Top 5 mobile app fraud schemes affecting restaurants and QSRs
Consumer use of mobile and online ordering has surged in the restaurant and quick-service restaurant (QSR) space. Accelerated by the pandemic, this digital adoption is here to stay – and grow even more.
Restaurants have responded with more digital-first offerings like curbside pickup, contactless payments, mobile order-ahead, and app-only rewards. But this response has left them with a new burden of liability and greater digital fraud losses.
Restaurants have long operated in a card-present transaction environment where fraud liability is on the customer’s credit card issuer. However, when restaurants start accepting orders and card-not-present (CNP) payments via mobile apps, the fraud liability shifts.
Few business owners and franchisors can manage such a burden. As a result, restaurants will shoulder more chargebacks and greater financial risks and losses.
In addition, a mass digital migration has compounded the problem and opened businesses to digital fraud schemes from criminals and consumers.
5 mobile app fraud schemes that expose QSRs to digital fraud
Business owners must first understand why they have a digital fraud problem to combat malicious activity amid the industry’s digital transformation. And they must be watchful of the following mobile app fraud schemes.
1. Account takeover (ATO) fraud
ATO attacks happen when a bad actor uses stolen credentials to access and take over legitimate customer accounts. They often do so to loot loyalty points or stored payment information.
Physical punch cards are now a relic in the restaurant sector. Loyalty programs motivate customers to keep coming back. But customers don’t want the nuisance of keeping a paper punch card.
Digitally integrated loyalty programs will soon become an industry standard. So restaurants need to adapt their offerings to remain competitive. But adapting to the new norm will put restaurants and QSRs at greater risk of account takeover attacks.
2. Card testing
As more restaurants undergo a digital transformation, fraudsters will have even more opportunities for card testing. Card testing happens when criminals make small purchases via mobile app to validate stolen credit card numbers.
QSRs are prime targets for this activity. It’s not unusual for fast-casual restaurants to see transactions with low dollar amounts. Unfortunately, that means rapid transactions of low dollar amounts from criminals easily blend in with orders from good customers.
With high-volume orders and customers frequenting QSRs primarily for convenience, restaurants don’t have time to comb through orders for fraud. It’s not until after the fact, when thousands of dollars in credit card processing fees appear, that businesses realize the problem.
3. Digital dine-and-dash
Digital dine-and-dash is a new form of fraud that restaurants need to be extra wary of. Customers and bad actors can conduct this activity in many ways, and it’s extremely difficult to fight.
Mobile order-ahead and delivery apps are rampant with digital dine-and-dash fraud. One of the most common forms of abuse is when diners receive items but report them missing or incorrect. Businesses that offer mobile order-ahead are most likely to side with the customer and issue a refund.
Large, high-dollar orders through these apps can also signal fraud. But they can be good customers too. Distinguishing between the two is tough, especially around holidays when large orders are common and fraudulent ones are most likely to blend in. Restaurateurs often only realize orders were fraudulent after banks issue chargebacks.
Successfully disputing these chargebacks or food refunds is nearly impossible. It even put one LA restaurant out of business. After spending hours on the phone fighting chargebacks, the business was bleeding cash and had to close its doors.
4. Promo abuse
Promo codes are another ripe target for fraudulent activity. Promo abuse fraud primarily happens in two ways. First, customers may take advantage of a system weakness by happenstance. And bad actors may launch targeted attacks to exploit vulnerabilities.
In both instances, promo abuse can lead to massive financial losses. For example, one fried chicken chain lost $30,000 to a university student who manipulated a promotional voucher in the QSR’s ordering app.
For six months, students exploited an app glitch that allowed them an unlimited amount of free food. They then resold that food to classmates and friends at discounted prices.
Promo codes do a lot to foster customer loyalty. And QSRs are wise to invest in the promotional area. But this is one interesting case of how promo abuse by happenstance, which is already costly, can quickly turn into targeted attacks with massive financial consequences.
5. New account fraud
New account fraud is another scheme on the rise. Account creation fraud occurs when someone creates a new account to take advantage of another person or business.
Bad actors may commit new account fraud to make purchases with a stolen credit card, mask credential stuffing attacks, or open accounts with stolen credentials. They may also use new accounts to gather large amounts of sign-up bonuses, promo codes, free trials, or gifts for resale.
Consumers may also commit new account fraud. In many cases, they create a new account to take advantage of a promo or discount code. Or they may provide a fake email address to avoid a business’s promotional messages.
New account creation in the restaurant industry boomed during the pandemic, as dining rooms closed and consumers flocked to digital platforms. As a result, food and drink app downloads increased 20% from 2020. Specifically, fast-food app downloads grew 21% in 2020, and fast-casual downloads grew 23%.
With so many new downloads, it stands to reason that new account creation will be on the rise in the restaurant industry for the foreseeable future. But so will its fraudulent counterpart. A tell-tale sign of this activity is a quick uptick in new accounts over a short time.
Restaurants need to be vigilant for this difficult-to-detect activity. New account fraud can cost restaurants and QSRs significant ad spend and revenue.
Digital fraud prevention solutions mitigate mobile app fraud
Customers are looking for speedy and reliable service. And fraudsters are well aware that restaurants and QSRs don’t have the resources or time to review every order manually.
They also know the restaurant industry is becoming increasingly digital. Both make restaurants — QSRs, in particular — prime targets for fraud.
Strong digital fraud prevention tools can stop fraudsters and happenstance abuse of system weaknesses. Prevention, rather than reaction, is key here. As the industry becomes increasingly digital, rules-based fraud detection can’t keep up. QSRs can battle fraud with a digital solution that is backed by AI and machine learning.
An AI-driven digital fraud prevention solution reduces false positives, improves customer experiences, automates decisions, and protects those thin QSR margins in real time. The right solution also detects and prevents existing and emerging fraud, which keeps restaurants and QSRs ahead of the competition and fraud.