A lot has changed since the first online ordering and delivering service was launched in 1994. Now the global food delivery industry is worth over $150 billion. And this is expected to rise above $200 billion by 2027. Lockdown, demand for convenience, technology, and the convergence of the on-demand and sharing economies have boosted the food delivery ecosystem. But this rise in traffic has made it a tasty target for online fraudsters.

Almost 60% of food delivery merchants say that account takeover is one of their top fraud risks. And around 70% have seen an increase in attacks in the past year. Unfortunately, this surge isn’t too surprising. At the start of the pandemic darknet mentions of major food delivery apps increased 230%. And fraudsters don’t seem to have had their fill.

Why are fraudsters targeting food delivery accounts?

It seems unlikely that attacks on food delivery businesses will slow down. In fact, many argue that the problem will get worse before it gets better. But why are your customer accounts so susceptible to account takeover?

Demand for a more frictionless customer journey means that food delivery app users usually face fewer security hurdles. The worry is that too many steps could discourage legitimate customers from placing orders. This combined with the fast-paced nature of the industry makes food delivery accounts a satisfying treat for fraudsters. Once in, they have access to card information, addresses and any loyalty points the customer might have. So it can often be quite the payout!

Greedy fraudsters also know that they can exploit relaxed security to commit refund abuse. One of the easiest ways to commit refund fraud is by taking over an established customer account with a high reputation. This is because companies want to provide trusted customers with the smoothest experience possible. Fraudsters can request refunds on dispatched items with little trouble and make use of the money credited to the account.

How might PSD2 fuel the rise in account takeover?

As part of PSD2, European merchants must enforce Strong Customer Authentication (SCA), or multi-factor authentication. This has made some types of fraud more difficult, but fraudsters are always quick to sniff out new opportunities.

Exploiting SCA exemptions

There are exemptions to SCA that you can use to support a more frictionless customer experience. These exemptions reduce the number of times you need to authenticate a customer. For on-demand businesses, where speed is a critical part of your model, these exemptions are incredibly valuable. But fraudsters are just as knowledgeable about new regulations as merchants are – if not more.

Fraudsters are very aware of which transactions are less likely to have SCA applied. It would make sense that food delivery merchants try to make the most of Transaction Risk Analysis (TRA), Low Value Payments, or Trusted Beneficiaries exemptions. But what are these exemptions and how might fraudsters exploit them?

The TRA exemption applies to all transactions deemed low risk, based on a TRA assessment. Where this isn’t possible, you can apply a low value exemption on any transaction below €30. With trusted beneficiaries, customers are able to “safelist” certain merchants.

By taking over the account of a legitimate trusted customer, fraudsters could potentially benefit from their clean record. So long as the transaction doesn’t look drastically out of the ordinary. If that doesn’t work, food delivery transactions are often low value. So fraudsters can get away with up to five transactions before authentication is required. Or they can take the chance that hungry customers will safelist their favorite food delivery apps.

Accounts with a free pass on authentication are a big draw for fraudsters. As merchants develop SCA exemption strategies, we might see a surge in account takeover attacks.

Social engineering on call centers

Studies have found call centers to be a weak spot of choice for account takeover attacks. And PSD2 regulations are sure to make them even more inviting. With higher barriers to entry, fraudsters are likely to turn to tried and true tactics – namely, exploiting human error. In the case of food delivery merchants, this is likely to be customer support services.

Customer support often uses knowledge-based authentication to grant access to customer accounts. By using social engineering techniques to target call center agents, fraudsters are able to completely bypass technology solutions to get access to customer accounts.

As we’ve already seen, there are lots of shady actors with information to sell. From there, it doesn't take much for an enterprising fraudster to manipulate an agent into helping change a password or email address on a food delivery account.

How are merchants monitoring account takeover?

Our research has shown that food delivery merchants are most likely to track password and email changes. While these activities can be big red flags, we have found that attackers are more likely to change the phone number than the email address. Around 10% of attackers changed the email address, while 48% changed the phone number. In around 15% of attacks, the phone number on the account was changed twice or more. But, only 52% of merchants say they track phone number changes.

In general, the percentage of food delivery merchants that report tracking user activity across the board is worryingly low. Password changes were the most tracked activity and this was only at 60%. With account takeover on the rise, making a concerted effort to monitor these factors could make a huge difference. That said, 80% of food delivery merchants say they have a specific account takeover tool. But is this alone enough?

Why account takeover could be deadly for the industry if left unchecked

The pandemic may have supersized the food delivery industry, but many businesses in this space have remained unprofitable. For food delivery merchants, the leading risk factors when it comes to account takeover are revenue loss and the fines associated with data theft. UK and EU GDPR and Data Protection Act fines can reach £17.5 million and €20 million respectively, or 4% of annual global turnover. So the financial threat that account takeover poses to food delivery businesses cannot be overstated.

What’s more, account takeover can very quickly turn your relationship with customers sour. An attack can destroy your business’ reputation, particularly if victims complain publicly. With multiple high-profile players competing in the food delivery market, headlines about delivery accounts being hacked are deadly.

Fraudsters are smart and adapt quickly, so you need to be on the ball. PSD2 will protect your business from many types of fraud. But it could also leave you vulnerable to new creative fraud types if you get too complacent. Small changes like implementing a breached credential database, expanding your user activity monitoring and training your customer service staff could make a world of difference. Find out more about how you can protect your customer accounts.