Gig Economy Edition

Incognia Frontline Report

In 2024, Incognia worked on major fraud and identity issues for some of the largest food delivery and ride sharing companies worldwide.

Through our experience collaborating with over half of the top platforms in this space, we’ve gained deep insight into their most pressing fraud issues.

That’s why our 2025 Incognia Frontline Report focuses on fraud in the gig economy.

Below, we analyze our data from 2024 to rank the most critical fraud challenges affecting this industry, illustrate leading fraud types with real examples, and break down the tactics bad actors use to carry out these scams.

Trusted by

gh freenow ifood rappi favor-1
Incognia-Wrapped-03-15Feb2025

Ranking of the leading fraud concerns in 2024

DRIVER-SIDE

Fake accounts
Account sharing
Device integrity
57% Fake accounts
19% Account sharing
11% Device integrity

CONSUMER-SIDE

Refund abuse
Promotion abuse
Device integrity
48% Refund abuse
48% Promotion abuse
7% Device integrity

Types of gig economy fraud

This report dives into the most common driver, consumer and merchant fraud from the variety of scams listed below.
Fake accounts Account sharing Device integrity Incomplete Delivery
Driver
Compensation Abuse Location Spoofing Ban Evasion Referral Abuse
Pickup validation Account takeover
Collusion
Delivery validation
Fake pickups Fake businesses
Merchant
Fake listings
Promotion abuse Refund abuse Device integrity
Consumer

Driver

Fake accounts Account sharing Device integrity Incomplete Delivery Compensation Abuse Location Spoofing Ban Evasion Referral Abuse

Driver + Merchant

Pickup validation Account takeover

Merchant

Fake pickups Fake businesses

Merchant + Consumer

Fake listings

Consumer

Promotion abuse Refund abuse Device integrity

Consumer + Driver

Delivery validation

All

Collusion

Fraud tactics

venn

Driver Fraud

Fake accounts

57% of driver fraud

Fake accounts are created with false or misleading information to deceive a platform for financial gain, manipulation, or other illicit purpose, including evading a previous account ban or bypassing identity verification checks. In the gig economy, fake driver accounts may be used by people who don’t have a work authorization, have a poor driving record, or have been previously banned. This practice can damage trust between a platform, legal drivers and customers and hurt the platform’s reputation. 

Frontline Story

On a food delivery platform, a fraudster leveraged a number of fake driver accounts to repeatedly scam consumers using a tampered portable Point-of-Sale machine. Through evading account bans, they were able to use a single device to scam users out of US$2,668 in just under a month. When one fraudulent account was banned, they would simply switch to a new account and keep going. The platform didn’t have the ability to identify that all the accounts being used to commit fraud were created and accessed by the same device.

Closely related to fake accounts is the issue of multi-accounting, or the creation and use of multiple accounts on the same platform to commit fraud. Multi-accounting becomes more complex when the technique is used simultaneously on both the delivery and consumer sides of a platform by the same bad actor or group of bad actors. With access to many accounts on both sides of a gig app, they can both request services and 'fulfill' them in order to cash out stolen credit cards. When the cardholder sees the unauthorized charge the account has already been abandoned and the platform is left to deal with the chargeback.

Fraudster Intel

In this post we found on a popular fraud forum, a fraudster explains how they exploit a well-known ride-sharing platform by accepting their own ride requests to cash out funds from a stolen credit card.

fraud-forum2

Account sharing

19% of driver fraud

For some types of platforms, multiple users sharing an account might be no big deal. But for gig economy platforms, unauthorized account sharing can undermine identity verification checks and introduce serious trust & safety risks.

Take the ride sharing industry as an example: If a verified driver starts sharing their account with someone else, the platform loses all oversight—the new driver’s driving history, criminal record, and work authorization status are all unknown. Unauthorized account sharing increases a platform’s liability and threatens to damage consumer trust. 

Frontline Story

In 2024, eighteen people were arrested for an account renting scheme on popular gig economy apps in the United States. The fraudsters used over 2,000 stolen identities from the dark web and other sources to create accounts which they then rented out to people who otherwise could not have passed verification. 

