A new way to spend $10 on a 12-ounce coffee just dropped. Starting today, Starbucks is accepting delivery orders right inside its app. Delivery is handled by DoorDash, and right now, it’s limited to “participating stores” in the US and Canada. But if you’re in the delivery area and willing to pay a small fortune in fees, getting your Starbucks order into your hands has never been easier.

Starbucks has been offering delivery through DoorDash in the US since early last year, but only within Doordash’s app. Previously, order ahead options in the Starbucks app were limited to in-store and drive-through pickup. Now, you can toggle between pickup and delivery. Placing a delivery order brings up an interface identical to the one on DoorDash’s app.

Whichever app you use, you can also expect to pay DoorDash’s service fees. There’s a $1.99 delivery fee, and if your order subtotal is under $10, you might see a $2.00 small order fee. There’s also a 15 percent service charge that goes to DoorDash, and where I live in Seattle, an additional $4.99 fee because the company decided to pass on the cost of paying drivers a living wage to customers. Add a $1 tip for the driver (and nothing for the barista making the drink, apparently), and my $6.55 12-ounce peppermint mocha now costs $19.23. Convenience doesn’t come cheap, unsurprisingly.

Depending on where you live, you probably won’t see such steep fees, and the delivery option is likely more practical if you’re ordering coffee for the whole office and not one person. Personally, I’m deleting that $20 mocha order from my cart. We have coffee at home.

Phishing emails are one of the most common tricks scammers use, but they’re usually easy to catch if you pay attention. Awkward grammar, random details and, most importantly, an unofficial email address are dead giveaways. For example, you might get an email saying your Apple ID’s been disabled, but the sender’s email won’t actually be from Apple. Now, though, scammers are finding ways to get around this.

According to the FBI, there’s been a recent rise in cybercriminal services using hacked police and government email accounts to send fake subpoenas and data requests to U.S.-based tech companies.

I’M GIVING AWAY A $500 GIFT CARD FOR THE HOLIDAYS
Enter by signing up for my free newsletter!

What you need to know

The FBI has seen a spike in criminal forum posts about emergency data requests and stolen email credentials from police departments and government agencies. Cybercriminals are getting into compromised U.S. and foreign government email accounts and using them to send fake emergency data requests to U.S.-based companies, which exposes customer data for further misuse in other crimes.

In August 2024, a popular cybercriminal on an online forum advertised “high-quality .gov emails” for sale, meant for espionage, social engineering, data extortion, emergency data requests and more. The listing even included U.S. credentials, and the seller claimed they could guide buyers on making emergency data requests and even sell real stolen subpoena documents to help them pose as law enforcement.

Another cybercriminal boasted about owning government emails from over 25 countries. They claimed anyone can use these emails to send a subpoena to a tech company and get access to usernames, emails, phone numbers and other personal client info. Some con artists are even hosting a “masterclass” on how to create and submit their own emergency data requests to pull data on any social media account, charging $100 for the full rundown.

Illustration of a scammer at work (Kurt “CyberGuy” Knutsson)

WINDOWS FLAW LETS HACKERS SNEAK INTO YOUR PC OVER WI-FI

How this phishing scam works

When law enforcement, whether federal, state or local, wants information about someone’s account at a tech company, like their email address or other account details, they typically need a warrant, subpoena or court order. When a tech company receives one of these requests from an official email address, they’re required to comply. So, if a scammer gets access to a government email, they can fake a subpoena and get information on just about anyone.

To bypass verification, scammers often send emergency data requests, claiming that someone’s life is at risk and that the data is needed urgently. Because companies don’t want to delay in case of an actual emergency, they may hand over the information, even if the request turns out to be fake. By portraying it as a life-or-death situation, scammers make it harder for companies to take time to verify the request.

For example, the FBI reported that earlier this year, a known cybercriminal posted pictures on an online forum of a fake emergency data request they’d sent to PayPal. The scammer tried to make it look legitimate by using a fraudulent mutual legal assistance treaty, claiming it was part of a local investigation into child trafficking, complete with a case number and legal code for verification. However, PayPal recognized that it wasn’t a real law enforcement request and denied it.

Illustration of a person receiving a phishing email (Kurt “CyberGuy” Knutsson)

CYBERSCAMMERS USE AI TO MANIPULATE GOOGLE SEARCH RESULTS

What can companies do to avoid falling for these phishing scams?

1) Verify all data requests: Before sharing sensitive information, companies should verify every data request, even those that look legitimate. Establish a protocol for confirming requests directly with the agency or organization that supposedly sent them.

2) Strengthen email security: Use email authentication protocols like DMARC, SPF and DKIM to block emails from unauthorized sources. Implement anti-phishing filters to detect suspicious content in messages.

3) Train employees on phishing awareness: Regular training sessions on phishing scams can help employees recognize red flags, such as urgent language, unusual requests or emails from unknown addresses. Employees should be encouraged to report suspicious emails.

4) Limit access to sensitive data: Restrict who can view or share sensitive customer data. Fewer people with access means fewer chances for accidental or intentional data leaks.

5) Implement emergency verification procedures: Have a clear verification process in place for “emergency” data requests, including steps for double-checking with higher management or legal teams before responding to any urgent request for customer information.

Illustration of a scammer at work (Kurt “CyberGuy” Knutsson)

Is there something you need to do?

This particular phishing scam mostly targets big tech companies, so there’s not much you can do directly. However, it’s a reminder that you shouldn’t automatically trust an email, even if it comes from a .gov address. Here are some steps you can take to stay safe.

1) Double-check email addresses and links: Even if an email looks official, take a moment to check the sender’s email address and hover over any links to see where they actually lead. Be cautious if anything looks off. The best way to safeguard yourself from malicious links is to have antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe. Get my picks for the best 2024 antivirus protection winners for your Windows, Mac, Android and iOS devices.

2) Enable two-factor authentication (2FA): Use 2FA for all sensitive accounts. This extra layer of security helps protect you even if your login credentials are compromised.

3) Stay updated on phishing scams: Keep an eye on the latest phishing tactics, so you know what to look out for. Regular updates help you spot new types of scams before they affect you.

4) Verify suspicious requests: If you get an unexpected email asking for sensitive info, contact the sender directly through an official channel to confirm the request.

Illustration of a scammer at work (Kurt “CyberGuy” Knutsson)

DON’T LET SNOOPS NEARBY LISTEN TO YOUR VOICEMAIL WITH THIS QUICK TIP

Kurt’s key takeaway

Scammers are taking phishing emails to a whole new level. I often recommend checking the email carefully when you receive anything suspicious to see if it’s legit. But now, since scammers can even access government emails, you need to be extra cautious. This phishing scam seems to target mostly big tech companies, so it’s on them to strengthen their security and verify every request thoroughly before sharing any user information. It’s also up to governments worldwide to protect their digital assets from being compromised.

What’s your stance on how governments are handling cybersecurity? Are they doing enough to protect sensitive data? Let us know by writing us at Cyberguy.com/Contact.