Main policy violations & scams in food delivery apps Featured Image

Main policy violations & scams in food delivery apps

Are you a food or grocery delivery app? Find out what policy violations & fraud are on the rise, and steps for protecting your app.

What food & grocery delivery apps need to know about policy violation

Policies are a critical part of a platform’s operations. By outlining how the app is meant to be used and by whom, the platform administrators can set guidelines for user behavior and outline potential consequences for violating those guidelines.

In an area like food and grocery delivery, both the consumer and courier sides of the app need a policy to ensure that users are treated fairly and safely by other users, and that there are consequences when that’s not the case. However, in order to enforce these policies, the platform needs to be able to detect users that are violating them, which can be easier said than done. 

What’s the difference between fraud and policy violations?

Fraud and policy abuse are related concepts, but there are important distinctions between the two. The word fraud implies a potential breach of legality in addition to breaking the platform’s terms of service—for example, doing an account takeover and then stealing funds using that unauthorized access. On the other hand, policy violations are abuses in which no laws are broken, but where the app is still used against its stated purpose for the violator’s personal gain.

For example, on a food delivery app, a driver might violate policy by allowing someone else to use their driver account or by using location spoofing to claim orders outside of their actual area.

In an About-Fraud webinar about gig economy scams, Vishal Kapoor, director of product at Shipt, explained the differences between the two in greater detail:

“That is the distinction. Fraud is really black and white, ‘This isn’t what you're supposed to do.’ You're doing something illegal, you're taking over somebody's account, you're switching bank accounts, you're scamming somebody out of their money.”

By contrast, Kapoor explains that policy abuse and violation of policy can be much subtler. As an example, he explains that some grocery delivery apps offer drivers credit for returning orders to the store in the event that a customer can’t be reached for delivery. This policy should be a win-win: the driver receives fair compensation for the work they put into the order, and the undelivered groceries don’t have to go to waste.

However, as Kapoor points out, unscrupulous drivers could easily take advantage of this policy by falsely claiming that orders were undeliverable in order to receive a partial payment without actually attempting delivery. “Sometimes a monetary policy may incentivize them to, instead of finishing the job, return [the order] and make an extra dollar.”

This is a prime example of policy abuse. In Kapoor’s example, the driver is taking advantage of a loophole in the policy for personal gain, but isn’t breaking any laws.

While much of the focus of fraud prevention centers around account takeover, identity theft, and CNP fraud, policy abuse can easily cause significant financial damage if left unchecked. It also has the potential to do significant damage to a brand’s reputation, revenue, and Trust & Safety efforts. 

The widespread impact of policy violations 

While policy violations aren’t illegal, their impact can still be severe. Bad actors violating a platform’s policy can have a tremendously negative effect on the platform and its policy-abiding users.

For example, bad actors creating fake accounts to take advantage of new user promotions can impact a platform’s user acquisition metrics and its ability to budget for promotional campaigns effectively. Fake account creation at scale can also make it difficult to discern how many discrete users are actually joining or using the platform. 

The impact of policy violations also extends to other platform users. For example, a driver using location spoofing to claim orders outside of their actual area may cause customers to wait an unreasonably long period of time for their food to arrive. Those customers might also be left hungry if the driver chooses not to show up because of the distance.

But it’s not just drivers abusing policies. Customers do it too. Some consumers offer artificially inflated tips to entice drivers to accept their order, only to switch the tip to a lower amount after order completion. This process, known as “tip baiting”, is a policy violation in apps like InstaCart.

Like traditional fraud, these experiences of abuse result in frustration and negative associations with the platform for the users that are affected. In these scenarios, the platform gets impacted twice: first by the direct monetary consequences of policy violations, and second by the reputational and user retention damage. And unfortunately, the negative effects of policy violation don’t stop there.

If left unchecked, violations of policy can easily escalate to more severe forms of fraud. This is true because many policy violators use the same methods as fraudsters to avoid detection and accountability. For example, a common form of policy violation is the creation of multiple fake accounts to take advantage of promotional codes and other perks. However, the fake account method is also used for common forms of fraud, such as social engineering scams in which  good users are conned out of their money.

In both instances, the fake account isn’t associated with the bad actor’s true identity, so even if the account is banned, the fraudster can just make a new one to replace it.

In addition to all these negative effects, policy violation also undermines an app’s underlying integrity. Policies exist for a reason. If a platform has a widespread policy abuse problem, they’ve effectively lost the ability to govern and execute their application in the way they intend, something that no app developer wants. 

Which policy violation schemes are on the rise in food and grocery delivery? 

While violation of company policy happens on both the consumer and the courier side, many of the most prevalent abuses take place on the courier side.

Here are just a few policy violation examples from couriers in the food delivery market:

1. Location spoofing 

Untrustworthy drivers often use location spoofing to report false location information to the app to take advantage of higher-paying orders or claim credit for orders they never completed. Location spoofing can also be used to mask the location of “fraud farms,” or locations where fraudsters use up to hundreds of devices at a time to maximize their earning potential. 