The mastermind behind the scheme is alleged to have made almost US$800,000 defrauding food delivery and ride sharing apps over a period of about two years.

One technique for preventing account sharing is to use methods like selfie verification at the start of shifts or randomly throughout the app experience to verify that the account holder is the one accessing the account. But bad actors are able to use app tampering tools to bypass the on-device camera and inject a selfie from their device’s stored photos instead, making this method easy to spoof. The image below shows what this method looks like using a popular fraud tool named App Cloner.

fake-camera

Tamper-proof device data and precise location data, on the other hand, can be highly effective signals for catching unauthorized account sharing, because they enable a platform to assess:

  1. whether the driver is accessing the app from their usual device, and

  2. whether the driver is accessing the app from near a Trusted Location, like their home or work.

Used together, these signals can help platforms more accurately detect when an account is being shared or rented. The same tools can also be used to identify account takeover fraud, which can be a serious issue for the courier and merchant sides of delivery platforms.

Incomplete delivery & compensation abuse

Bad actors also find ways to systematically abuse the good-faith compensation policies of these platforms. 

For example, in the food and grocery delivery space, a fraudster might falsely claim that the restaurant was closed or that the items requested were sold out in order to earn their wages without completing the job. In that case, the platform might unknowingly pay the driver a portion of the fee to compensate for their time according to policy, despite the fact that the driver didn’t actually make a fair attempt to complete the order. Fraudsters use trial-and-error to learn how often they can claim this type of compensation without being penalized, and then begin systematically exploiting it. 

Location spoofing (more on this in the next section) is one of the most common ways to take advantage of this kind of policy. GPS spoofing apps are low tech and enable the fraudster to fake traveling an order route without ever leaving their house. 

Frontline Story

In fact, Incognia has found that order cancellation and incomplete delivery rates can be 2x higher when drivers use location spoofing at order delivery.

These sorts of driver-side abuses can increase a platform’s cost per delivery, which negatively impacts its margins. In Incognia’s work with leading food delivery platform Grubhub, initial testing showed reduced care costs and increased order profitability.

incomplete_delivery_fraud_image

Location spoofing

Location spoofing occurs when someone uses a GPS spoofing app, developer mode, or other software tool to fake their location data. In the gig economy, it’s commonly used by dishonest couriers and drivers to extend routes, claim rides in higher-paying areas, abuse compensation policies, and more.

Location spoofing is a major area of concern in the gig economy–many gig apps rely on location to function properly, creating opportunities for location-based fraud. The presence of location spoofing is a key risk indicator because it signals that the user is trying to hide something.

Frontline Story

On a U.S.-based delivery platform, we detected a device with valid location signals in Central Asia spoofing their location to appear in New York and California. There's no valid reason for this behavior—it's a red flag for fraud.

Layer_1

Unlike solutions that detect location spoofing solely by checking if a spoofing app is installed on a device, Incognia detects spoofing attempts by leveraging multiple signals, including GPS, IP address, WiFi, Bluetooth, and cellular data, to create location environments used to fact-check a device's location data.

Fraud tactics

ven2n

Consumer Fraud

Promotion abuse

48% of consumer fraud

Promotion abuse (also known as coupon, referral or voucher abuse) occurs when a fraudster uses multiple accounts to exploit promotions, like repeatedly claiming a new user discount. This method of abuse can drain marketing campaign budgets, increase user acquisition costs, and distort growth metrics.

Frontline Story

On one platform, a fraudster was able to access 400 different accounts with a single device and consume over US$2,000 worth of promotions in just 30 days. If gone undiscovered, that one case could have represented US$24,000 per year in promotion abuse losses. And with fraudsters sharing knowledge freely on online forums, these fraud losses could have easily multiplied to six figures if the method wasn't discovered and prevented. 

Frontline Story

Promo abuse also hurts new user acquisition. On one ride sharing service, 65% of the referral discounts were going to high-risk devices. This was so concerning that the marketing team was forced to end the campaign in one large region. Over US$43,000 of allocated new user acquisition budget couldn’t be spent given such a high voucher abuse rate.

