Fraud prevention for food delivery companies

Learn about common scams in food delivery, the methods fraudsters are using to do them, and how food delivery companies can fight back.

Food delivery fraud prevention concerns

Food delivery fraud is a growing threat to the success of food delivery companies. From fake accounts and multi-accounting to promo abuse and policy violations, there are many ways that malicious actors can take advantage of these platforms for their own gain. In order to combat this problem, it's important for food delivery companies to have strong policies in place as well as effective fraud prevention measures.

In this post, we’ll provide an overview of the various types of food delivery fraud, how they occur, and what steps can be taken to prevent them.

Taking a bite out of profits: biggest food delivery fraud concerns today

In order to protect their profits and ensure customer safety, food delivery companies need to be aware of the various types of fraud-related activities that can occur on their platforms. 

Policy abuse and policy violations 

Policy abuse and policy violations are two of the most common forms of abuse on food delivery platforms. Policy abuse involves taking advantage of loopholes in a company's policies or exploiting them contrary to their intended use for personal gain, while policy violations involve breaking the terms and conditions set by the platform. Unlike traditional forms of fraud such as account takeover or credit card theft, policy abuse and policy violations don’t usually rise to the level of illegality. That said, their consequences can be just as severe. 

Policy abuse and violations can be difficult to detect because they often involve the misuse of a legitimate existing policy, or they’re committed using multiple fake accounts to avoid accountability. Having a framework in place to monitor how policies are used and followed (or not) can help mitigate the effects of organized policy abuse. 

Fake accounts and multi-accounting 

Fake accounts and multi-accounting are a major fraud concern for food and grocery delivery apps. A fake account is any account made using falsified or manipulated information, like a phony name, while multi-accounting refers to the use of multiple accounts by one person to take advantage of the platform in various ways.

Both of these activities can be used by bad actors to take advantage of discounts and promotions offered by food delivery companies, resulting in lost business profits. Fake accounts can also be used to evade bans in the event that a fraudster is caught and barred from the platform. And multi-accounting is a gateway method that opens the door for many other types of fraud and abuse, like policy abuse and promo abuse.

The best way to reduce fake accounts and multi-accounting is to use a combination of identity verification and tamper-resistant user identification, like the verification made possible by device and location intelligence. 

Courier scams 

Courier scams are another serious form of fraud that occurs on food delivery platforms. These scams are particularly concerning in terms of user safety given that couriers engage with other users in person, often at their homes or workplaces.

In courier scams, malicious actors exploit the trust that customers have in couriers and use it to steal their money or personal information. They may provide false payment information to customers or trick them into making additional payments before delivering their orders.

Employing robust identity verification methods at new courier onboarding is one way to weed out bad actors, as many wouldn’t want their real names and information associated with a job where they plan to commit crimes. Others will be hesitant to put in the effort required to fabricate a synthetic identity simply to commit courier scams. 

Account sharing 

This type of fraud involves customers sharing their account information with other unauthorized users in order to help the unauthorized user skirt around bans or security measures, such as background checks for contractors.

Account sharing can be done by creating false identities, using multiple accounts, or providing access to accounts through third-party sites. Account sharing poses a significant threat to trust and safety because of its potential to undermine the platform’s ability to have oversight over who is using the platform and how.

Strong, spoof-proof authentication methods can help prevent account sharing. Unlike a password or SMS code which can be shared, some authentication methods–like those that rely on behavioral biometrics–are very difficult for someone other than the account owner to complete.

Promo abuse 

Promo abuse involves taking advantage of promotions or discounts offered by food delivery companies counter to their intended use. For example, say that a food delivery app offers five dollars in app credit for each new signup. A promo abuser could create dozens or even hundreds of accounts to repeatedly take advantage of these credits. These abuses cost the business resources that won’t be returned in the form of new customers onboarding to spend money. 

One of the best ways to prevent promotional abuse is to stop multi-accounting, as it’s the most common way that bad actors can take advantage of promotions and discounts. As mentioned above, stopping multi-accounting requires you to find a persistent, tamper-resistant solution for identifying individuals across accounts and devices.

How courier scams happen

As we discussed above, courier scams take advantage of the bad actor’s position as a courier to abuse customers’ trust for personal gain. In this section, we'll discuss how courier scams happen and what steps can be taken to prevent them from occurring.