2. Fake account creation and multi-accounting

Having multiple fake accounts allows policy violators to take an exploited policy from a one-and-done event to a profitable, scalable scheme. Multi-accounting also helps bad actors avoid accountability by providing them with numerous burner accounts to switch to in the event that one of their accounts gets caught and penalized.

By using multiple accounts, bad actors can commit promo abuse, expand their location spoofing potential, and avoid a permanent ban by jumping from account to account. 

3. Promo abuse

In promotional abuse, bad actors take advantage of coupons, promo codes, referral bonuses, and other types of promotional discounts or credits by using tools like app cloners and creating multiple accounts to claim the same promotion multiple times. 

4. Unauthorized account sharing 

Most delivery apps conduct background, work authorization, and ID checks on contractors that sign up to work on their platform. These checks are used to keep the app in compliance with labor laws and to ensure that the company has some level of knowledge of the people who will be interacting face-to-face with the app’s consumer-side users.

When drivers allow unauthorized people to use their driver account, it removes the app administrators’ control over who does business using their app, and it can create a potentially dangerous situation for users. In one example from Chicago, an unauthorized person using someone else’s UberEats account leveraged that access to steal packages out of an apartment complex mailroom.

5. Taking advantage of good-faith policies 

Policy abuse can also look like bad actors taking advantage of a policy that’s actually established to protect couriers or consumers, as in the earlier example provided by Vishal Kapoor about drivers claiming an order was undeliverable in order to falsely claim money.

Here’s another example: A grocery delivery app might have a policy to partially pay drivers when a customer’s requested groceries are out of stock. In this instance, a policy abuser could falsely claim that all groceries were out of stock in order to claim the partial credit without ever attempting to fulfill the order.

How can platforms protect themselves from policy abuses and violations? 

In most cases, waiting until policy abuse occurs to respond to the threat means unnecessarily sacrificing valuable resources and increasing risk. A more proactive approach can dovetail with existing fraud prevention strategies and provide a more efficient solution to the problem of violated policies. 

1. Solid upstream intervention can prevent bad downstream outcomes 

Knowing who users are can go a long way in preventing fraud or policy violations before they occur. An appropriate form of identity verification (IDV) at onboarding can help prevent negative downstream outcomes by increasing the risk and effort needed for a bad actor to join the platform. A bad actor who is forced to either use their true identity or find a way to circumvent an IDV check is much more likely to leave that platform in favor of an easier target.

One of the main concerns with implementing IDV at onboarding is the possibility of increasing friction and frustrating users, which can hurt new user acquisition and user experience. Fortunately, some types of IDV–like real-time address verification using a precise location intelligence solution–can occur passively, meaning there’s little to no increased user friction required in exchange for increased security.

Leveraging a location intelligence solution for address verification also has the added benefit of increasing a platform’s ability to prevent fraud and policy violations. For example, Incognia’s Suspicious Locations feature identifies locations that contain a high density of devices with concerning risk signals, which allows platforms to proactively block activity from those locations. The additional context that precise location data provides can help platforms do better risk assessments and take action before abuse occurs. 

2. Stopping multi-accounting and ban evasion gets at the root of the problem

Creating multiple fake accounts is a lever that bad actors can pull to turn a policy violation scheme into a small-time abuse, and eventually into a profitable, scalable venture. Any person can sign up for the same promo code twice by using both their personal and work emails—but it’s the dedicated, organized fraudster that uses multi-accounting, multiple devices, and multiple app instances on one device to scam hundreds or more dollars out of a platform.

Multi-accounting also has the potential to drastically reduce the efficiency of user moderation by allowing ban evasion. To a bad actor with dozens or even hundreds of accounts, being caught and banned on one account means essentially nothing. In these cases, the individual can simply switch to an unbanned account and continue on as if nothing happened. Without a way to track users across different accounts and devices, the platform has no reliable way to link suspicious activity and ban the offender for good.

Tamper-resistant location intelligence and device intelligence are both proven solutions for identifying individuals across accounts, app instances, and devices. These solutions ensure that banned users stay banned and that multi-accounting is difficult or very inefficient to do. Combining these approaches, as Incognia has done with the Location Fingerprint solution, creates an even more sticky, persistent method of identifying users.

By using location with place-level accuracy as an identity signal, platforms can identify suspicious individuals even if they switch devices, do a factory reset, or manipulate their existing device’s ID parameters to evade detection. Device intelligence combined with location behavior can also uncover early risk signals that point to the presence of app cloners, tampering tools, and GPS spoofing capabilities on user devices.

Policy violations may not violate the letter of the law, but they violate terms and conditions that platforms set to protect themselves and their user base. Without a solution for preventing policy abuses from spiraling out of control, platforms risk all of the reputational and revenue damages that are caused by traditional fraud.