Podcast transcript

Lola (Ravelin): Hello and welcome to Ravelin’s podcast! Today, I have the pleasure of speaking with Shawn Colpitts, Senior Fraud Investigator at Just Eat Takeaway. Shawn's fraud fighting expertise knows no bounds and I'm very excited to have him on the podcast today. Today, we'll be discussing the fraud challenges faced by the Food Delivery Marketplace industry and the steps merchants can take to mitigate these risks to their business.

Hi Shawn, thank you for joining me today!

Shawn: Hi Lola, thanks for having me here for this opportunity.

Ravelin: It’s great to have you! So, to kick things off, could you tell us a little bit about yourself and how you got into fraud fighting?

Shawn: Yeah, absolutely! It almost seems like I was bred for this position. I started off in an accounting role, and got bored very quickly. From there, I moved into another desk position, being the inventory and logistics analyst for a large agricultural manufacturer here in the city with some global reach.

There, I was basically doing the same that I’m doing now. But instead of looking into people's patterns and behaviors and finding the fraud behind it, I was looking into inventory problems and how to make logistics deliveries more efficient.

From there I wanted to do something a bit different and I got into some physical security and loss prevention. And after a small altercation, life decided that I should get back behind a desk. Landed into an entry level position at Skip the Dishes and within one month I uncovered an organized crime ring just by happenstance.

"Within one month I uncovered an organized crime ring..."

I put myself forward to be part of the fraud team that was developing there, got in and now I’m the Senior Fraud Investigator for the Global Fraud Operation team for Just Eat Teakeaway.com.

Ravelin: That’s such a journey! I can't believe you managed to find a fraud ring within a month.

Shawn: It was fun! Back in those times, they didn't hide very easily – now they do.

Ravelin: So, it’s clear that you were very much meant to be in this industry.

Shawn: It’s almost like that!

Ravelin: So moving into Food Delivery fraud. Fraudsters are a whole new beast now, particularly in Food Delivery Marketplaces where food delivery apps are – for myself included – a mainstay of modern life.

The average consumer has at least two apps on their phone and uses them around three times a month. So, this obviously is going to have huge implications for fraud — more users, more places for fraudsters to hide. So, in your opinion, from when you first started to now, how has awareness of ecommerce fraud changed over the past few years?

Shawn: Oh it’s grown exponentially. The thing is, it’s double sided. It’s not only grown on the side of consumers and businesses realizing that “hey, you know what, there are some problems out there” – especially on the consumer side when it comes to ATOs and card fraud. And then on the business side, just the losses that have happened because of the increase in fraud and press exposure overall. But on the fraud side as well. The fraudsters have realized, especially during the time of the pandemic, that there’s been this turn towards online purchasing. So they follow the flow and are better able to hide themselves amidst the increased volume.

Ravelin: So fraudsters definitely like to hide in plain sight. So where there’s more activity, there is always more fraud. And the same can be said for difficult economic times. So how do you think the current economic climate is going to impact these types of fraud as the cost of living goes up and money is tighter for most people? Have you seen any changes recently?

Shawn: Yes, more of a turn towards fraud as a service. What you see is that in any hard economic time or any large-scale event across the world, you see an increase in fraud and whatever is most effective. And right now it appears to be fraud as a service.

"In any hard economic time, you see an increase in fraud..."

What we’ll see is customers looking for a deal basically and they find these offerings on the surface web right in front of their faces. Many different social media platforms, discussion sites where these offerings are happening, and “why not save a few bucks?”

They don’t realize often that it is actually a fraudulent service, using stolen credentials or some other fraudulent means to perpetrate these orders. They just see that “hey, I’m saving 20, 30, 50 percent on my order. Why not put it through?”

Ravelin: You mentioned here two different types of actors within this. So you have the professional fraudster, who is advertising their services online. And then you have the genuine customer, who is maybe being a bit more opportunistic or just doesn't really know that they’re committing fraud essentially. And this is similar to what we’ve seen in our research around Food Delivery Marketplaces, particularly when it comes to – like you said – fraud as a service and policy abuse.

Shawn: Yeah, absolutely an increase in policy abuse as well. You do have people just trying to make ends meet, as I mentioned. They’re in hard times and just want to save a few bucks – so what’s using some coupons and vouchers excessively or in breach of the terms and conditions?