Launching promotional campaigns without the right protections in place is a risky business. In another case, the fraud prevention team at a food delivery platform advised their marketing team not to run a particular promo campaign that was vulnerable to abuse. Unfortunately, the campaign went ahead. They later estimated that 90% of the campaign budget was lost to fraudsters.

Refund abuse

48% of consumer fraud

Refund abuse, sometimes referred to as chargeback abuse, happens when a customer commits fraud by asking for a refund for a product or service they actually received. 

Systematic refund abuse can quickly add up to significant losses for a gig platform. In 2024, two French men were arrested for allegedly defrauding a food delivery app of over 2 million euros between 2022 and 2024. The fraudsters created a Telegram channel called Fast Eats where they took food orders from customers and fulfilled them through the food delivery platform. They then used refund abuse tactics to get their money back from the platform, turning refund abuse into a scalable business.

Frontline Story

In one instance, Incognia detected that a fraudster using a single Samsung device accessed over 200 accounts, making $5,014 in transactions and reclaiming $4,163 of it through fraudulent refunds—an 83% success rate. If the ordered items were resold, the potential return on investment would be significant. In effect, $5,014 worth of inventory was obtained for just $851.

Fraud tactics

ve3nn

Merchant Fraud

Account takeover

On the merchant side of the gig economy (in the case of food delivery, that would be the restaurants), account takeover is one of the biggest fraud threats. Because merchants are making and holding significant balances in their delivery platform accounts, these accounts become account takeover targets. 

In one case, a restaurant lost US$60,000 in just three months after falling for a phishing email and compromising their account credentials. 

It's easy to imagine how this event could be devastating for an independent business, which is in turn bad for platforms who rely on these merchants to populate their app with options. Account takeovers not only increase the risk of merchants churning to competitor platforms but also drive up costs for the platform through chargebacks and payment processor penalties.

Incognia tackles the problem of account takeover attempts using a combination of tamper detection, device fingerprinting, and location intelligence. For example, if someone in Los Angeles tries to access an account that normally operates in New York, that's a high risk indication of an account takeover attempt. Likewise, our tamper detection layer identifies the presence of fraudster tools sometimes used to bypass 2FA and other authentication checks. Finally, Incognia's device fingerprinting layer can persistently recognize users linked to fraud despite device changes or factory resets. Using these signals in combination, Incognia can return a risk assessment indicating that a given login attempt is actually an ATO attempt.

Fraud tools

The presence of device or app tampering activity is a common indicator of fraud risk. Bad actors on both the driver and consumer sides leverage tampering techniques to either get away with or scale all of the fraud use cases we explore in this report. For this reason, the first layer of Incognia’s identity signal checks the security of the data coming from the device being assessed for risk.

In our analysis, we looked at how frequently different types of device integrity issues were detected in 2024. Here’s what we found:

FraudToolsTable02

As the data shows, 5% of devices determined to be risky by Incognia have at least one integrity issue present. In addition, high risk devices are 5x more likely to have a device integrity issue compared to the overall device population. The ability to detect these signals is critical to fraud prevention.

Examples

Rooting

Rooting a device (known as “jailbreaking” on iOS) means removing the software limitations placed on the device by the manufacturer. Rooting can allow users to access unofficial app stores, bypass built-in security features, and gain higher admin privileges. Because of its open source nature, Android OS is commonly considered to be less restrictive than iOS. While not all rooting is done with malicious intent, these modifications increase the likelihood that the device will be used for fraud. 

Emulators

Emulators are computer programs that mimic mobile devices in a desktop environment. This tool gives someone the ability to evade bans by creating many “new” digital devices. A fraud operation can scale exponentially when bad actors start running multiple emulated devices on multiple actual devices at once.

GPS spoofing

This technology was originally designed to help developers test their software in different markets simultaneously. However, apart from that use case there are few legitimate reasons why users would want to spoof their GPS location. This is especially true in the gig economy space where many apps are location-based. For example, using a GPS spoofing tool on a ride sharing app could enable a driver to spoof their location to claim higher fares, fake pickups and dropoffs, or artificially extend their routes.

