Toronto woman wrongly billed for Uber ride in Poland says she feels 'violated'

A Toronto woman says she feels she was taken for a ride after beingbilled for an Uber tripordered on her account that she didn't take 7,000 kilometresawayin Warsaw, Poland.

Laura Hesp was at home in her apartment in Toronto on Mondaywhen she says she received a text saying an Uber driver would be there in five minutesto pick her up. The problem: she never ordered one.

Hesp says she thought it was it was a glitch and posted about the ride to theWeird TorontoFacebook group.

"Got a phantom text saying my Uber arrived I open the app and it's in Poland and for the next 10 minutes I can see this guy dropping someone off In Poland. What," Hesp wrote.

• Woman 'humiliated' after Uber driver allegedly offered to accept sex as payment
• 'He was being racist,' says Pakistani Muslim woman allegedly assaulted by Toronto Uber driver
• Police charge Uber driver with sex assault after Markham incident

Before long, Hespwas getting replies saying her account had likely been hacked.

'I kind of felt a little bit violated'

Hesp says she didn't know that was possible.

However, when the ride ended, she says she got an email with abill for the equivalent of about $3.75for the ride.

Hesp says she contacted Uber and told them what happened.

She says Uber refunded the trip, and told her tosecure her account bychanging her password and deleting her credit card information.

"I kind of felt a little bit violated, like someone else was impersonating me in an Uber And you can't really track down who that person was," she said.

In an email to CBC News, Uber security spokesperson Melanie Ensign said this type of fraud is usually caused by password reuse or phishing scams that trick a user into giving away their password.

Hackers target passwords, says security expert

The company says it doesn't store credit card information but nevertheless recommends users create a unique password not used for any othersitefor their Uber accounts.

Toronto-based security engineer Geoffrey Vaughan agrees.

A phishing scam, he explains, usually begins with an email telling a person their account has been compromised. The email will contain instructions for resetting a password and directs a person to a website that looks on the surface to belong to a legitimate company. When the user goes through the steps, they inadvertently give away their password, giving the hacker the keys to their account.

"It's not much different than any of your banking phishing emails or the Nigerian prince from however many years ago," Vaughan said.

"That's probably the easiest way that most people would go after targeting other Uber accounts," he said, adding the same kind of scams can compromise virtually any online account.

Vaughan recommends people use a password manager programs that generate and store unique passwords for a user's many accounts in asecure database, which can be unlocked by a single master password to keep their login information secure. He says that eliminates the needto remember every password and cuts down on the possibility of being hacked.

'You should be treating all emails as hostile'

Vaughan says keeping yourself safe from phishing scams all comes down to how much you trust the emails you receive.

"You should be treating all emails as hostile unless you can prove otherwise. You should never be clicking on a link until you're absolutely sure," he said.

Hesp may have learned that lesson the hard way, and now says she's changing all of her passwords.

Despite her experience, she says she was impressed with Uber's customer service and will continue to use it.

Even so, she says she'd like to see Uber put in place a way of confirming that the rider getting into the car is indeed the one the ride was meant for.

• Tech-savvy millennials getting scammed more than seniors
• 'Invulnerability illusion' leaves younger people exposed to web frauds

"It's hard because a lot of us order Ubers for other people but we definitely need to figure out a different way to make sure that that's the person that ordered it," she said.

As for who might have ordered a ride on her account halfa world away, Hesp says that, because there aren't generally cameras in Ubercars, there's likely no way to trace the person's identity.

"I guess we're never going to find out."