A decade ago, it would’ve been hard to imagine the extensive delivery infrastructure consumers enjoy today. Now, it’s hard to imagine life without it.
During the lockdowns and quarantines of 2020, food delivery apps became a major lifeline for small restaurants and chains alike, with many deciding that if their customers couldn’t come to them, they would come to the customers. Users spent an astounding $26 billion on food delivery in 2020, and that number is only expected to grow in the coming years.
Courier and package delivery companies have enjoyed similar success, thanks in no small part to the steady rise of eCommerce over the last few years. Shipping giant UPS generated over $84 billion in revenue in 2020 alone.
With such a substantial market available, it’s no surprise that people with less than stellar intentions would find their way to food delivery and courier services. By knowing about the most common types of delivery and courier fraud, merchants and consumers alike can protect themselves from fraudsters.
Fraudsters are always on the lookout for new ways to take a bite out of the food delivery industry. Here are just a few ways bad actors can commit food delivery fraud.
In account takeover fraud or ATO fraud, a fraudster gains access to a user’s account on a restaurant website or food delivery app. From this point, the fraudster can either order food for themselves and charge the victim’s credit card, or they can charge other interested parties a small fee to use the compromised account to the same end.
In the worst case scenario, an innocent user can find themselves out hundreds of dollars or more in fraudulent food charges, or they may file a chargeback through their bank, passing those losses onto food delivery apps and restaurant owners.
App users can protect themselves from ATO fraud by enabling multi-factor authentication (MFA), using strong, unique passwords, and avoiding saving credit card information to their delivery apps. Restaurant owners can protect themselves and their customers by being on the lookout for unusually large orders, orders for expensive goods, and unusual buying behavior from regular customers.
Also known as chargeback fraud, friendly fraud happens when a customer places an order using their own account and then, after receiving their food, requests a refund or files a chargeback. In some cases, a customer may have a legitimate reason to request a refund through their delivery app, such as extremely long wait times, incorrect order fulfillment, or poor quality experience. In other cases, patrons just want to eat for free, and take advantage of restaurants and apps to do it.
The consequences of friendly fraud can be anything but–one restaurant in Los Angeles was even forced to close its doors forever after fighting against numerous fraudulent chargeback disputes. Whether it’s the restaurant itself or a third-party delivery app that foots the bill, friendly fraud losses can have serious consequences.
To prevent chargeback abuse, restaurant owners should ensure that they partner with delivery apps who have a policy of reviewing available information before automatically granting refund requests. Some delivery apps, such as UberEats, will prevent accounts with excessive refund requests from making similar requests in the future. In addition, merchants should practice good record-keeping in the event that they need to present a card issuer with evidence that a transaction was legitimate.
CNP or card-not-present fraud occurs on platforms wherein a physical card isn’t necessary to complete the transaction, such as on a food delivery app, a website, or over the phone. Credit card numbers and other information can be exposed during data breaches, where they’re posted or sold for hackers and other bad actors to get their hands on. Fraudsters can use a stolen credit number to place food orders for themselves or to loan out to the highest bidder.
As with ATO fraud, this method of food delivery fraud can result in losses for cardholders or for the restaurants and apps when victims dispute the charges with their bank. Consumers should watch out for any unusual or unauthorized activity on their cards and call their issuing bank immediately if they notice anything suspicious. Likewise, merchants and apps have a responsibility to be on the lookout for suspicious activity and to follow fraud prevention best practices.
Much of the common food delivery scams happen between patrons and providers, but fraud can also occur between employee and employer. Delivery drivers with limited technical skills can use location spoofing to defraud the apps who pay them for deliveries. In one example, a delivery driver may use location-spoofing to scope out higher-traffic, higher-paying areas for jobs.
Though the delivery driver might get paid more for making these trips, this practice decreases the user experience. After all, few people care to wait over an hour for their food delivery as their driver travels from another area to pick up a little extra pay.
In another example of delivery driver fraud, a driver can use location spoofing to make it appear as though they’ve picked up a customer’s order and arrived at their house–only to then claim that the customer never showed up to take the food. The delivery apps will typically compensate the driver for their time and refund the affected customer, all while the delivery driver never completed the order to begin with. This type of fraud results in poor user experience, wasted food, and significant losses for the delivery app.
Delivery apps can safeguard themselves from location spoofing by using spoofing-resistant location intelligence, device intelligence including emulator detection, and location blacklists that can prevent fraud farms from gaining a foothold on the platform.
On the non-food end of the delivery service spectrum, consumers and merchants can be vulnerable to courier fraud.
As with food delivery services, merchants can also face chargeback abuse when shipping their goods out to customers. In the delivery-specific version of friendly fraud, a customer will simply claim that the shipping company never delivered the product and request a refund while keeping the product for themselves. In this scenario, merchants lose out on shipping fees, merchandise, and revenue.
Fraudsters can also take advantage of everyday people by sending an SMS message or email claiming to need information for an important delivery. While the victim believes the message came from a legitimate shipping company, this is actually a phishing or smishing scam designed to social engineer people out of sensitive information like residential addresses, email addresses, phone numbers, full names, and even financial information.
The fraudster then sells or uses this personal information to further scam their victims out of money and other assets. In the worst cases, this type of fraud could lead to identity theft.
In another version of this delivery fraud, a fake delivery notice may urge the recipient to download an attachment or click a link, at which point the fraudster can infect the computer with malware.
People worried that they may miss a real delivery should navigate directly to their shipping company’s official website to check their notifications or tracking code and update their delivery preferences.
Informed delivery fraud happens when someone enters another person’s address into the USPS “Informed Delivery” service with their own contact information. Using this service, fraudsters can essentially spy on a given person’s incoming mail. They can use this information to steal incoming packages, time phishing messages more accurately, or even open a credit card account in the victim’s name and steal the new card when it arrives in the mail.
Residents can keep themselves safe from this type of fraud by creating their own Informed Delivery account–essentially taking the option away from a fraudster. People who suspect that a fraudster is monitoring their mail should reach out to USPS for help.
There are a few fraud prevention best practices that can protect merchants and consumers alike from scams.
Users should enable two- or multi-factor authentication on their food delivery and financial accounts for an extra layer of protection. Additionally, people should be wary of any unexpected email or text message, even if it appears to be from a legitimate source. For example, in the case of the fake delivery notification scam, it would be wise to call the post office or shipping company named directly to verify the information.
It can also be helpful to report any incidents of fraud to the bank, app, or shipping company involved. Using the phishing/smishing scams as an example, if a certain shipping company knows that their customers are being targeted, they can send out official communications warning people of the scam. Delivery apps may be able to red-flag or ban certain driver accounts if they receive reports of wrongdoing.
Merchants can be on the lookout for unusual buying activity, large orders, or orders with many expensive menu items. In addition, merchants can protect themselves from chargeback abuse by keeping thorough records and working with delivery apps that take friendly fraud seriously.
Lastly, delivery apps can protect themselves and their customers by using spoof-resistant location technology to reliably verify the location of their drivers.
The food delivery and shipping economies have undoubtedly made life easier, but that ease doesn’t have to come at the expense of safe transacting. Following best practices and investing in spoof-resistant location identity solutions is one of the best ways to keep merchants and clients safe.