Food Delivery Fraud: Challenges in Ensuring Security for Platforms, Drivers, and Consumers

The U.S. is the second-largest online food delivery market​ and generated an estimated $218B in revenue in 2022. And experts predict the market will increase close to $500B by 2027. Due to the growth and increased demand, leading food delivery platforms such as Uber Eats, DoorDash​, and Grubhub are also facing the growing threat of fraud and abuse on both the customer and driver sides as scams and scammers become more sophisticated. This threat encompasses both sides of the transaction: customers and drivers, requiring collective vigilance and adaptive strategies to counteract evolving scams.

Amid this situation, there's been a crucial change. Seattle has put forward new rules, being the first in the U.S. to protect gig workers from sudden “deactivation.” This change shows how the industry is dealing with security, the economy, and how gig work works. This is different from what's usual, leading to a careful struggle between keeping workers' rights safe and finding real cases of fraud.

The job of telling apart real bad behavior from regular problems becomes a puzzle for delivery apps. Situations where workers are kicked off platforms for reasons like saying no to too many orders or facing delays that aren't their fault are now looked at more closely. Finding the right balance between catching real fraudsters and making sure workers aren't wrongly kicked off needs a good understanding of how the industry works.

As a starting point, there is a clear difference between consumer fraud and courier fraud and there are well-known techniques used by each. 

Consumer Fraud

Friendly Fraud: Also known as Chargeback Fraud, Friendly Fraud happens when a customer claims that they did not make an order or didn’t receive it. In both instances, the customer requests a refund, even if they did, in fact, receive the order. To prevent chargeback abuse, restaurants should ensure that they partner with delivery apps that have a policy of reviewing information before automatically granting refund requests.  In addition, restaurants should practice good record-keeping in the event that they need to present a card issuer with evidence that a transaction was legitimate. 

CNP Fraud: CNP, or card-not-present fraud, occurs on platforms where a physical card isn’t necessary to complete the transaction, such as on a food delivery app. Credit card numbers and other information can be exposed during data breaches or through an account takeover (ATO), where they are posted or sold for hackers and other bad actors who get access to the information. Fraudsters can then use a stolen credit number to place food orders for themselves or loan it out to the highest bidder. To help avoid CNP, consumers should watch out for any unusual or unauthorized activity on their cards and call their issuing bank immediately if they notice anything suspicious. In addition, businesses and food delivery apps should be on the lookout for suspicious activity to avoid CNP.

Account Takeover (ATO): With ​A​TOs, social engineering is used for phishing account information from customers or drivers. Fraudsters gain access to their account for financial gain and can steal funds, place fraudulent orders, or steal credit ​​cards and personal information for other use. In a ​worst-case scenario, a user can find themselves hundreds of dollars or more in fraudulent food charges, or they may file a chargeback through their bank and pass their losses onto food delivery apps and restaurant owners. Customers can protect themselves from ATO by enabling multi-factor authentication (MFA), using strong, unique passwords, and ​​avoiding saving credit card information to their delivery apps. ​For restaurant owners, they can protect themselves and their customers by being on the lookout for unusually large orders, expensive menu items, and unusual buying behavior from regular customers.

To help protect themselves against fraud impacting their food delivery experiences, customers should enable additional authentication methods  on their food delivery and financial accounts for an extra layer of protection. Additionally, customers should be wary of any unexpected emails or text messages, even if it appears to be from a legitimate source. Lastly, it’s important that incidents of fraud are reported to banks, apps, shipping company or any other companies that are involved.  and that delivery apps red flag or ban drivers if there are reports of wrongdoing.  

Courier fraud: GPS Spoofing: This is when delivery drivers use device and app tampering tools to scam the platform to earn more money. For example, a driver might use location spoofing technology to falsely extend the length of their deliveries and be paid more or appear in a location where delivery jobs are more lucrative. 

Fake Account Creation (also known as multi-accounting): As its name suggests, this is when drivers create more than one account and may use app cloning to run them all on one device, which gives them a higher chance of securing the jobs of their choice. 

Account Sharing: When drivers illegally lend their verified account to another person who either cannot get approved or does not want to go through the verification process.

Collusion Fraud: This happens when drivers work independently or in conjunction with other actors​, such as fake customers, grocery stores, and restaurants​, to create and complete fake orders using stolen cards. 

Incomplete Delivery: In this instance, drivers claim to deliver orders and receive payment for orders that customers didn’t receive.  

On the courier side, this changing situation brings a special challenge to delivery platforms. They need creative solutions to collect detailed information that can prove supposed "bad behavior." Delivery apps may be able to red-flag or ban certain driver accounts if they receive reports of wrongdoing. The need to distinguish genuine fraudulent activities from operational issues requires  accurate software solutions. 

Given this delicate balance, signals that enable delivery companies to passively distinguish between the two are critical.  For example, the ability to combine insights on real-time location data, transaction patterns, and user behavior has been proven to deliver accurate detection with low false positives.r. By collating these diverse data points, platforms can proactively build a case against fraudulent activity, providing the evidence needed to support 'egregious behavior' claims.

Staying Protected through Continued Growth

As Seattle pioneers this  legislation, the food delivery ecosystem must collectively rise to the challenge – not merely by complying with the regulation, but by embracing technology that redefines the boundaries of fraud detection. While food delivery is undoubtedly convenient and a great source of revenue for restaurants and food delivery apps, certain best practices, such as consumers enabling additional authentication methods and adopting a combination of precise location and device intelligence can keep all parties safe. 

This critical moment requires a collective effort from the entire industry to achieve a balanced state where security is upheld without unintentionally affecting workers' rights or impeding the ability to provide exceptional customer experiences.