The trustworthiness of couriers on a delivery app is crucial to that platform’s success. Even a single bad experience with a courier can be enough to make a customer swear off using that app for future purchases, creating both reputational and financial damage to the company. When contracted couriers commit scams against a delivery app or its user base, that poses a threat to the company’s reputation and longevity.
Courier scams happen when employees or contractors for food and grocery delivery apps take advantage of consumers’ trust in the app for personal gain. Couriers can also run scams that affect the platform itself.
One simple example of a courier scam might look like a driver who accepts an order, picks up the food, eats it themselves, and then cancels the order or falsely claims that someone else took the food. While this obviously creates a bad experience for the individual customer and is a nuisance to the platform, it’s not the worst of the worst.
For courier scams, the “worst” might look like a point-of-sale (POS) scam, in which drivers pick up a customer’s food, cancel the order, and then show up at the customer’s address anyways, claiming that a glitch in the app canceled the order. They then produce a POS and say that the customer can use it to pay for the food.
But what the customer doesn't know is that the scammer has modified the POS. When the customer swipes their credit card, it might look like their total is “$30.00” when in fact they’re actually authorizing a transaction for $3000.
Courier scams are insidious because they take advantage of the trust consumers have in the mutually beneficial relationship established through the platform. When courier scammers act, there are three victims: the consumer, the platform, and the trust that previously existed between the two.
Courier scams pose a significant challenge for delivery apps, but what tools and techniques do bad actors use to make them possible? Here are a few examples.
Put simply, location spoofing is when someone tampers with their device in order to manipulate the location signals being shared with applications collecting this data. Using this technique, users can make it appear as though they are in a different location.
Though it may sound technical, all someone needs to do to edit the GPS location of their device is to download an app from the Google Play Store or Apple App Store. Putting a device into “developer mode” is another popular way to spoof location data. It is also worth noting that the vast majority of applications consider GPS spoofing to be a violation of their user terms and conditions.
Once they are transmitting false location data to the app, couriers can carry out several different scams. In one example, a courier who gets paid by the mile might artificially inflate the mileage it takes them to complete an order.
Couriers in an area with cheap fares and tips might also spoof their location data to place them in a higher-paying area, allowing them to access orders they otherwise would’ve been too far away to see. They may also take things one step further and use spoofed location data to claim payment for orders that they never actually completed.
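As an added illustration (not Incognia's method and not code from this article), a platform can run a server-side plausibility check over a courier's location pings to catch the crude forms of the scams above: jumps no vehicle could make, and mileage claims the trace does not support. The `Ping` type, the thresholds and the sample traces are assumptions constructed for this example.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0088
MAX_SPEED_KMH = 150.0      # assumption: upper bound for a road courier
MILEAGE_TOLERANCE = 1.25   # assumption: claim may exceed the trace by 25%

@dataclass(frozen=True)
class Ping:
    ts: float   # server receive time, seconds
    lat: float
    lon: float

def haversine_km(a: Ping, b: Ping) -> float:
    """Great-circle distance between two pings in kilometres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlon = math.radians(b.lon - a.lon)
    h = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def review_trip(pings, claimed_km):
    """Return (credited_km, flags) for one delivery's location pings."""
    flags, credited_km = [], 0.0
    ordered = sorted(pings, key=lambda p: p.ts)
    for prev, cur in zip(ordered, ordered[1:]):
        dist = haversine_km(prev, cur)
        hours = (cur.ts - prev.ts) / 3600.0
        if hours <= 0 or dist / hours > MAX_SPEED_KMH:
            # A jump no vehicle could make: flag it and do not pay for it.
            # Sub-50 m moves are treated as GPS jitter and only skipped.
            if dist > 0.05:
                flags.append(("impossible_jump", cur.ts))
            continue
        credited_km += dist
    # Compare the courier's claimed distance with what the trace supports.
    if claimed_km > credited_km * MILEAGE_TOLERANCE:
        flags.append(("mileage_exceeds_trace", None))
    return round(credited_km, 2), flags

# Constructed sample traces (not real data): one ping per minute.
HONEST = [Ping(60.0 * i, 40.0 + 0.0045 * i, -75.0) for i in range(5)]
SPOOFED = [Ping(0, 40.0, -75.0), Ping(60, 40.0045, -75.0),
           Ping(120, 40.2, -75.0), Ping(180, 40.2045, -75.0)]

if __name__ == "__main__":
    print(review_trip(HONEST, claimed_km=2.2))
    print(review_trip(SPOOFED, claimed_km=23.0))
```

Checks like this only catch physically implausible traces, so they complement rather than replace device-side tamper detection.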
Location spoofing has a low barrier to entry with a high potential payoff. In addition to location-focused courier scams like those listed above, location spoofing can also act as the first step towards enabling other types of policy abuse.
Because location is one of the signals that platforms use to identify users, being able to spoof it enables bad actors to more easily mask their identities. This opens the door to other forms of fraud and abuse, such as multi-accounting.
Importantly, location spoofing is also linked to higher rates of undesirable courier behavior, like late or incomplete deliveries.
Multi-accounting, also known as multiple accounting or multiple account fraud, happens when an individual opens more than one account on the same platform with the intention of using them to exploit that platform for personal gain.
A bad actor will often use multi-accounting to abuse new user promo codes or referral programs. Regardless of the end goal of the scam, multiple accounts are almost always needed to scale illicit behavior. This ability to multiply is what makes multi-accounting a particularly potent threat; it allows what would be a limited instance of scamming to grow using dozens or more accounts.
Organized fraud rings, also called fraud farms, can have dozens of team members all creating and operating multiple accounts, multiplying fraud losses and reputation damage exponentially for the affected platform.
Similarly to location spoofing, bypassing the device identification capabilities of an organization enables individuals to mask their identities by making one device look like many or many devices look like one. Essentially, bypassing device ID can rob a platform of its ability to identify the same person under different names or account details.
If a platform catches one of its couriers committing policy abuse and bans them, that person could manipulate the parameters used to identify specific devices (such as OS version, screen resolution, etc.), use new identity information, and rejoin as though they were a completely new courier. This maneuver can turn fraud fighting into a constant cycle of rebanning repeat offenders.
Sometimes, policy abuse can happen when users take advantage of good-faith policies intended to ensure drivers earn fair pay for their work despite the intervention of circumstances outside of their control.
In the fourth episode of the Trust & Safety Mavericks podcast, Vishal Kapoor of Shipt described how such abuses can happen, giving the example of policies intended to pay grocery delivery workers even in the event that many of the customer’s requested groceries are out of stock.
However, when dishonest actors join the equation, a good-faith policy can become a point of vulnerability.
“If [there was] a genuine case where somebody went to the store and items were not available, we are liable to pay that independent contractor, that gig worker. We are liable to pay them, because it's the right thing to do… But then there are bad actors who pretend that they are at the store, and they can mark everything out of stock, because the [app] allows it. Now what do we pay them? Do we not pay them?”
This example illustrates how bad actors can take advantage of a platform by abusing good-faith policies in a way contrary to their intended use.
When fraud and abuse occur on delivery platforms, there are often three different types of victims: the customer, the honest couriers, and the platform itself.
When a legitimate user is the victim of a courier scam, it’s obviously an unpleasant experience. But the buck doesn’t stop there—not only does the platform take a hit to its reputation, customer satisfaction, and potentially user retention goals, but the customer will likely also request a refund or report a chargeback.
Lastly, the livelihood of honest couriers may be negatively impacted because they are unable to compete with bad actors using multi-accounting techniques to vacuum up all of the most high-value orders available.
Because delivery customers are used to sharing their location data in exchange for restaurant recommendations and a better UX, using geolocation to confirm identity information is a natural solution for courier apps. That said, industry-standard technologies, like GPS, aren’t enough to prevent bad actors from defrauding the platform.
The first problem with GPS is that it can be easily manipulated. Spoofing methods don’t require a high level of technical expertise, and they can be expanded to all of the devices and accounts in a fraudster’s arsenal, making GPS an ineffective tool to pin down and ban repeat offenders.
The next challenge is accuracy and, more specifically, the false positives that result from a lack of accuracy. The last thing a platform wants to do is block a good user by accident. When GPS isn’t accurate enough to differentiate different people in the same household, or different apartments within a building, false positives are the result.
In order to be an effective fraud prevention solution, location technology needs both high accuracy and resilience against spoofing. Incognia’s tamper-resistant location uses a combination of different signals including GPS, cellular, WiFi, and Bluetooth in order to make a unique location fingerprint for each individual user, even if they switch or reset their devices.
This combination of signals also makes this solution more accurate than GPS alone, reducing the chance of false positives. For example, Incognia’s false positive rate is 0.0013%, meaning good users don’t become casualties in the fight against courier scams.
It’s clear that courier apps need a way to link individuals with accounts and devices if they want to prevent scams and other abuses, but current industry standard solutions aren’t doing enough against spoofing and other circumvention techniques.
By relying instead on new solutions that use a combination of different location signals and have built-in tamper detection features, platforms can enjoy strong fraud prevention that doesn’t increase frustration or false positives for good users.
If you’d like to learn more about location and how Incognia uses it to achieve results like a 97.5% reduction in social engineering fraud, you can read our food delivery case study here.