By NHI Mgmt Group Editorial Team | Published 2026-06-08 | Domain: Governance & Risk | Source: SumSub

TL;DR: Delivery platforms are facing coupon abuse, refund fraud, merchant laundering, and SMS verification scams as fraud tactics spread through social media tutorials, according to SumSub. The real governance problem is that growth models built for frictionless checkout now depend on identity and transaction controls that can absorb abuse without punishing legitimate users.


At a glance

What this is: An interview-driven analysis of fraud patterns in on-demand delivery, with the central finding that fraud has scaled as social platforms make abuse tactics easier to copy and coordinate.

Why it matters: For IAM practitioners, fraud controls increasingly sit at the intersection of customer identity, device trust, verification workflows, and exception handling across human, NHI, and automated decision paths.



Context

Delivery fraud is no longer just a payments problem. In on-demand platforms, weak trust signals can be exploited at account creation, coupon redemption, refunds, merchant onboarding, and SMS verification, which means identity controls and fraud controls now overlap. The article focuses on how a delivery platform balances a smooth user journey with abuse resistance, rather than on any single technical fix.

The broader identity lesson is that fraud pressure grows when systems are optimised for speed and scale before trust boundaries are well defined. That makes this a useful case for IAM, fraud, and security teams that need to coordinate policy, verification, and response across customer identity and platform operations.


Key questions

Q: How should delivery platforms reduce fraud without hurting customer conversion?

A: They should use risk-tiered friction rather than blanket challenge. That means light-touch verification for low-risk activity, stronger checks for high-risk behaviour, and clear review paths for exceptions. The goal is to make abuse expensive while keeping legitimate users moving through the flow with minimal disruption.

Q: Why do delivery apps attract so much fraud?

A: Delivery apps combine fast onboarding, repeat transactions, coupon mechanics, refunds, and merchant relationships in one environment. That creates many low-friction abuse points. Fraudsters also benefit when tactics are easy to share, because one successful method can be replicated across regions and user segments quickly.

Q: What do teams get wrong about AI-based fraud detection?

A: They often assume the model itself is the control. In reality, machine learning only helps when it is paired with clean data, current fraud patterns, and operational escalation rules. Without those supports, teams can end up automating inconsistent decisions rather than improving trust.

Q: Who should own fraud governance in a delivery platform?

A: Fraud governance should sit across security, product, payments, and operations because the abuse surface spans identity, transaction logic, and fulfilment. If one team owns only part of the journey, the platform usually ends up with gaps between detection, investigation, and customer experience.


Technical breakdown

How delivery fraud spreads across the customer journey

On-demand delivery fraud tends to exploit several low-friction moments in the journey, not one isolated weakness. Common patterns include coupon abuse, refund gaming, account takeovers, fake merchant behaviour, and verification abuse through SMS or recycled identities. The important technical point is that these attacks often look like normal user behaviour until they are correlated across accounts, devices, payment methods, and timing. That is why rule-only detection becomes brittle when abuse is distributed and fast-moving.

Practical implication: teams need cross-signal correlation across identity, device, payment, and fulfilment events rather than isolated point controls.
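An added example, not code from SumSub or the original post: one way to implement the cross-signal correlation described above is to link accounts that share a device or payment method (directly or transitively) and then check whether the linked accounts acted within a short time window. The event fields, sample events, and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed coupon-redemption events (illustrative, not real data).
# Field names and thresholds are assumptions for this example.
EVENTS = [
    {"account": "a1", "device": "d1", "card": "c1", "ts": 0},
    {"account": "a2", "device": "d1", "card": "c2", "ts": 120},
    {"account": "a3", "device": "d2", "card": "c2", "ts": 300},
    {"account": "a4", "device": "d3", "card": "c3", "ts": 400},
    {"account": "a5", "device": "d4", "card": "c4", "ts": 200},
    {"account": "a6", "device": "d4", "card": "c5", "ts": 90000},
    {"account": "a7", "device": "d5", "card": "c5", "ts": 180000},
]

def _find(parent, x):
    while parent[x] != x:
        parent[x] = parent[parent[x]]  # path halving
        x = parent[x]
    return x

def _union(parent, a, b):
    for n in (a, b):
        parent.setdefault(n, n)
    parent[_find(parent, a)] = _find(parent, b)

def correlate(events, min_accounts=3, window_s=3600):
    """Flag groups of accounts that are linked (directly or transitively)
    by a shared device or card AND redeemed within window_s seconds."""
    parent = {}
    for e in events:
        acct = ("account", e["account"])
        _union(parent, acct, ("device", e["device"]))
        _union(parent, acct, ("card", e["card"]))
    clusters = defaultdict(list)
    for e in events:
        clusters[_find(parent, ("account", e["account"]))].append(e)
    flagged = []
    for evs in clusters.values():
        evs.sort(key=lambda e: e["ts"])
        lo, best = 0, set()
        for hi in range(len(evs)):  # sliding time window over the cluster
            while evs[hi]["ts"] - evs[lo]["ts"] > window_s:
                lo += 1
            accts = {e["account"] for e in evs[lo:hi + 1]}
            if len(accts) > len(best):
                best = accts
        if len(best) >= min_accounts:
            flagged.append(sorted(best))
    return sorted(flagged)

if __name__ == "__main__":
    print(correlate(EVENTS))
```

Accounts a1 and a3 share no device or card with each other and are only tied together through a2, which a per-account rule would miss. Accounts a5 to a7 are linked in the same way but spread over two days, so the timing check keeps them out of the flagged set.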

Why acceptable friction is a control design choice

The episode frames the idea of a 'perfect level of fraud' as an acceptable friction threshold, which is really a governance decision about how much challenge the business can impose before legitimate conversion drops. In practice, this means verification depth, step-up checks, and manual review capacity all have to be tuned to the risk profile of the transaction. If those thresholds are too loose, abuse rises. If they are too strict, the platform starts harming conversion and customer trust.

Practical implication: define fraud friction thresholds by transaction type, geography, and risk tier instead of applying one blanket verification model.

How AI and machine learning change fraud operations

AI and machine learning are used here as real-time detection layers, which matters because delivery fraud patterns move too quickly for static review queues alone. These systems are valuable when they score behaviour, sequence, and anomaly in context, but they still depend on good training data and well-defined escalation paths. The technical risk is false confidence, where detection improves while governance remains inconsistent across regions and product flows.

Practical implication: pair ML detection with clear escalation rules and periodic model validation against current fraud patterns.




NHI Mgmt Group analysis

Fraud in delivery platforms is a governance problem, not just an abuse problem. The article shows how opportunistic users, organised fraudsters, and merchant abuse all target the same friction points in the customer lifecycle. That puts identity verification, payment trust, and exception handling into one operational control plane, which many teams still manage separately. Practitioners should treat fraud as a trust orchestration issue across the full order path.

Social media has lowered the cost of fraud replication. When tutorials turn abuse into repeatable playbooks, organisations face an industrialised version of opportunistic fraud. That changes the threat model from isolated bad actors to scalable patterns that can be copied across markets and platforms. Teams need to assume that once one abuse method works, it will spread quickly through shared channels.

Delivery platforms expose a concept we can call the friction budget. This is the amount of user challenge a business can impose before the product starts losing legitimate conversions or engagement. The article makes clear that fraud prevention is now negotiated inside that budget rather than outside it. Security leaders should stop treating friction as a binary and start managing it as a scarce control resource.

Customer fraud and merchant fraud are converging under the same identity assumptions. Coupon abusers, refund cheats, money-laundering merchants, and verification scammers all exploit trust decisions that were designed for growth, not adversarial behaviour. The discipline now required is not only stronger detection but tighter lifecycle thinking around accounts, merchants, devices, and regional verification rules. Practitioners should align fraud operations with identity governance, not leave them as separate workflows.

From our research:

  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
  • Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
  • For practitioners looking at identity-adjacent abuse patterns, the Ultimate Guide to NHIs – The NHI Market provides the broader market context behind control fragmentation.

What this signals

Friction budget: delivery businesses are learning that trust controls have to be tuned like product features, not bolted on like afterthoughts. When abuse methods are easy to copy, the programme needs fast feedback loops between fraud detection, customer identity, and payment review so controls can adapt before the pattern spreads.

The strategic signal is that fraud teams and IAM teams will increasingly share the same operational data, even if they report separately. That makes identity assurance, behavioural analytics, and exception handling part of the same governance conversation, especially when social platforms can turn one abuse technique into a repeatable playbook overnight.


For practitioners

  • Map fraud touchpoints across the full delivery journey: Inventory where abuse can occur at signup, coupon use, refund requests, merchant onboarding, and verification. Tie each point to the identity, payment, and fulfilment signals that should trigger review, then measure where those signals are missing or disconnected.
  • Set friction thresholds by risk tier: Define different verification rules for low-risk, medium-risk, and high-risk transactions. Use geography, velocity, device reputation, and order value to decide when to step up checks, rather than forcing the same challenge on every user.
  • Correlate abuse signals across systems: Combine customer identity data, device intelligence, payment history, and merchant behaviour into one review path. Fraud that looks minor in one system can become obvious when the same pattern repeats across multiple accounts or markets.
  • Validate ML decisions against current fraud patterns: Test detection models against the latest abuse methods, not just historical labels. Review false positives, missed cases, and regional drift regularly so automated scoring does not create a false sense of control.

Key takeaways

  • Delivery fraud is a lifecycle issue because abuse can enter through signup, coupons, refunds, merchant onboarding, and verification, not just through payments.
  • The article shows that fraud grows when social media makes abuse tactics easy to copy, which raises the speed and scale of repeated attacks.
  • Teams need risk-tiered friction, cross-signal correlation, and tight ML escalation paths to reduce fraud without breaking legitimate customer journeys.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-4 | Fraud controls hinge on limiting and verifying access at each customer touchpoint.
NIST Zero Trust (SP 800-207) | AC-6 | Risk-based verification reflects least privilege and continuous trust evaluation.
NIST SP 800-63 | | Identity proofing and authenticator assurance matter where SMS and account trust are abused.

Map delivery fraud signals to access decisions and step up checks when behaviour deviates from expected patterns.


Key terms

  • Friction Budget: The amount of challenge an organisation can introduce before legitimate users start abandoning the journey. In fraud-heavy environments, it becomes a governance constraint, not just a UX preference, because every extra step has both security value and conversion cost.
  • Risk-tiered Verification: A verification model that applies different levels of identity challenge based on transaction risk, user behaviour, and context. It is more effective than blanket friction because it preserves usability for low-risk activity while reserving stronger checks for suspicious patterns.
  • Fraud Signal Correlation: The practice of combining identity, device, payment, and behavioural events into one decision path. It helps teams spot patterns that appear harmless in isolation but become obvious when viewed across the full journey and multiple systems.


This post draws on content published by SumSub on fraud in on-demand delivery platforms and the changing abuse landscape.
