JACKSONVILLE, Fla. – The Zheng family, owners of Wok House Jax, are speaking out after losing more than $60,000 when their DoorDash merchant account was hacked. They hope their story will help other small businesses avoid similar financial losses.
RELATED: Another one: Nassau County deputy completes DoorDash delivery after arresting driver
Many of the restaurant’s orders come from food delivery apps, which makes this financial blow particularly challenging. “In July, we found out that our DoorDash merchant portal account was hacked,” Jennifer Zheng said. Speaking on behalf of her parents, who own the restaurant but are not fluent in English, Jennifer explained that hackers altered their account details, redirecting the earnings from March to the summer of 2024.
The family discovered the breach only after struggling to pay bills, despite receiving emails stating funds were being deposited. “[My dad] was like, ‘This is so hard to pay the workers or keep up with the inventory cost when we don’t have these profits coming into our bank account.‘” Jennifer shared.
Jennifer also said at times to keep the business afloat, her father would take money out of his retirement account or borrow money.
She suspects a phishing email played a role, as they received an email appearing to be from DoorDash around the time the hack occurred. It requested account updates.
The family contacted DoorDash about the situation.
Jennifer said a few hours later the family received an email from DoorDash. The email said in part “After a thorough investigation by our team, we have determined that the appropriate reimbursement amount is $3,806.72. We understand that this may be disappointing, especially given the significant loss you experienced. Our goal was to ensure a fair resolution based on all the information available to us.”
Jennifer said that response was not what they were expecting. “We were like left speechless because a year’s worth of money that’s a very large amount for a family owned business,” she said.
Cybersecurity expert Chris Hamer said if business want to prevent something similar from happening to them, he advises they limit their account access, use strong two-factor authentication, and avoid storing passwords in locations that are accessible to others.
He also warns against verifying identities through unsolicited codes or links.
The Zheng family echoes this advice and encourages other business owners to monitor their accounts frequently. “Check your information weekly,” Kevin Zheng, Jennifer’s brother, recommended, stressing the importance of early detection.
The Zheng family hopes sharing their experience will alert others to the risks and encourage vigilance among small business owners relying on digital platforms.
News4JAX reached out to DoorDash, and a spokesperson said, this is likely “a scam called an ‘account takeover’ - not a hack.
They sent a statement:
“Scammers are a threat everywhere, and unfortunately DoorDash isn’t immune. We are urgently investigating this incident but we know how frustrating this is for owners and we will be reaching out directly to help.
We’re constantly working to further strengthen our anti-fraud defenses to protect merchants’ hard-earned money, including recently rolling out new multi-layered account verification and further advanced training for our specialist merchant fraud tram.
Importantly, we also regularly remind owners about the steps they can take to keep their account secure. Our most important tip to owners is simple - if you see something suspicious, contact us immediately. DoorDash spokesperson
The spokesperson also noted an account takeover is a type of scam where a merchant is tricked by the fraudster to share account information which is then used to gain access to the account and steal earnings.
They said this is rare and does not indicate a hack or breach of their platform, and is unfortunately a relatively common scam not unique to local commerce platforms.
The provided some tips below for owners to lookout for and how to stay safe:
Misspelled Names: Look for errors like “DoorsDash” instead of “DoorDash.”
Fake Case Numbers: Scammers might mention a support case number you never requested.
False Stories: Scammers often create stories about why they need your documents.
Document Requests: DoorDash will never ask for documents unless you’ve started a support request.
- If you’re unsure, reach out to DoorDash support to confirm if the request is real.
- Protect Your Info: Keep your personal and DoorDash account details private. Never share your Dasher account or email password with anyone.
- If someone asks for your password or security code, don’t share them - even if the request seems legitimate.
- Check Email Domains: Always double-check the sender’s email for spelling errors or inconsistencies.