Suspicious app downloads

Apps downloaded from unofficial sources present an integrity risk because they might be modified versions of the original application, which makes it easier to violate app policies or commit fraud.

Code injection

A cyberattack that allows attackers to insert malicious code into a program. The injected code can then change how the program runs, potentially leading to identification failures, malware, or unauthorized account access. For example, virtual camera injection can be used to insert a photo from a mobile device’s stored images, instead of using the live camera during facial verification checks.

Cloned apps

A program called an “app cloner” duplicates app instances and allows many of them to run simultaneously on a single device. App cloners are popular among fraudsters because they allow them to scale; accessing different accounts on the same app is much easier when all the bad actor need to do is switch between app windows.

Fraud-as-a-Service

Many FaaS products are app tampering tools, like image injectors and app cloners. The wide availability of these tools means that a fraudster doesn’t need to be tech savvy—they can simply purchase the tools they need rather than building it themselves.

Fraud trends to watch for in 2025

Refund and promotion abuse

Abusive refund claims cost retailers US$103 billion in 2024—that’s over US$282 million lost per day. According to Merchant Risk Council, 48% of merchants experienced refund abuse in 2024, and 34% experienced promo abuse.

Refund and promotion abuse

Refund and promo abuse can be difficult fraud problems to address because the fraudulent behavior mimics the behavior of normal users. According to The Paypers, refund fraud and promo abuse were among the most challenging fraud types for businesses in 2024, and we’re likely to see that trend continue into 2025.

background image

Deepfakes

The usage of deepfake technology is growing as generative AI lowers the barrier to entry. Fraudsters can use deepfakes and other tools to bypass liveness detection, fool facial recognition solutions, and even facilitate account takeovers.

Deepfakes

Using this technology, bad actors can create fake videos or images of another person, and then use them to pass facial verification on many platforms. When the app asks for a verification video, they can use a tampering tool to inject the deepfake that’s stored on the phone and pass successfully.

Incognia prevents deepfake attempts by identifying hidden root packages that indicate deepfake programs and flagging these devices as high risk.
background image

Remote access tools (RATs)

Remote access tools (RATs) are software tools that can be used to remotely access and control a user's device. When users are tricked into granting full screen access to unsafe apps, the bad actors behind them can install RATs and execute account takeovers.

Remote access tools (RATs)

RATs are particularly dangerous because they can be used without the device owner’s knowledge. This is another area where Incognia’s tamper detection layer provides critical protection. We identify any installed RATs and monitor their active status during app usage (as some remote access tools are legitimate, such as TeamViewer).

background image

Fraudster collaboration and knowledge sharing

Fraudsters are finding ways to connect and exchange knowledge without being identified by using anonymous forums and messaging platforms like Telegram and Discord.

Fraudster collaboration and knowledge sharing

On these platforms, bad actors share a wide variety of knowledge, ranging from how-to guides for targeting specific platforms to creating free, in-depth guides for circumventing particular fraud prevention solutions. In one instance, we saw a fraudster post a 2,000-word free guide to help beginners start doing refund abuse on a major marketplace. 

To combat the advantage fraudsters gain by sharing tactics, Incognia created the Platform Integrity Network (PIN), an exclusive community where fraud & risk leaders at gig economy platforms exchange insights, benchmark strategies, and network with peers.

background image

Fraud-as-a-Service

There’s a big market for the tools, intel, and methods that enable fraud, and bad actors know it. The Fraud-as-a-Service (FaaS) market profits off fraud trends by selling the tools fraudsters need to power them.

Fraud-as-a-Service

Deepfake videos of models performing common verification poses (like turning the head) are one example of a product a FaaS vendor might offer. There are also FaaS software vendors, like the ones that develop app cloners.

Even fraud itself can be the product. In Buy-4-You (B4U) schemes, a fraudster will commit systematic refund or promo abuse on a delivery app so that they can resell the delivery app’s services to their own customers at a steep discount. 