In those instances, a lot of people don’t feel that they're committing anything fraudulent. That they’re not really doing anything wrong because the platforms and the allowances are accepting these and letting it happen. Unfortunately, it does breach T&C, it does lead to potential company losses, so it is something that businesses don’t want.

And then on the other hand, yes, you have your professional fraudsters, who are taking advantage of the situation as well. They know that people are in hard times, so they’re going to put themselves out there – of course, behind masks to keep their identities safe and their businesses going. But they’re still reaching out and offering these services in places where just average ordinary people can see them. And of course, in these hard times, they’re picking up on them and placing orders through them.

"[Fraudsters] know that people are in hard times, so they're going to put themselves out there."

Ravelin: With these customers, this kind of behavior, I guess, can be quite a slippery slope. It’s one thing to refund something that you maybe shouldn’t have refunded, but once you see it’s easy to do it becomes habitual behavior. In your opinion, do you think it’s possible to reform opportunistic customers?

Shawn: In many instances, I think you can. Basically, these people don't necessarily realize that they’re doing something that’s wrong. There are those, of course, who are absolutely malicious in this and they’re trying to find ways to work around, so they can always keep doing some form of policy abuse. But a lot of them you see that they’re not doing so with a really high velocity to the point where it is what’s sustaining them. They’re just doing it because it’s there and it’s available and they have that opportunity to.

So in those instances, if you do find some way to prevent it from happening, there is that opportunity for them to perhaps reform as you mentioned. These people want to keep placing orders, getting their food or parcels – whatever the service may be – they're just trying to save a few bucks. But if they can’t save a few bucks, although they may order a little bit less, they’re still going to do so with you.

So if you can allow them to continue placing orders or continue getting refunds or, at some point, use vouchers or coupons again, then why not give them that opportunity?

Ravelin: What would you recommend merchants do in this situation? How can they go about balancing mitigating this fraudulent behavior while also retaining these customers who, like you said, will probably still go on to still spend money and make orders?

Shawn: If we’re speaking specifically about policy abuse, it’s a little bit easier. When it comes to a lot of policies, you’re the one that determines what that threshold is – where someone becomes bad for business, where someone is considered a bad actor. With that, they obviously have met your set criteria of xyz and, at that point, you don't want them to be able to abuse the system anymore.

"You're the one that determines what the threshold is - where someone becomes bad for business..."

So if you action them in the way that you choose to, whether it’s prevention or denial of some form of service – be it a refund or the acceptance of vouchers or coupons. At some point if they continue placing orders with you and they’re not abusing anything or trying to abuse anything, you can then set an additional criteria where you’ve recouped your money or whatever the case may be. They meet xyz criteria, well why not give them the opportunity to continue to be on this path of goodness – being a genuine customer – and see how they go.

And of course, if they do fall back into their bad habits again, you’re going to want to action them a little bit more harshly than you did in the first place. Perhaps a permanent ban from placing orders or using vouchers, coupons, getting refunds. Whatever the case may be.

Ravelin: Tackling policy abuse presumably can't be handled by the fraud team alone. You mentioned Terms & Conditions, that's something that would require input from the Legal team. Or the actual initiative themselves when it comes to promotions, it’s the Marketing team who comes up with these initiatives. So, what in your opinion is the most ideal way to work with the wider company when it comes to tackling policy abuse and similar fraud types that do require investment from other teams within the business?

Shawn: A lot of different fraud involves additional teams getting in there with you. There's Developer time that you need to help create tools to help you prevent fraud, detect fraud. There’s your Business Intelligence teams, as you mentioned, Marketing, Legal…you have to go through Finance…all sorts of different pillars within the company. You have to work with your Ops teams. With that, you really have to speak their language depending on who you’re talking to. So, for example, if you’re speaking to Finance, you really want to put everything in dollars and cents because that’s what they’re interested in. When you’re speaking with Ops, you really want to keep it customer-centric. Keep it focused on the customer, the output that you’re having, your false positive rates, how much is this costing us. You really have to speak to your audience, which is something my manager has really worked hard to teach me. And it’s gone a long way because our reach has grown exponentially as the team learns that you really need to play to the audience and who you’re speaking to.

