It’s hard to think of something more physical and tangible than the food you put in your mouth. You hold it, smell it, taste it, and it gives your body energy. However, the convenience that quick-service restaurants (QSRs) bring to this process adds a digital aspect, leading to digital fraud.
Physical Food, Digital Money
In the early days of digital commerce, fraud in the food and beverage industry was minimal, mostly the result of amateur fraudsters with an attack of the munchies. As online fraud became more sophisticated, card testing became common, causing a new headache for fraud teams. Cheating good customers who are looking for deals has also become a challenge.
One aspect of QSR fraud that doesn’t get enough attention is how fraudsters now target accounts with money stored. This has become a popular feature for many food-related apps; customers who load money into their account are often eligible for more loyalty advantages and also benefit from the sheer convenience of instant, easy ordering.
From the fraudster’s perspective, an account with money in it is an account with free money for the taking. There are two main ways they leverage these QSR wallets:
- Create multiple accounts, and then add funds using stolen payment methods. The accounts can then be sold at a “discount” to unsuspecting real customers.
- Account takeover (ATO). Fraudsters love to take over accounts with money and then use it or change the password and sell the account at a “discount.” As well as potentially costly for the business, this can also be terrible in terms of reputation and customer experience, as this cautionary tale shows.
The accounts are usually sold on social media, particularly in groups specializing in lean living, discounts, coupons, etc. There is often a story attached as to why the person can’t use the account themselves anymore and, therefore, is selling it to get most of the money back; they may claim to be moving to a different state or country, etc.
Fraudsters Are Greedy for QSR Wallets
You might think that there would be a limited market for this kind of fraud in this industry, and therefore, fraud of this type would be restricted as well. Unfortunately, that’s not the case. QSR fraud attacks have increased 45% in the last year or so.
Moreover, accounts with funds loaded up are a significant part of the attack landscape regarding QSRs. In fact, accounts with funds are 6.5x more likely to be targeted.
A couple of reasons stand out to me for why this fraud has become so prevalent. First, it effectively turns physical goods with a relatively short shelf life and often relatively low dollar value into digital goods that are easy to move around, have no upper-value limit, and barely need monetization. Second, even though this kind of fraud is usually a one-person show, it can be scaled up by effectively becoming the basis for a “business.”
Fast Food, Fake Business
In the last year or two, it’s become much more common to see fraudsters setting up social media pages or messaging groups with “businesses” offering simple and attractive services. They take orders for either QSRs or groceries via simple chat messages and get the goods delivered to the customers at discounted prices. The excuse is usually that buying in bulk means they can get more discounts.
If that sounds too good to be true, indeed it is. What really happens is that the fraudster uses the ATO’d account or one of the accounts they’ve set up and funded with stolen payment methods. (If it’s the latter, they might be using an aged account.) They can offer discounts for the goods, because they’re not paying any of the price.
It’s a fresh take on triangulation when fraudsters set up a business/website/marketplace seller account and use it to take orders, which they fill using stolen payment methods on legitimate retailers’ sites. It’s also a great way for fraudsters to scale up their crimes.
If it Works, the Fraud Keeps Coming
QSR fraud can be lucrative for fraudsters, which means that when they’ve found something that works, they keep coming back. Over 85% of fraudsters trying these tricks on QSR sites and apps are “returning fraudsters” — fraudsters who’ve been there before and are trying again.
It’s a daunting statistic. But it also offers an opportunity. The better your fraud team can get at accurately identifying fraudsters who are returning, even if they’re using a different name, IP address, device appearance etc., the more easily you’ll be able to block these food-focused fraudsters.
