Death by 1,000 Cuts: Why Even “Small-Time” Fraud Matters on Food Delivery Apps

If we think of fraud as a scale, criminal fraud where people steal identities or money from victims, is probably at one end, and policy abuse, which often isn’t even illegal, is at the other. Policy abuses and violations are tempting to think of as being small-time and to let fly beneath the radar, but as time goes on, it’s becoming more and more clear that “small-time” fraud might not really exist—especially not for food delivery and similar apps. 

Stopping fraud costs money, so addressing policy abuse has to save your company more money than prevention costs. When we imagine policy violations like promo abuse on the individual level—say, someone who signs up for the same promo twice using both their work and personal email—it’s hard to imagine it as a serious problem. But that’s an assumption that benefits fraudsters. The truth is, “small-time” fraud on delivery apps is rarely actually small-time. 

Food delivery app fraud happens at scale 

If you’ve ever heard the phrase, “death by a thousand cuts,” you can probably imagine why delivery app fraud at scale is such a problem. One or two or even a dozen people abusing a promotion wouldn’t be such a big deal, but promo abuse and similar violations rarely stay restricted to just a few bad accounts. Instead, fraudsters who leverage promo abuse, policy abuse, social engineering, phishing, and more spread their attack potential out over dozens or even hundreds of different accounts. 

Let’s look at an example. Say that your food delivery app offers a new user promotion for 50% off a user’s first order. A normal user who takes this promotion two or three times across different email accounts isn’t ideal, but it isn’t the end of the world. But fraudsters aren’t normal users. A fraudster might take that same promotion and claim it across over a hundred different accounts, draining your campaign budget and severely throwing off your marketing team’s metrics. 

This same system of multi-accounting to increase the scale of an attack can apply to many types of fraud, including collusion and using location spoofing to take advantage of fair pay laws. Multi-accounting and the scale it invokes is the main reason that “small-time” fraud can’t be assumed to actually be small-time—when fraudsters find that lever, they’ll pull it as far as they can for as long as they can. 

Gig apps are facing more profit pressures as time goes on

In the past, fraud and policy abuse have often been thought of as the cost of doing business in the gig economy. As the food delivery industry faces profit challenges, however, more and more are reassessing how much these abuses are actually costing them—and how much money and resources addressing them could save. 

The food delivery industry saw a historic rise during the pandemic as demand for the service skyrocketed. After the pandemic, the gig economy looks here to stay, but diners are also cutting back from pandemic-era spending on delivery services. The Financial Times reported in May of 2024 that four of the top publicly-traded food delivery giants lost a combined 20.3 billion in operating costs since going public. 

As food delivery apps focus on turning a profit for their shareholders, addressing fraud and policy abuse at every level reemerges as an area to reclaim some significant value. 

Even one bad experience can alienate a good customer forever 

This blog post has focused mainly on systemic multi-accounting challenges like promo abuse, but it’s important to also think about the impact of other types of fraud, specifically those that target regular consumers as well as the platform itself. 

As an example, Incognia has seen some couriers use social engineering and tampered point-of-sale devices to swindle diners out of thousands of dollars. The courier would pick up a diner’s food as normal, but once the food was in hand, the courier would then cancel the order on the app. After that, they would continue the delivery as normal. When they reached the customer’s address, they would blame the cancellation on a glitch and offer the POS system as a way for the customer to pay for the food—only the POS system had been tampered with to charge the customer much more than the amount shown. 

It’s easy to imagine how having an experience like this even once would be enough to ruin a customer’s trust in an app forever. Diners look to food delivery apps for convenience, and there’s nothing convenient about suffering from a social engineering scheme. 

This is another type of delivery app fraud that can’t be “small-time” because of the cost it invokes—even if it only happens a few times, that’s a few customers that could be lost for life. 

Most users use delivery apps in a way that’s completely above-board and compliant with all policies. For the ones that don’t, however, they’re usually looking to push any exploits they find as far as they possibly can. Even if the cost per offense is low, the number of offenses and offenders can multiply exponentially once fraudsters start using emulators, app cloners, app tamperers and other tools to maximize the number of accounts they can create. 

The good news is that even though food delivery app fraud often happens at scale, fraud prevention and detection can operate at scale, too. For example, with location intelligence, it’s possible to detect when hundreds of accounts originate from a single apartment unit and block all of those accounts at once. Similarly, device intelligence and behavioral signals can be used to detect when multiple sign-ins happen from the same device and to block that device, cutting a fraudster’s multi-accounting resources off at the knees. 

As more and more food delivery apps go public, pressure is higher than ever to stay efficient and turn as high a profit as possible. Effective fraud prevention can help ensure that all of your marketing dollars go where they’re meant to—growing that revenue and cultivating a user experience that keeps diners coming back for more.