"A lot of different fraud involves additional teams getting in there with you...With that, you really have to speak their language."

Ravelin: That’s great advice and I think it can help anyone in any industry. It’s about knowing your audience and what their goals are, and communicating that in a way that’s meaningful to them.

Shawn: Absolutely! Otherwise, they’re not going to be able to make sense of it and you’re not going to get the result that you desire because not everyone knows fraud like you do. So if you go in there and you just start talking about fraud – “we need to stop this and we need to stop that” – you’re going to have a lot of questions. And, unfortunately, even if it’s not meant, a lot of pushback. But if you can translate everything to their language, what they need to hear to get the outcome you desire, it’ll really help you a long way.

Ravelin: Great advice. You mentioned social media and its impact on fraud earlier as well as fraud as a service. What are the main methods you’re seeing from both professional fraudsters and opportunistic customers when it comes to social media and professional fraudsters advertising their “skills”, if you will, to everyday people?

Shawn: That’s one area where the fraudsters really have us beat – communication. They have these open channels of communication that us as fraud fighters don’t have and can’t utilize. And it makes sense that we can’t in a lot of instances.

"That’s one area where the fraudsters really have us beat – communication."

But they’re on social media platforms, be it Facebook, even LinkedIn…I haven’t seen any advertisements on LinkedIn but they do use LinkedIn for fraudulent means. You’ll see them post offerings on Discord. There’ll be discussions amongst customers and fraudsters alike in Reddit explaining how to do certain things. Telegram has blown up exponentially. With it being anonymous, it’s really really hard to trace back to put in any preventative measures in place.

So with that, you see everything right on the surface web in front of you. So when it comes to the professional fraudsters, of course, they’ll have their advertisements up – “hey I’m offering this, contact me with this, pay me with this”.

And then when you move on to discussion groups, like say Reddit, that’s where you see more of your customer base, opportunistic people, discussing what’s worked for them in the past. If a fraudster ends up within one of those chains, then it starts becoming monetary offerings. So fraud as a service, for example. Offering to get refunds for customers, offering to explain how to get some sort of workaround. But that all comes at a cost, of course.

And then you’ll also see marketplaces set up that offer not only services, but credentials even. And that’s right on the surface web. So, for example, sites kind of like Shopify (but not Shopify). A couple sites that were exposed before were Shoppy and Sellix. And there were marketplaces that people had set up that were selling anything from just simple orders and gift cards, and then I saw things on there for guns and drugs. So it’s right there on the surface web for anyone to find.

"You'll also see marketplaces set up that offer not only services, but credentials even"

Ravelin: Oh wow, that’s actually very scary. It’s so public and accessible to the average person, but I’m curious as to what you see from your side. What patterns stand out when looking at fraud as a service or triangulation fraud?

Shawn: What you end up seeing there depends on how they’re doing so. But typically what you’ll see is either ordering a lot of the same stuff or from a lot of the same locations. Like, for example, when you’re looking at food delivery, you’ll probably see a lot of the same locations used over and over again that are having, say, chargebacks hitting them. Or you’re tracing some sort of fraudulent activity and it keeps leading to the same location. Their offerings aren’t necessarily your entire service set, not all your suppliers, so you see these triangulation fraud happening at limited amounts of locations.

But then when it comes to physical products, you’ll see them ordering the same things quite often. I hate to bring it up – I love them – Sony with the release of the PS5. Those bots picking them up, that wasn’t all just to get the inventory to sell later but some of that was already sold.

Ravelin: And what can you do? When it comes to these ads across social media, is this something you can track and stop or are you at the whim of these platforms and you have to wait until it hits you essentially?

Shawn: Unfortunately, when it comes to stopping it, it’s up to that platform themselves. We can expose things and report them as much as we want, but ultimately it’s not on our side. A lot of them do have their support or report email addresses or contact that you can get a hold of to take these things down. But as soon as they do, another one pops up. So really when it comes to the prevention of these services being offered as they are, they have to be fought by the platform that they’re showing up on.

Ravelin: These fraudsters are so adaptable and so quick to change up their MO. It’s a wonder how you’re able to stop any of them at all!

Shawn: You really have to keep educating yourself. As a fraud fighter, get out there and be part of what you can. Get involved in the community, join different organizations, go to roundtables, watch webinars and panel discussions, take courses. Keep learning because, if you stop, you’re going to miss a lot of the fraud that’s going on.

