the official site (https://www.justeattakeaway.com):

Attempting to ‘claim your £50 Just Eat gift card’ will almost certainly take you through to a phishing website that will attempt to steal sensitive information. Just Eat itself has confirmed that this email (and variations reported to it on Twitter) are fake:

We also made Just Eat aware of the email directly, a spokesperson said:

“Protecting our customers and brand from online fraud is of utmost importance to us and we take the safeguarding of customer data extremely seriously. We have been made aware of a phishing email that has been sent to a number of Just Eat customers and non-customers, and have taken immediate steps to mitigate this”

It also said it would never send an email asking a customer to follow a link and fill in their personal details in order to receive a voucher.

It emphasised that in no way have Just Eat’s systems been breached or compromised, but that anyone who may have clicked through should change their password and contact their bank, while reporting the incident to action fraud.

Phishing email advice

We agree that if you think you may have passed your bank details or any sensitive information to scammers, you should let your bank know immediately.

Our steps to getting your money back after a scam can be found here.

Anyone receiving phishing emails like this should report them to the National Cyber Security Centre on report@phishing.gov.uk

Suspicious emails can also be forwarded to Action Fraud on report@phishing.gov.uk

One of the most direct actions you can take immediately to ensure others do not fall victim to these scams is to share these warnings with friends and family.

Have you received this Just Eat phishing email? Have other takeaway delivery services been targeted? Let us know in the comments.

Comments

Once again the incentive of something free lures people into clicking on malicious links. 🙁

If I used Just Eat I would visit their website and look to see if there was a genuine promotion. I might miss out on an offer but I’d rather not be another scam victim.

Our steps to getting your money back after a scam can be found here.
I am sorry to say people who fall for this should not receive their money back from me (and other bank customers) unless the money can be recovered from the fraudster. People need to think, be responsible for their actions, and then learn from the consequences. There has been plenty of publicity about giving away personal information to anyone you do not know. But certainly let your bank or card provider know if you realise you have done something not sensible.

I absolutely agree that people should not automatically be refunded in all cases. For example, I have little or no sympathy for people who pay for non-existent items or services and pay by direct bank transfer, only to discover that the car, hotel or holiday do not exist. There have been SO many warnings over the past 5 years at least about this. There is no incentive for people to apply common sense or take responsibility if they are automatically refunded for co-operating with a scam.
There might be individual cases deserving of refunds, but I do not believe the liability should automatically be with the customer’s bank.

Is there any evidence that refunds are being made automatically? I hope that each case is determined on its merits.

A harsh judgement for those vulnerable people who may not be as sharp as others. A typical Tory view as well- uncaring and selfish.

Mike Cross says:
20 February 2021

How can you associate a particular view with politics. Or are you saying that only conservatives value a sense of responsibility?

Elizabeth Davies says:
20 February 2021

No hope of getting a reply as we are OAPs all these meals are far too expensive. Home cooking is always the best for the purse!! Keep up the good work.

I send all phishing emails I receive to the report@phishing.gov.uk website. If an email is trying to imitate a Bank, or amazon, paypal or whoever, I also send it to their fraud/phishing reporting address.
eg spoof@paypal.com .

One thing to emphasise. Do not simply forward the suspicious email using the “forward” function of your email program or app. You should start a new email and ATTACH the suspicious email< and send it like that. This can preserve header and routing information which can be useful if someone wants to investigate a particular phishing email.

It is a pity that Which do not seem to include this advice.

Little sign of any decline in this activity, ln fact it increases annually. Should the Government set up something like a Task Force to combat this type of crime. Criminals seem to be 1 or 2 steps ahead of fraud prevention measures taken by financial institutions & the fraud squad. World wide Web facilitates oppurtunities for World wide crime originating anywhere in the world.

Nicole King says:
20 February 2021

The rule to apply here is very simple. Unless you expect the message do not click on any link that appears on such. The NHS recently made a dangerous mistake by sending people a message about vaccination for the vulnerable containing a link and with no information about how to reach the registration web site directly.

I agree, Nicole. There is no need to put links in emails and text messages. I have suggested elsewhere that readers could have been directed to the GOV.UK portal and a safe link provided to the vaccination booking site.

Reputable organisations should not include clickable links, but if they require us to make contact refer us to the normal route. My financial adviser, for example, notifies me by email if they have been active on my account but I need to go through the normal log in process to find out.
Maybe Which? could start by asking banks to confirm they will do this in future?

I agree with Nicole here: “Unless you expect the message do not click on any link that appears on such.”

I find clickable links very helpful, not least if I have requested them for password resets and such like.

These links are certainly convenient but an alternative might be to provide something such as a six character passcode, active for ten minutes, to enable the user to gain access to their account and set up a new password. That would help deal with fraudulent activity.

Some sites, e.g. Amazon, already use that option. But, overall, I think a full ban on clickable links would risk making things worse for some users.

I respect what you say, Derek. You have mentioned helping people get to grip with computers and it is important that we consider the needs of people other than ourselves. My computer recognises my fingerprint and the laptop my face, so maybe we will not need passwords in future.

I always view emails in plain text so links show as text for the url not as a button. I can see if the link looks genuine and also tracking images do not track. Good senders provide readable form of the message, if I can’t read it I ignore it.

Sadly, I just fell for the Just eat scam – very clever they didn’t want any details until the end, with a very convincing survey to order a small purchase…
I too late had done it; cancelled my card right away, so little harm done (though too many details given) but I get lots of fake emails anyway – 99.999% spotted and reported.

John A says:
20 February 2021

I thought I was ‘scam-savvy’ but I came very close to falling for a similar scam purportedly from Morrisons. It looked pretty legit and was flagged-up as a customer survey. It was when I was offered very expensive ‘rewards’ for ridiculously low prices that I realised there is no such thing as a free lunch, not even from Morrisons! The moral for me is not to scan through emails when stressed or tired as it is really easy to make a serious mistake.

If something seems so good don’t do it!! SCAM

Lloyd Shepherd says:
21 February 2021

never click on a link you are unsure of. if it is a company name in the email google the email address or type the company name into your browser. no sign of the supposed discount/ promotion or deal etc its a scam