Point-of-sale scams 

In this social engineering scheme, a driver takes an order using the official app only to cancel the order after picking up the customer’s food. They then show up at the customer’s address with their food and claim that the app had a glitch which canceled the order and payment. They then present a point-of-sale (POS) system and tell the customer that they can make payment now in-person and still get their food.

If the customer agrees to pay for their food using the POS system, they could suffer any range of consequences from being charged a hundred times what they agreed to, all the way to having their credit card information stolen and sold to other fraudsters over the dark web.

Location spoofing 

Location spoofing is a type of fraud that occurs on food delivery platforms where malicious actors manipulate GPS data to benefit their own interests. Untrustworthy drivers often use location spoofing to report false information to the app in order to take advantage of higher-paying orders or claim credit for orders they never completed. 

For instance, a driver might accept an order and then use location spoofing to make it appear as though they’ve arrived at the customer’s home. They can then claim the customer never came to meet them, or that they dropped off the food at the front door, securing payment despite never moving. In the same way, fraudsters can also use location spoofing to change their operating radius to include higher-paying fares—even if it’s far enough away from where the fraudster actually operates to cause massive inconvenience to the customer. 

Location spoofing can also be used by 'fraud farms', which are locations where fraudsters use up to hundreds of devices at a time to maximize their earning potential. Location spoofing helps bolster the strength of fraud farms by helping them evade detection—if the devices can be manipulated into reporting to the app that they’re all in different locations, fraud prevention teams have no reason to believe they’re actually all part of the same operation. This use of spoofing can also make it difficult for fraud fighters to enforce blocks on locations that have been associated with fraud in the past. 

Fake accounts and multi-accounting 

Fake accounts and multi-accounting are the lever fraudsters can use to turn a small-time fraud scheme into a much larger, more profitable operation. By multiplying their earning potential across numerous accounts, fraudsters maximize their profit (and maximize losses for the platform and its customers) while also reducing risk to themselves. The more accounts a bad actor has, the less impactful it is when one account is caught and banned.

Sharing is caring? Account sharing on food delivery apps and its impact on Trust & Safety

Account sharing on the driver side 

Food Delivery Account Sharing

Account sharing between drivers is a policy violation for most food delivery apps. This practice presents a huge Trust & Safety vulnerability because it removes the app’s oversight into who is interacting with their customers in real life.

Driver account sharing involves one driver creating multiple accounts under different names, using another person's information or ID to establish an account, or providing their login credentials to other drivers. This practice presents significant risk to both the customer and the platform. Account sharing enables fraud by providing drivers with an expendable ‘burner’ account and by allowing ineligible drivers to skirt around the platform's screening process.

Account sharing on the consumer side 

Account sharing on the consumer side can be used for ban evasion by abusive customers, for example those who commit promotional abuse or act inappropriately towards drivers. Another common violation occurs when an account is shared with people who are outside of the account-holder’s immediate household. This allows unauthorized individuals to access a household-limited subscription that eliminates delivery fees or provides discounts to members.

What to know about promo code abuse and coupon fraud in food delivery apps

Promo code abuse and coupon fraud on food delivery apps is a growing problem that involves malicious actors taking advantage of promotions or discounts in a way that wasn’t intended by the business (e.g., claiming a one-time discount multiple times). This is enabled through the use of stolen accounts, multi-accounting with fake accounts, or by abusing good-faith refund or reimbursement policies.

Promo code abuse and coupon fraud can lead to significant losses for food delivery companies. To prevent this kind of fraud from occurring, food delivery companies should monitor suspicious activity on their platform and take action against violators quickly in order to protect the integrity of their promotional programs.

How does promo abuse in food delivery work? 

There are a few different ways that a bad actor might abuse a promotion on a food delivery app.

For example, imagine there's an app providing a 10% discount in exchange for new users providing their email address. A promo abuser with dozens of email accounts could download the app on multiple devices or use tools like emulators and app cloners to claim that discount many times.

In that example, even though the promotion was intended for many people, a good chunk of its budget would now have been used up by just one person. And for every additional bad actor that takes advantage of the same loophole, the damage can scale exponentially.

How does promo abuse hurt delivery platforms? 

