Following the outbreak of COVID-19 in the early months of 2020, the world has gone through one of the most dramatic shake-ups in recent memory. Global panic, government-enforced lockdowns, combined with social distancing practices, have resulted in drastic changes to the global economy and customer and business behaviors worldwide.

With “non-essential” businesses shut down and customers migrating in greater numbers to digital services, consumer behaviors have a massive impact on e-commerce. One of the industries that has experienced significant shifts in consumer behaviors and market dynamics is online orders from Quick Service Restaurants (QSRs), which increased by 134%.

Recent Trends

Recent months have seen the following trends:

  • A significant increase in new customer accounts. Before the outbreak, only 5%-7% of transactions were done by new users. Now, almost a year into the crisis, this figure has increased to 15%-20%, indicating that consumers in different age groups and demographics have adopted new online services and have changed their consumption habits.
  • An increase in average order value. A 22% increase in the average value of each transaction was seen throughout this period. In other words, not only did more people order online, they also spent more money per order.

With Increased Volumes Come New Kinds of Fraud

As transaction volumes increased, and with low threat awareness and poor fraud prevention systems in the online food and beverage industry, fraud has become increasingly frequent and fraudsters have grown more sophisticated. A variety of attack techniques have become more common in this space:

  • Account Takeover (ATO): Account-based attacks have become more common, and fraudsters use a variety of manual and automated techniques to hack into customer accounts. The most common technique is buying stolen credentials that have leaked to the dark web, or harvesting credentials directly from the victims.
  • Delivery Fraud: Cyber criminals commonly attempt to fraudulently receive free food by buying stolen promotion codes or system exploits for QSRs or online grocery services. Surprisingly, the demand for these “products” is quite high.
  • Loyalty Program Fraud: Loyalty programs remain a favorite target for fraud. Fraudsters use various techniques to defraud loyalty programs, including new account fraud and ATO attacks. Later, the fraudsters leverage the loyalty accounts to steal points and resell them or gain rewards against program policies.
  • Gift Card Fraud: One of fraudsters’ favorite monetization techniques is buying prepaid gift cards for QSRs and grocery delivery services. Prepaid cards are usually untraceable and it is nearly impossible to know who is in possession of the card at any given time. This makes illegal trade on the dark web or in hidden Telegram channels much easier.
  • Automated Card-Testing: Similar to other automated attacks, a malicious script is activated to automatically test stolen cards in checkout pages, usually charging very small sums ($1-$2). Afterwards, the script labels the cards that are still active, allowing the fraudsters to use the cards for high-value follow-up fraud.
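The card-testing pattern in the last bullet (many low-value charges across many cards) can be caught with a simple velocity rule. The sketch below is an added example, not Forter's method or code from the original article; the client ids, card fingerprints, 10-minute window and 4-card threshold are assumptions, and the events are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed sliding window
MAX_TEST_AMOUNT = 2.00           # the article cites $1-$2 test charges
MIN_DISTINCT_CARDS = 4           # assumed threshold; tune on real traffic

def t(hhmm):
    """Build a timestamp on a constructed sample day."""
    return datetime.strptime("2021-01-15 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed checkout events: (time, client id, card fingerprint, amount USD, approved)
EVENTS = [
    (t("12:00"), "client-A", "card-01", 1.00, False),
    (t("12:01"), "client-A", "card-02", 1.00, True),
    (t("12:01"), "client-B", "card-90", 23.40, True),   # ordinary order
    (t("12:02"), "client-A", "card-03", 1.50, False),
    (t("12:03"), "client-A", "card-04", 2.00, True),
    (t("12:05"), "client-B", "card-90", 1.80, True),    # small add-on, same card
    (t("13:00"), "client-C", "card-50", 1.00, True),    # cards spread over hours
    (t("14:00"), "client-C", "card-51", 1.00, False),
    (t("15:00"), "client-C", "card-52", 1.00, True),
    (t("16:00"), "client-C", "card-53", 1.00, True),
]

def detect_card_testing(events, window=WINDOW, max_amount=MAX_TEST_AMOUNT,
                        min_cards=MIN_DISTINCT_CARDS):
    """Flag clients that try many distinct cards on small charges within one window.

    Returns {client: {"cards": [...], "approved": [...]}}; approved charges are
    the ones to void and report to the issuer.
    """
    recent = defaultdict(deque)   # client -> (time, card, approved) inside window
    flagged = {}
    for ts, client, card, amount, approved in sorted(events, key=lambda e: e[0]):
        if amount > max_amount:
            continue              # only low-value attempts count as probes
        q = recent[client]
        q.append((ts, card, approved))
        while ts - q[0][0] > window:
            q.popleft()           # drop attempts older than the window
        if len({c for _, c, _ in q}) >= min_cards:
            hit = flagged.setdefault(client, {"cards": set(), "approved": set()})
            hit["cards"].update(c for _, c, _ in q)
            hit["approved"].update(c for _, c, ok in q if ok)
    return {k: {n: sorted(v) for n, v in hit.items()} for k, hit in flagged.items()}

if __name__ == "__main__":
    print(detect_card_testing(EVENTS))
```

With the default window only client-A is flagged; client-C's slower pace is caught only when the window is widened, which is why short-window velocity rules are usually paired with longer-horizon counters.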

The following are examples of QSR-specific fraud MOs and tools sold in dark web marketplaces and underground forums:

Subway Loyalty Account

Subway loyalty accounts (w/ 500 points+) for sale in a dark web marketplace.

Domino's Promo Code

Stolen Domino’s Pizza promo codes for sale in a dark web marketplace. Source: Daniel Shkedi/Forter.

Arby’s gift cards sold in a dark web marketplace. Source: Daniel Shkedi/Forter.

Applebee's Gift Code

An automated gift code generator and checker for Applebee’s gift cards. Source: Daniel Shkedi/Forter.

Don’t Let Fraud Take a Bite Out of Your Margins

Many QSRs are beginning to realize that online fraud poses a serious threat to their margins. These risks result in increased operational overhead and diminished revenue. This is especially true for QSRs, which have razor-thin margins. Moreover, this industry relies heavily on operational efficiency and lightning-fast processes. For instance, an online order from a QSR usually takes anywhere between 30-90 minutes. These short cycles force payment processing systems to decide in real time, without postponement and without a “second chance,” whether a transaction is legitimate or is suspicious and should be declined.

It seems that the quick technological adoption seen during COVID-19, along with the high level of uncertainty about what the future holds, will make the trends in this industry persist or even grow. As online fraud and cyber threats become more sophisticated, we can also expect the players in the food and beverage industry to adopt new fraud solutions: solutions that can provide decisions in a split second with maximum accuracy, without adding friction to the process.
