In today's digital era, food delivery apps have become an essential part of our daily lives, offering unparalleled convenience and variety. However, this surge in popularity has also led to a rise in fraudulent activities, specifically ban evasion and account sharing. These practices, perpetrated by crafty fraudsters, pose significant reputational and financial risks to these platforms.
On the driver side, food delivery apps are hiring contractors to deliver food to their customers. Just like any other hiring process, that comes with some responsibilities on the part of the delivery app to ensure that individuals who are applying have the right to work in that jurisdiction. From a Trust & Safety policy perspective, platforms might also want to ensure that their drivers have a clean background check, e.g. no violent crimes or history of reckless driving.
Not everyone that wants to work with the delivery app can pass these sorts of identity verification or background checks, but that doesn’t necessarily stop them from finding a way to take orders and make money on the platform anyways.
Even if someone can’t personally pass the checks to work with a platform (or simply doesn’t want to, in the case of someone looking for quick or occasional cash), they might know someone who already has.
Imagine this scenario:
Person A wants to work as a driver for a food delivery app, but they have a history of traffic violations that would make them ineligible. But they’re friends with person B, who already has a verified account. In this case, Person A might offer Person B a portion of the money they make on the app in exchange for being allowed to use Person B’s account to take and fulfill orders.
Persons A and B both get money out of this arrangement; the people who lose out in this scenario are the food delivery platform and the customers, as we’ll explore in more depth below.
Unauthorized account sharing, just like any other violations of an app’s policy, naturally comes with consequences up to and including account termination. But just because a bad actor gets banned once doesn’t mean they’ll stay away. That’s where ban evasion comes into play.
Many fraudsters who target food delivery platforms rely heavily on multi-accounting; that is, violating the app’s policy by creating and using multiple accounts under different credentials. If one of their accounts gets caught and banned for committing fraud or abuse, they can easily switch to another and keep up the same scheming as before. Account sharing is another way for fraudsters to evade bans: if they don’t have fake credentials to sign up for another driver account, for instance, a fraudster might find and pay someone else for the use of their legitimate account.
Ban evasion presents a problem for a delivery platform’s Trust & Safety efforts, but the problem doesn't necessarily start after a ban happens. Sometimes fraudsters take advantage of advanced knowledge of a platform’s penalty system to skirt the line and commit as many offenses as possible without reaching the account termination threshold.
First example, say that a platform uses a three strike system for violations like not delivering customer orders, showing up late with an order, or getting caught spoofing location. The three strikes also need to happen within a given time frame in order to lead to a ban, such as within two years. Fraudsters who know the system will purposely keep track of the time and of their strikes. When one account gets close to the “ban” line, they’ll switch to another preemptively, to conserve as many active accounts as possible. This way, fraudsters can effectively start ban evading before a ban even comes down the pike.
There are some obvious problems one can imagine when platforms can’t stop unauthorized users from accessing their app and working as couriers, but there are also some less obvious causes for concern involved.
In Incognia’s own research, we’ve found that the risks of poor driver performance are much higher on accounts that are being shared or used for ban evasion. On one food delivery app, we found that the rate of incomplete deliveries among drivers that had switched accounts at least once was about two times higher than the average. We also found that the rate of incomplete deliveries for shared accounts was around 65% higher than the average. What does this show us? When fraudsters have accounts to spare or they’re under someone else’s name, they're much less careful with their performance.
To a certain extent, people are willing to order from delivery apps because they trust that the app has done some due diligence in choosing couriers to deliver food to someone's home or work address. If customers thought that just anyone could sign up to deliver for the app, they might feel differently about getting a late night craving dropped right at their front door... but that’s exactly what happens when someone shares their courier-side account with an unknown individual.
The reputational and liability risks are two times higher when a stranger is operating as a courier than when it’s a properly vetted driver. In one example from California, someone using another person’s UberEats courier account made headlines when he dropped off the customer's food but then stole packages out of their apartment building’s lobby.
Things get sticky when it comes to insurance, as well; if someone using another person’s account gets into an at-fault traffic accident, the platform could end up paying through the nose on liability insurance payouts for the victim(s).
When a fraud team or system makes the decision to ban someone, it’s typically for a good reason. When fraudsters can effectively disregard that ban as though it never happened, fraud fighters have no choice but to expend more resources getting rid of the same individual again—not to mention the fact that the company has to eat any fraud or reputational damage the fraudster can cause before they’re caught for the second time.
Every dollar that’s spent dealing with a previous offender is a dollar that could’ve instead gone to addressing new threats or incorporating stronger prevention signals. Instead, ban evaders force fraud teams to use their resources inefficiently.
Apps have measures in place to try to prevent these practices, but when it comes to combating the constant innovation of creative fraudsters, there’s always room for improvement.
Using a device to interface with the food delivery app means that fraudsters have at least some element of anonymity in their favor. If they can find a way to skirt a platform’s device ID and fingerprinting measures, they can use the same device but look like a new user over and over again. When it comes to legacy device fingerprinting solutions, it isn’t technically hard to do either. By wiping or factory resetting their phone, fraudsters can rejoin the platform as easily as if they went out and bought a new phone.
By using signals that can more closely tie an individual to the device they’re using, despite the usage of factory resets and other spoofing techniques, platforms can more accurately identify repeat offenders and prevent them from onboarding again.
Related to the above point, legacy device fingerprinting isn’t strong enough to stand up to the demands of today’s fraud world, but that doesn’t mean that device fingerprinting on the whole has gone by the wayside.
For instance, Incognia uses device fingerprinting in combination with location to create a more resilient approach to identifying individuals. Even if a device is factory reset, we've developed a way to analyze the device’s parameters (make, model, OS version, etc.) in combination with its precise location in order to identify that it’s the same device as before. This means that it can be blocked preemptively before the fraudster uses it to rejoin the app.
The precise location signals from our solution can even be used to earmark locations that have been associated with fraud in the past, down to the apartment level. This means that, even if fraudsters were willing to buy entirely new devices to rejoin the platform, we could still recognize that these new devices were being used in the same high-risk location. With this information, the platform could block the new devices before the fraudster ever had the chance to use them for fraudulent activity.
It’s not that food delivery apps don’t already use tools to combat ban evasion and account sharing. The problem is, fraudsters know about these tools, and they're constantly searching for and implementing new workarounds. One example is the factory resetting to evade device fingerprinting, as mentioned above. Implementing additional signals, like location, can help make device fingerprinting stronger.
However, signals like location should also be evaluated for how tamper-resistant they are. For example, GPS isn’t enough for fraud prevention because it’s easily spoofed by downloading an app or entering developer mode on the device. Instead, Incognia uses a combination of environmental signals to map locations, meaning that our solution can’t be easily tricked or spoofed by fraudsters. This is just one example of how to ensure fraudsters can’t find easy ways to get around the measures put in place to stop them.
The ongoing battle against fraud in the food delivery industry requires a multi-pronged approach. While fraudsters continue to innovate in their methods, it's imperative that these platforms remain a step ahead, constantly improving their security measures.
Stronger device-to-identity binding, persistent device fingerprinting, and tamper-resistant tools are key elements in this fight against fraud. Although traditional methods like GPS can be easily circumvented, next-generation solutions like Incognia's offer a more robust defense. Ultimately, maintaining integrity and trust in food delivery apps is crucial not only for the safety of users but also for the sustainable growth of these platforms.