Promotions are meant to do what they say on the tin: promote the app and its products. The goal of a promotional campaign is to provide incentives to new signups and existing users that will encourage engagement and spending—by nature, casting a wide net is an important part of that equation.

By abusing promotions intended for legitimate users, bad actors could siphon available budget away from users that might've joined the platform or spent more on the platform as a result of the promo code or coupon. Additionally, if people are using dozens of fake accounts to sign up for discounts, it's hard to know whether the campaign's success metrics are trustworthy or not, affecting the marketing team's decision making capabilities.

How can food delivery apps reduce promo abuse? 

Using fake accounts and multi-accounting are two of the main ways bad actors commit promo abuse. By limiting their ability to use fake email addresses and create multiple phony accounts, food delivery apps can take back control over their campaigns.

Location and device intelligence are two signals that can help identify individual fraudsters even in the event that they switch devices or accounts to take advantage of coupons or discount codes. Tamper-resistant location intelligence can identify users across devices, and device intelligence, including device integrity checks, can identify the use of tools like app cloners and emulators.

Video: What is promo abuse, and how can Incognia help you fight it? 

How food delivery apps are countering fraud (and how their efforts could be improved)

Despite the youth of the industry, fraud prevention is nothing new to food delivery companies. Even so, many fraud prevention solutions at work in the food delivery space aren’t measuring up to the task of keeping up with ever-evolving threats.   

Solutions being used today

Food delivery apps today are using a variety of fraud prevention solutions to protect their users, including two-factor authentication, biometric authentication, identity verification, and machine learning.

Two-factor authentication helps ensure that the person accessing an account is indeed who they say they are by requiring a second form of identification in addition to a username/password combination. Biometrics such as facial recognition and fingerprint scanning can further verify the identity of users.

Identity verification solutions usually require users to provide more information than just a username/password combination, such as a phone number or address. This additional data ensures that the user is who they say they are, helping to reduce fraud. Finally, machine learning algorithms can detect fraudulent behavior by analyzing patterns of user activity across the platform.

How food delivery apps could improve their efforts

Despite the various solutions being used by food delivery apps to counter fraud, there are still cracks in their approach.

For example, two-factor authentication is easily bypassed if an attacker has access to a user's device or messages. Biometric authentication can be fooled using artificial intelligence tools or still images made to resemble users—at least in cases where no liveness detection is used. Identity verification adds user friction and can be attacked with stolen or synthetic information, while machine learning algorithms struggle to keep up with the ever-evolving strategies of fraudsters.

To improve their efforts, food delivery apps should look into more advanced solutions that combine multiple methods of fraud prevention.

For example, Incognia's Location Fingerprint uses a combination of tamper-resistant location technology and device intelligence to assess the risk of a given user based on provided location information, device integrity, association with suspicious locations or risky devices, and more.

Building the ultimate solution

Building the ultimate fraud prevention solution demands more than just a strong risk assessment; it also requires ticking all of the boxes related to resiliency and user-friendliness that are best practices in fraud prevention.

In addition to combining signals for the strongest solution possible, Incognia's Location Fingerprint triumphs over the tampering, friction, and efficacy concerns of other fraud solutions.

Tamper resistant

Incognia's geolocation technology uses a variety of signals, including Bluetooth and WiFi, to build a comprehensive and spoof-resistant measurement of a device's location. In conjunction with device intelligence, this makes it very difficult for bad actors to tamper with device or location attributes in order to commit and conceal fraud.

Proactive response vs reactive response

Upstream risk signals allow platforms to react to threats proactively rather than reactively. A fraud detection solution that works after the fact may be effective for catching fraudsters in the aftermath of an abuse, but ultimately, the platform still has to absorb any associated reputational or financial damage.

When platforms can effectively screen for risk at onboarding, they can proactively decide what level of risk they're comfortable with assuming based on their risk mitigation policies and needs. Incognia's solution also works passively, meaning that it can provide risk assessments at onboarding without adding additional friction to the user journey.

Food delivery apps are quickly becoming a staple of everyday life for millions of users globally, and with that massive market size also comes massive risk and responsibility to protect against it. When platforms can take measures to detect and prevent fraud without compromising user satisfaction, they can have their food delivery and eat it too.

Schedule a Free Demo

One of our specialists will be glad to meet you and go over Incognia's capabilities.

To help us personalize our conversation for your business, please fill out the following form.