Incognia's layered device, tampering, and location signals, along with continued innovation, allow us to stay ahead of FaaS scams.

background image

Fraudster Intel

In a Buy-4-You (B4U) scheme on a food delivery platform, a fraudster uses fraudulent methods to get deeply discounted or free orders so that they can resell them at a profit to their own customers.

The first image below shows the search results for “B4U services” on a fraud forum. The second image shows an example of what you would find if you clicked on one of these links: the instructions for how to place an order through the FaaS service.

unnamed (1) 1 B4U food delivery ad_edit 1
background column

Incognia’s innovations

The fraud landscape is constantly evolving, and so are we. In 2024, we released over 30 new detections to keep our customers on the cutting edge of fraud prevention. Here are a few that stand out:

Environment Linked to Fraud

It’s important to stop fraudsters from coming back to a platform again and again under new accounts, but recognizing returning bad actors has been a challenge for many gig platforms. That’s because fraudsters use app tampering, device resets, device changes, and other tactics to avoid being re-identified.

That’s why Incognia has developed tools like our Environment Linked to Fraud (ELF) detection, which flags devices as risky when they become associated with indoor locations previously linked to confirmed fraud. That way, if a fraudster switches devices, resets their device, or uses an app tampering tool to rejoin the platform, the platform can still be notified of the user's previous suspicious activity.

Tools like ELF give stakeholders more insight into the connections between accounts and devices and when further verification might be needed.

Integrity Checks

Device integrity issues are a key indicator of gig economy fraud. In 2024, we implemented many improvements to the device integrity checks that are part of every Incognia risk assessment. Some of these include:

  • 52x improvement in an already minuscule false positive rate
  • Improved detection for advanced app security issues like the presence of cloners and virtualizers
  • Increased flexibility in detecting GPS spoofing
  • Detection of privacy and obfuscation tools on web browsers

Transaction Velocity

When fraudsters steal a credit card number, they have to ensure that it works. This is where “card testing” or “cycling” comes into play. Bad actors can write a script to charge each stolen card in their collection a small amount—not enough to alert the cardholder, but enough to confirm that the card works.

Gig apps like ride sharing platforms often place pre-authorizations on cards to ensure users have enough funds to cover the cost of a ride, so they can sometimes be used by fraudsters as card testing resources. This leaves the app vulnerable to chargebacks and payment processing fees.
To combat payment fraud precursors like card testing, Incognia has developed Transaction Velocity Detection (TVD), which connects transaction activity to a device ID in order to identify suspicious patterns.

Incognia’s TVD works by measuring the number of transaction attempts from a single device (and the number of accounts associated with those attempts) in real-time. If the number of transactions exceeds a predetermined threshold, Incognia’s API returns a high risk assessment.

Our results

Chargeback detection model

Chargeback abuse and other types of first-party fraud can be hard to predict, but Incognia has seen results with our Chargeback Detection machine learning model. Incognia research studies have shown that the model can reduce chargebacks by as much as 30.84% in a single month.

Rectangle 71

Fraud prevention wins by the numbers 

Fraud in the gig economy is constantly shifting, with bad actors adapting their tactics as platforms implement new defenses.This past year, we saw fraudsters scale their operations through fake accounts, unauthorized account sharing, refund abuse, and promo exploitation—all while leveraging tools like location spoofing, app tampering, and Fraud-as-a-Service products to maximize their profits.

And we developed new detections to help our clients in the gig economy deal with these present and emergent threats.

We’ve seen big results in gig economy apps, including a 64% reduction in suspicious account accesses. 

10x

return on account-related driver fraud

12x

return on consumer-side promo abuse

7x+

overall return on investment across fraud and identity use cases 

Fraudsters will continue to evolve, but so will Incognia. In 2025, we remain focused on delivering cutting-edge fraud prevention solutions that protect platforms, reduce fraud, and improve trust across the gig economy.

Schedule a Free Demo

One of our specialists will be glad to meet you and go over Incognia's capabilities.

To help us personalize our conversation for your business, please fill out the following form.