"As a fraud fighter, keep learning. If you stop, you’re going to miss a lot of the fraud that’s going on."

Even things that are happening in industries that aren't related to your own. A lot of elements of those, even if it isn't the full blown fraud, are going to be landing on your platform as well. So educate yourself, so you can be prepared and try to keep up.

Ravelin: That makes sense. Keeping an eye on what’s happening in the wider market and not necessarily just your industry is probably very helpful because eventually it will reach you and you don’t want to wait until that point. Then it’ll be too late.

Shawn: Yeah, you really have to and you have to be creative as well. A good friend of mine, Mr Alexander Hall, has a saying – “think like a fraudster”. And you know what? That is absolutely true. Everything you can be witness to and learn about – if you can imagine it happening, there’s a good chance that it is happening. If not on your platform, somewhere else. So get those ideas in your head, grab the data and test it out and see what might be going on. And if you don’t find anything, at least you have an idea of something you can do to protect yourself in the future.

"If you can imagine it happening, there’s a good chance that it is happening. If not on your platform, somewhere else."

Ravelin: That is a terrifying thought, so I will make a little transition to supplier fraud, which is a pretty unique challenge to marketplaces. I’d be interested to hear a bit more about what you're seeing when it comes to supplier fraud? In particular, courier fraud.

Shawn: When it comes to courier fraud, there’s a lot of different things they can do. And this is known through what’s been in media, and what fraud fighters and groups have discussed already. Thanks to Pokemon Go, there’s GPS spoofing of course, which can happen. There’s taking a lot of opportunity to abuse policies as well.

So, for example, if you’re offering some form of referral or some form of bonus, you’re going to see that couriers may try and take advantage of that. Do some form of self-referral or find some sort of workaround, so that they get some bonus for not actually having to do the work, or for doing the absolute minimum or finding some way to weasel around it. You have to keep your eyes open because they’re going to try and get what they can. Not necessarily anything that’s extremely volatile but, if it’s possible, there’s a good chance that it might be happening.

They can be opportunistic as well, not even realizing that they’re doing something fraudulent. For example, there’s a lot of third party apps out there that are used by all the couriers for the different food delivery services that’ll grab shifts. Now these couriers are necessarily doing anything malicious. They want to potentially just work more, so they’re trying to get these shifts assigned to them. But unfortunately it breaches T&C, it exposes their credentials to third parties who aren't verified in any security type manner. So there’s the potential for them to be malicious themselves in gathering all this data. And then there’s also potential loads on the system. You don't want the system to crash.

Ravelin: What would you say are key indicators of supplier fraud in a network? What should other fraud fighters in the food delivery space be looking out for?

Shawn: When it comes to couriers, I would suggest just the same with customers. Keep an eye on the activity. You want to be careful of account takeovers for one - you want to try and keep your driver safe. So if there’s any social engineering that’s going on through contact, you have to make sure that there’s policies and procedures in place ,so that there’s proper verification of the person who’s talking to you from the other end.

"When it comes to couriers, I would suggest just the same with customers - keep an eye on the activity."

With the threat that’s coming from these third party applications that are using courier details, you want to make sure that you’re monitoring for any sort of anomalous account changes – banking information being changed just before payouts, names, phone numbers, email addresses… Anything that’s being changed on an account. Just make sure you’ve got things to monitor anything anomalous that might be suspicious.

With GPS spoofing, luckily there are ways of detecting that, so make sure that you have protections in place. And again, you can thank Pokemon Go for everything that’s come about for that one! And then just keep an eye on their behavior. What are they doing because a lot of the workarounds when it comes to bonuses is just a matter of how they are traversing. So keep an eye on what they’re doing there.

Referrals - look for duplicate accounts, information, make sure all your documents and everything are all in check. Just keep on top of your side and you should be able to prevent as much as you can.

Ravelin: Do you think that working with courier services is a possibility to help curb this type of fraud?

Shawn: Absolutely! When it comes to policies, you need to have that communication with them because they’re the ones who are going to be able to affect any sort of real policy change. They’re part of that approval process. They know more about the courier pool than you do as a fraud fighter because when it comes to courier services that is their job.

