Consumers all over the world are feasting on delivery food—the industry is expected to reach $213 billion in market size by 2030. That’s a lot of takeout. It’s also a lot of room for fraudsters to make a quick buck at your platform’s expense.
Food delivery platforms are often multi-million or even multi-billion dollar enterprises. One policy violation here or there from an otherwise good user isn’t going to break the bank. It’s when career fraudsters get involved that we start to see significant losses.
Just like your company employs certain solutions to help with your business operations and infrastructure, career bad actors are also on the hunt for tools that make their lives easier. Sometimes, other fraudsters have already developed these tools, and they’re willing to sell them.
Fraud-as-a-Service (often abbreviated as FaaS) is what happens when one bad actor sells a tool or method to another bad actor.
In a webinar with About Fraud titled “Unmasking the Advanced Tools Powering Fraud-as-a-Service,” Incognia’s Global Head of Industry Eduardo Pires gave this expanded definition of FaaS:
“FaaS is a cybercrime business model in which bad actors sell tools, infrastructure, and expertise that enable others to commit fraud more easily and efficiently.”
FaaS products can look like a lot of things: written guides on how to commit fraud, software tools, generative AI products, fake documents, fraud someone else commits on your behalf, and more.
The biggest headline to keep in mind is this: Fraud-as-a-Service makes it easier, quicker, and cheaper for a larger number of fraudsters to attack your platform at scale.
For an example of how FaaS tools can supercharge fraudster operations, below are just three of the popular FaaS tools Incognia sees with our food and grocery delivery customers—app cloners, emulators, and image injection tools.
On a web browser, you can open the same website in two different tabs at once. But on a mobile app, you can normally only have one instance of that app open at a time.
This makes life hard for fraudsters that target mobile-based food delivery platforms, because they normally have to manage a large number of different accounts to commit fraud at a profitable scale.
As Eduardo says, “If you have fake accounts, you can do pretty much any type of scam.” Incognia has seen fraudsters create hundreds of fake accounts to abuse promotions and vouchers—in one instance, a single device accessed 400 different accounts and cost the company almost 2,000 euros over a 30-day period.
But if a bad actor wanted to control multiple accounts from one instance of the app, they’d have to log out and back in every single time they switched accounts.
Not only is this super time-consuming, but it could also increase the fraudster’s chances of having their device ID flagged and blocked, meaning even more time invested in device fingerprint obfuscation to keep their access to the app intact.
In short, multi-accounting on one app instance at a time is:
Theoretically, you could buy multiple devices and download the app on each of them. And to be clear, plenty of fraudsters do this to help maximize their reach.
But what if a fraudster could access multiple instances of the same app using just one device?
That’s basically what an app cloner does.
If I can normally only have one instance of App A running at a time on my phone, downloading the premium tier of an app cloning tool means I can now run as many as twenty instances at once, all logged in to different accounts. The more a fraudster pays, the better cloning features they can get.
Combined with other tools like emulators and virtualizers, this technology has the power to grow a fraudster’s pool of available accounts exponentially.
Having a large pool of available user accounts means scale. For example, if a fraudster is running a promo abuse scheme that relies on claiming as many new user discounts as possible, that means the more accounts they can create, the faster they can create them, the more money they can make—money that the victim platform loses.
As Eduardo sums it up in the About Fraud webinar, “Fraudsters calculate ROI all the time…This tool can definitely help them make fraud easier.”
Emulators are desktop software tools that have the power to create a virtual version of a device. They were originally created to help mobile app developers test their products on a variety of different devices and locations from a single location and computer.
In the hands of organized bad actors, however, they serve a different purpose—helping fraudsters get maximum reach for minimum cost.
In the image below, you can see an emulator being used to manage six virtual devices at once. If you look closely, you’ll also see that all of these virtual devices are also running an app cloner with ten instances of Telegram apiece.
Tool combinations like these are how fraudsters can easily get into the dozens or hundreds of fake accounts. Having this large pool of accounts at their disposal helps accelerate profits, but it also helps with ban evasion. If one of these accounts gets caught and banned, it’s no big deal. Your bad actor has about one hundred more waiting for them to get right back to work.
Driver fraud and unauthorized driver account sharing are becoming increasingly visible problems for food delivery companies. In September of 2023, the New York Times reported on an underground economy of food delivery accounts “for rent” to drivers without work authorization in New York City. In July of this year, a Brazilian woman made headlines for running an account renting scheme on food delivery and rideshare apps that made her over $700,000.
Food delivery platforms have been quick to try and address the account sharing problem, and live selfie verification at the start of driver shifts is one of the potential solutions apps have started using. Unfortunately, there are FaaS tools that can exploit facial recognition, too.
In the same About Fraud webinar linked above, Incognia’s Global Head of Industry Eduardo Pires played a demo video for a FaaS tool that can map a victim’s face onto a fraudster’s, defeating liveness detection. But it doesn’t even have to get that complicated.
Incognia has also encountered FaaS tools that allow fraudsters to inject images and videos from their camera roll into the selfie verification process—defeating the “real-time” element of selfies for driver authentication.
These tools are bad news for food delivery platforms.
But there’s good news, too. Fraud-as-a-Service tools can be countered.
Fraud-as-a-Service tools like the ones above aren’t invisible. They leave traces of their presence behind, and solutions like Incognia’s tamper detection layer can pick up on these traces and increase a given device’s risk assessment level.
Incognia also employs two other layers—precise location and device fingerprinting—to help link a user’s identity to the accounts they access, meaning increased visibility in multi-accounting and ban evasion attempts.
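The account linking described above can be pictured as a graph problem: accounts that share a device belong to the same cluster, and a cluster containing a banned account points to likely ban evasion. The following is an added example, not Incognia's implementation. It assumes a stable device identifier is already available, and the event fields, threshold, and sample data are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events: (ISO timestamp, device_id, account_id).
EVENTS = [
    ("2024-05-01T10:00", "dev-A", "acct-1"),
    ("2024-05-01T10:05", "dev-A", "acct-2"),
    ("2024-05-02T09:00", "dev-A", "acct-3"),
    ("2024-05-03T12:00", "dev-B", "acct-3"),
    ("2024-05-03T12:30", "dev-B", "acct-4"),
    ("2024-05-04T08:00", "dev-C", "acct-5"),
    ("2024-03-01T08:00", "dev-C", "acct-6"),  # older than the window
]
BANNED = {"acct-2"}  # constructed ban list


def find(parent, node):
    """Union-find root lookup with path halving."""
    parent.setdefault(node, node)
    while parent[node] != node:
        parent[node] = parent[parent[node]]
        node = parent[node]
    return node


def link_accounts(events, now_iso, window_days=30):
    """Return accounts per device and clusters of accounts joined by shared devices."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=window_days)
    parent, per_device = {}, defaultdict(set)
    for ts, device, account in events:
        if datetime.fromisoformat(ts) < cutoff:
            continue  # ignore activity outside the look-back window
        per_device[device].add(account)
        root_d, root_a = find(parent, ("d", device)), find(parent, ("a", account))
        parent[root_d] = root_a  # merge the device's group with the account's
    clusters = defaultdict(set)
    for kind, name in list(parent):
        if kind == "a":
            clusters[find(parent, (kind, name))].add(name)
    return dict(per_device), list(clusters.values())


def review_queue(events, banned, now_iso, max_accounts_per_device=2):
    """Flag busy devices and unbanned accounts linked to a banned one."""
    per_device, clusters = link_accounts(events, now_iso)
    busy = {d for d, accts in per_device.items() if len(accts) > max_accounts_per_device}
    linked = set()
    for cluster in clusters:
        if cluster & banned:
            linked |= cluster - banned
    return busy, linked
```

In the sample data, `acct-4` never touches the device used by the banned `acct-2`, yet it is still surfaced because both are connected through `acct-3`.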
It’s important to note that while being able to detect Fraud-as-a-Service tools is necessary, it’s also only one piece of the puzzle when it comes to stopping fraud on food delivery platforms. These tools are only tools for enterprising fraudsters. Those fraudsters are the ones you really want to stop, and device, location, and tamper detection all work together to attack the fraudster problem at the root.
To learn more about how Incognia is helping food delivery platforms combat sophisticated fraud tools, visit our food delivery industry page.