A new wave of phishing emails impersonating Grubhub has surfaced, tricking recipients with promises of massive cryptocurrency rewards. The fraudulent messages claim to offer a “Holiday Crypto Promotion,” encouraging users to send Bitcoin with the promise of receiving ten times the amount in return.

While some observers speculated that the incident may have been caused by a domain or DNS-related compromise, Grubhub has not confirmed the exact method used by the attackers. However, the company acknowledged the incident and said it took immediate action to contain the issue.

In a statement to BleepingComputer, Grubhub said it was aware of unauthorized messages sent to some users and confirmed that steps were taken to stop the activity and prevent similar incidents in the future.

This incident follows a previous security disclosure earlier this year, when Grubhub confirmed that an unauthorized party had accessed limited customer, merchant, and driver information through a third-party service provider. While there is no indication that the two incidents are directly connected, the events highlight how third-party access points can become a weak link in security chains.

As always, users are advised to be cautious of unsolicited messages promising financial rewards, especially those involving cryptocurrency. Legitimate companies do not ask customers to send money in exchange for guaranteed returns — and any message that does should be treated as a red flag.