Some markets, you may have less couriers than others, so you’ve got to be a little bit more cautious. Every market could potentially have to be handled differently when it comes to any sort of fraud or abuse that’s exposed. So you absolutely have to communicate with them to make sure that everything is being done effectively, so it doesn’t negatively affect that market too much.

Ravelin: I have a question about, not a specific fraud type but fraud in general. So, most online merchants are fighting the battle between adding extra friction to curb fraud and offering frictionless and very seamless customer experiences. In your opinion, how can they find that balance between blocking fraud but letting genuine customers have the best experience possible?

Shawn: That’s a very difficult question to answer because it’s kind of a double edged sword. You absolutely want to have as frictionless an experience as possible. But, like I say, the less friction there is for customers, the more traction there is for fraud. So, with that in mind, there has to be some friction in place at key points.

"The less friction there is for customers, the more traction there is for fraud."

Where exactly to put it is really up to your company. There are certain ways you can do it. Some companies use risk-based friction. So if a specific activity happens, some threshold is met - be it a score of some sort even – then there’s some form of friction put in place because they don’t want to apply it to everybody.

Myself, personally, I say there’s a couple points where you need to apply friction – the main one being at account creation. You absolutely need friction there. Otherwise, right from the get go, you’re going to have bad data. I don't like having bad data to work with, it makes my job a little bit more difficult. So I would absolutely add some form of verification at account creation. Moving forward from there, payment addition, you may want to add some form of friction. But really it’s up to the company and where they see that they need it.

"There’s a couple points where you need to apply friction – the main one being at account creation."

Ravelin: And I think that’s the difficulty when it comes to this space and fighting fraud. That it is very much dependent on the company – there isn’t a one size fits all when it comes to fighting fraud.

Shawn: No, there really isn't. As a fraud fighter, you want to stop all the fraud possible and the best way to do that is to add as much friction as possible. But realistically, even as a fraud fighter, you know you can't do that. So you have to pick and choose where you can apply it. Do you want to apply it at a potential risk threshold which is scored? Do you want to apply it at an anomalous login? Account detail changes? Account creation? Where do you need to put it to make your job as easy as possible? And that’s what you fight for. Not everywhere or anywhere that you could potentially think of but honestly where it is most effective and efficient for you. Don't fight for everywhere.

Ravelin: Definitely. There are just so many external factors that really impact fraud and how it affects companies. We have the pandemic, which has seen just so many people go online and has increased activity in a way that many couldn't have imagined previously. You’ve mentioned social media and the way in which fraudsters are using that to really expand their reach, both in terms of reaching genuine customers and having them behave badly but also communicating to one another and sharing advice and sharing tips on how to get around different barriers. And with all of these external things that aren’t under your specific control, how do you think companies can continue to protect their bottom line? Particularly in difficult financial times like we’re seeing now and how do you think we can keep fraud high on the agenda?

Shawn: When it comes to protecting the bottom line, unfortunately, there has to be a lot of things that are put into place. Say, some restrictions or freezes. But the company, in my opinion, really has to focus on – instead of growth, they have to focus more on making things as best as possible for their current client base. If they can make it good for all the customers they presently have, then those customers are going to order more even in these difficult times. They want a good, clean, happy experience.

If you can optimize your product and focus on that, then you’ll have your customer placing more orders. But, at the same time, you’re also investing in making that same opportunity for fraudsters. So it’s a double investment that’s necessary that is outside of any sort of growth or expansion. Basically, making things good for your current client base and also investing in your fraud team and your Trust and Risk and Safety [teams]. All of these aspects to keep the fraud out. So at that, not only will you get happier customers ordering a bit more on your platform but you're also going to save money in the fraud that's prevented through those teams.

"If [you] can make things good for all the customers, then those customers are going to order more even in these difficult times."

Ravelin: That is really great advice especially as we move into the later part of the year and holiday season where fraud is really bound to kick up a notch. So hopefully that helps whoever is listening and merchants and fraud fighters protect themselves a bit more as things get a bit tougher.

Shawn: Those times aren’t just coming, they’re here already. And during the holiday season everyone is going to see a big impact from that. So be ready!

Ravelin: Well, on that note, thank you so much for that advice today Shawn and taking the time out to speak to me. It’s been great!

Shawn: Thank you for having me on.