
Hackers Are Stealing Your Delivery App Payouts

A Brooklyn restaurant owner logged into her Grubhub account in April and found $7,000 missing. The money had been redirected to a hacker who changed her banking details, and Grubhub told her whatever was lost was lost. She only got traction after a local news crew got involved.

This is not an isolated incident. Delivery app account takeovers are hitting independent restaurants across the country, and the platforms' default position is that you are responsible for keeping your account secure. That means if a scammer gets in and redirects your payouts, you may not get that money back.

What Is Actually Happening

On April 7, 2025, Miguel Tufino and Elsa Zamora, owners of El Nopal in Park Slope, Brooklyn, received an email from Grubhub notifying them of changes to their account. They called immediately to flag it. Three days later, they confirmed they had been hacked and $7,000 in payouts had been stolen. For two weeks, they were locked out of their own account. Grubhub only engaged after News 12 reached out on the restaurant's behalf.

The same scheme has hit Uber Eats merchants. Two Chicago restaurant owners, Jackie Jackson of Fatburger in Chatham and Patricia Gonzalez of Healthy Substance in Garfield Ridge, each lost nearly $20,000 after scammers accessed their Uber Eats accounts and changed the banking information. Jackson had warned Uber Eats before the payment was issued. They sent the money to the hacker anyway. Uber Eats' response: merchants are responsible for keeping their accounts safe.

Grubhub also disclosed a separate data breach in February 2025, in which a hacker accessed customer and merchant data through a third-party contractor. The breach exposed names, email addresses, phone numbers, and partial payment card information. That created a fresh pool of compromised credentials that bad actors can use to target merchant accounts.

The attack pattern is consistent across platforms. Scammers gain access to a merchant account through phishing emails, credential stuffing, or social engineering, then change the bank account details in the payout settings. The platform processes the next payout cycle and sends your money to the fraudster's account. By the time you notice, the funds are gone.

Why Platforms Are Not Going to Save You

Uber Eats told ABC7 Chicago that both Chicago restaurant owners had fallen victim to an imposter scam outside of their platform and that merchants are responsible for keeping their account information safe. Grubhub told El Nopal's owners that whatever was lost was lost, until a TV news crew called.

This is the standard playbook. Platforms process thousands of payout transactions daily. When a bank account change is made in the merchant portal, they treat it as a legitimate update. They are not verifying that the person who made the change is actually you. And when the money is gone, their terms of service give them significant cover to deny responsibility.

Account takeover fraud in the restaurant sector jumped 72% year-over-year in 2024, targeting more than 130 brands, according to Synovus. Restaurants lose 4 to 5% of their profit to fraud annually, up to $6 billion across the industry. For an independent operator running on 5 to 7% margins, a single account takeover can wipe out months of profit.


What You Need to Do Right Now

Log in to every delivery platform you use (DoorDash, Uber Eats, Grubhub) and verify the bank account on file. Do this today. Check that the account number, routing number, and account holder name match your actual business account. If anything looks off, contact the platform's merchant support immediately and do not wait for the next payout cycle.

Change your passwords on every platform. Use a unique password for each one, not the same password you use for email or other accounts. If a platform offers two-factor authentication (2FA), turn it on. DoorDash and Uber Eats both support 2FA. This single step makes it significantly harder for a scammer to access your account even if they have your password.

Train anyone on your team who has access to your delivery platform accounts. The most common entry point for these attacks is a phishing email: a message that looks like it's from DoorDash or Uber Eats asking you to verify your account or update your payment information. The link goes to a fake site that captures your login credentials. Tell your team: never click a link in an email to log into a delivery platform. Always go directly to the website.

Set a calendar reminder to check your payout amounts weekly. Compare what you received against what you expected based on your order volume. Most operators only notice something is wrong when a payout does not arrive. By then, one or two full payout cycles may have already gone to the wrong account. Catching it early is the difference between losing one week of revenue and losing a month.
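The weekly check described above can be scripted against a payout export. This is an added example, not part of the original article or any platform's tooling; the CSV columns, the `check_payouts` function, the 75% expected payout ratio and the sample rows are all assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample export. Column names and values are assumptions for this
# example, not any delivery platform's real report format.
SAMPLE_CSV = """payout_date,platform,gross_sales,payout_amount,bank_last4
2025-03-17,platform_a,4200.00,3150.00,4821
2025-03-24,platform_a,4400.00,3300.00,4821
2025-03-31,platform_a,4300.00,2100.00,4821
2025-04-14,platform_a,4500.00,3375.00,9930
"""

def check_payouts(csv_text, known_last4, expected_ratio=0.75,
                  tolerance=0.10, max_gap_days=7):
    """Return (payout_date, platform, reason) for every payout that needs review.

    known_last4: platform -> last four digits of your real business account.
    expected_ratio: share of gross sales you normally receive (assumed value).
    """
    findings = []
    last_seen = {}  # platform -> date of the previous payout
    rows = sorted(csv.DictReader(io.StringIO(csv_text)),
                  key=lambda r: r["payout_date"])
    for row in rows:
        day = date.fromisoformat(row["payout_date"])
        platform = row["platform"]
        # Payout sent to an account that is not the one you have on record.
        if row["bank_last4"] != known_last4.get(platform):
            findings.append((day, platform, "bank account mismatch"))
        # Payout well below what the week's order volume should have produced.
        expected = float(row["gross_sales"]) * expected_ratio
        if float(row["payout_amount"]) < expected * (1 - tolerance):
            findings.append((day, platform, "payout below expected"))
        # More than one cycle since the previous payout: one may be missing.
        previous = last_seen.get(platform)
        if previous and (day - previous).days > max_gap_days:
            findings.append((day, platform, "missed payout cycle"))
        last_seen[platform] = day
    return findings

if __name__ == "__main__":
    for day, platform, reason in check_payouts(SAMPLE_CSV, {"platform_a": "4821"}):
        print(day.isoformat(), platform, reason)
```

Set `expected_ratio` from your own payout history after commissions and fees, and treat any "bank account mismatch" as a reason to contact merchant support before the next payout cycle.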

If You Have Already Been Hacked

Contact the platform's merchant support immediately and document everything. Screenshot the unauthorized bank account details before you change them back. Note the exact date and time you discovered the change. File a report with your local police department; this creates a paper trail that can support a reimbursement claim. File a complaint with the FTC at reportfraud.ftc.gov.

Contact your bank as well. If the fraudulent payout was sent via ACH transfer, there may be a window to reverse it, typically 24 to 48 hours. Your bank's fraud team can advise on whether a reversal is possible and help you file a claim.

Escalate if the platform stonewalls you. Both El Nopal and the Chicago restaurants only got movement after media coverage. If you are not getting a response through normal support channels, file a complaint with your state attorney general's office. New York's AG secured a $16.75 million settlement from DoorDash in February 2025 over separate violations. These platforms do respond to regulatory pressure.

The Bigger Picture on Delivery Platform Risk

Account takeovers are one category of delivery platform risk. But they sit alongside a broader problem that most restaurant operators are not actively managing: unauthorized refunds and unpaid canceled orders. Platforms process these adjustments automatically and deduct them directly from your payouts, often without a clear explanation. Most restaurants never push back.

That is what Jelly handles. Restaurants using Jelly recover thousands of dollars per year in revenue that platforms deducted without authorization, refunds that were never legitimate, canceled orders that were never paid out. The recovery rate is 91%, there are no contracts, and there's a free trial. It does not protect against account takeovers, but it does recover the money that platforms quietly take through the normal course of operations.

The common thread across all of these issues (account hacks, unauthorized refunds, unpaid cancellations) is that delivery platforms are not designed to protect your revenue. They are designed to process transactions at scale. Protecting your money is your job. The operators who understand that and act on it are the ones who stay in business.
