If you work in trust and safety for a quick-service restaurant (QSR), you’ve likely noticed the dramatic uptick in identity-based fraud attempts. Why the increase? Because most online food and beverage companies have gotten good at blocking fraudsters at checkout, forcing fraudsters to pivot to the earlier stages in the customer journey. Many set their sights on customer accounts, where they see the potential for great profit.
Identity-Based Fraud Trends in the QSR Industry
QSRs have seen a dramatic increase in attempts by fraudsters to take over customer accounts, referred to as account takeover (ATO) fraud. They’ve also seen a rapid rise in fake accounts created on their online ordering platforms.
Account Takeover (ATO)
Within the food and beverage industry, ATO attempts have become more frequent:
- ATO attempts as a portion of fraud increased 79% YoY from 2021-2022.
- ATO-driven fraud pressure remained steady at about 4-5%, but new bursts of ATO attempts led to a 3X jump in normal fraud levels in Q2FY22.
Another interesting trend is fraudsters increasing their use of bots for ATO.
In Q1FY22, 7% of ATO attempts involved bots and scripts. However, by the end of Q2 2022, fraudsters’ use of bots increased to almost 11% (a more than 50% increase!)
Bad actors use bots in two main ways. First, fraudsters use them to quickly test stolen credit card numbers (more about this later). Second, policy abusers use bots to buy up limited stock, hoarding the items from drop sales.
Fake Account Creation
Fake accounts can happen in two ways:
- A fraudster uses a fake name and credentials, posing as a legitimate customer, to create a new account. Most fraudsters create many counterfeit identities to create new fake accounts.
- An existing user already in a retailer’s customer base creates additional accounts.
Our data shows that attempts to create multiple accounts on QSR industry online platforms increased by 37.5% YoY from 2021-2022. But the number of bad actors engaging in multiple account creation attempts only increased by 30% YoY. This tells us that more people may be trying to create more accounts on average than in the previous year.
What do fraudsters do with these accounts?
A fraudster can do many things once they’ve created or taken over an account. In the QSR industry, fraudsters will use accounts for things like:
Card Testing
Many bad actors take over accounts or create fake accounts for card testing. Card testing is where a bad actor makes small purchases to see if stolen credit card numbers work. They often use bots and scripts to test cards faster. Fraudsters usually target retailers for card testing. But many have expanded card testing attacks to other industries like food and beverage.
Coupon Abuse
One way QSRs can attract and retain customers is by offering coupons and promo codes. However, policy abusers often exploit these discount offers for financial gain. Some of the ways they abuse coupons and promotions include:
- Stacking them to get items for free or at a considerable discount.
- Reusing single-use coupons or promo codes.
- Opening a fake account so that they can take advantage of a “refer a friend” discount.
Forter’s data shows that in the QSR industry, coupon use has increased by 28.4% YoY from 2021-2022, and coupon abuse attempts have increased by 63% YoY.
Loyalty Program Account Theft
Another way QSRs can attract and retain customers is by providing a beneficial loyalty program. Most QSR loyalty programs include digital points or loyalty rewards with the same value as cash. Fraudsters use bots and scripts to access and take over loyalty program digital accounts. Most fraudsters will cash out the balances or sell the points through a dark web marketplace. Our primary research has found that accounts with loaded funds — like loyalty points or prepaid top-ups — are 6-7X more likely to attract fraud.
The Impact of Identity-Based Fraud on QSRs
Do you know how identity-based fraud impacts your business? To figure that out, you need to understand the associated costs, which go beyond the fraud or abuse losses:
- Cost of Abuse: Consider the cost of abuse. If you offer a free drink or meal discount for creating a new account, you can quickly figure out how much money you’ll lose for every new fake account.
- Cost of Friction: Many QSRs rely heavily on multi-factor authentication (MFA) to prevent bad actors from accessing existing customer accounts. However, a blanket approach leads to higher cart abandonment and drop-off rates. You should think about how friction impacts your customers.
- Cost of Fraud: Fraudsters target customer accounts because they store things of value, like loyalty rewards, digital points, and gift card balances. Consider the monetary value of these items and the total cost if fraudsters successfully take over many accounts through multiple ATO attacks.
- Operational Cost: How many people do you need to manage fraud and abuse effectively? Do you still use a rules-based fraud prevention system that requires many manual reviews? You should look at the number of people involved in trust and safety and how you could free them up so they could work on solving other critical business problems.
- Trust and Churn: What happens if your online ordering platform gets hacked? A data breach will hurt your business in many ways. It damages your company’s reputation, causes some customers to switch to a competitor, and hurts your bottom line.
- Regulatory Fines: Consider how much you stand to lose if your company has a severe data breach. You could face hefty fines from regulatory agencies like the SEC or FTC.
How You Can Fight Identity-Based Fraud Effectively in Real Time
Time is of the essence when it comes to completing and delivering QSR online orders. Consumers expect QSRs to deliver their meal orders within a reasonable time, typically within 30-90 minutes. That short timeframe means you need to assess the identity behind each transaction and potential riskiness incredibly fast. Any delays and you risk having to face the wrath of hungry customers.
By partnering with Forter, you get our Trust Platform, which includes our Identity Protection solution, helping to:
- Stop Account Takeovers: Forter Identity Protection detects ATO attempts in real-time at sign-in and other critical points before a transaction is initiated – including account profile modifications, loyalty point withdrawals, and transfers.
- Block Fake Account Creation: Our solution understands the “who” behind a transaction and helps keep your platform secure by ensuring bad actors are blocked and legitimate customers honor your account creation limits.
Interested in taking the next step in preventing ATO fraud and the creation of fake accounts? Calculate your ROI today and see the revenue you’re leaving on the table.
