Many investors have asked us about fraud in the startup landscape. In fact, most investors are aware that there are always guys who find creative ways to game the system, and this often leads to a bump in the GMV and higher valuations; but they are not sure to what extent.
For people on the ground, the question asked is “What’s the big deal with fraud? It’s part and parcel of the ecosystem”.
In Momentum Works’ opinion, fraud is more than bumping up KPIs. We’ve been digging in to understand how big the problem is – we first wrote about how Pinduoduo lost millions (and some say billions) of dollars over one night when some creative users and criminal syndicates exploited a bug.
Another question (often Chinese) investors have asked us is “is fraud also common in Southeast Asia, as compared to China?”. In this piece we focus on ride-hailing in Southeast Asia to shed some light on this topic.
Fraud in ride-hailing – what’s the big deal?
Fraud in ride-hailing is not new. Where money is thrown in, scammers are bound to follow. When ride-hailing first came to Asia, it was mainly customers gaming the system, for example by breaking down a $21 ride into 7 journeys to exploit an unlimited $3 voucher promotion. As businesses grew, participants in the ecosystem started to understand the system better and fraud spread to both sides of the platform.
Starting with simple means such as drivers colluding with passengers, creating fake accounts, colluding with a few other drivers, it slowly evolved into sophisticated, criminal syndicates.
In Singapore, where fraud is more sporadic, we hear of drivers clocking an unreasonable number of rides to hit certain incentives. A recent discussion on Facebook during Chinese New Year involved disgruntled GOJEK drivers suggesting that many gamed GOJEK’s system to hit higher incentive targets because multiple people could operate via the same driver account.
In Indonesia where the market is much bigger, fraud is much more rampant.
Just a week back, four drivers in Jakarta were arrested for manipulating GOJEK’s platform. Each driver had up to 30 fake accounts from which they placed multiple fake orders over a two-month period. They made Rp 10 million (US$678) each per day.
In our opinion, this is just the tip of the iceberg. These are only 4 drivers. A little math can tell you how compounded the problem is when larger syndicates operate. Access to fake driver accounts is as easy as going to a shopping mall where scores of stores sell them for up to $70.
To get a sense of the scale, a survey done in 2018 by the Indonesia-based Institute for Development of Economics and Finance (INDEF) found that more than 80% of drivers in Indonesia admitted to manipulating orders to meet their targets and 61% know fellow drivers who do the same.
A more recent survey by Spire Research and Consulting in early 2019 estimated that 30% of GOJEK’s total orders and 5% of Grab’s total orders in Indonesia were fake. Drivers admitted that they found GOJEK’s system easier to exploit.
We spoke to people from both Grab and GOJEK. Grab informed us that the proactive measures they have been taking in H2 of 2018 have led to cleaner GMVs, and that fraud on their platform is now below 1% across the region. GOJEK also mentioned that they take the issue of fraud very seriously. More on some of the anti-fraud measures they take below.
In Momentum Works’ opinion, the consequences of fraud extend well beyond just monetary loss. There is serious collateral damage to innocent bystanders – passengers who see cars on the platforms but don’t get rides, and honest drivers who get a bad name or who keep seeing jobs appearing and getting cancelled. When done in small numbers, the effects are isolated.
But when it scales, it hurts more customers and honest drivers are shortchanged in their income. Trust in the system is dented.
What are the big players doing?
Foo Wui Ngiap, Grab Head of TISS (Trust, Identity, Safety and Security) told Momentum Works that fraud is an adversarial problem – i.e. it keeps evolving.
When Grab first started, they built simple anti-fraud rules. “We’ve learnt and our anti-fraud systems now are built around more complex machine learning algorithms with variable thresholds,” Foo says.
It is obvious that one use case of analytics is to automatically sift through millions of data points to uncover fraudulent patterns – something that the banking & payment industry has been doing.
As fraudsters evolve their tactics, machine learning algorithms come into play, as they can learn and adapt to the new patterns. Different data sets (including manual feedback from customer service) are fed into the system in a bid to stay one step ahead of fraudsters.
Interestingly, the fastest Grab saw fraudsters adapt to new platform rules was 3 hours! “So you can only imagine if you don’t constantly evolve your mechanisms, how fast they will outclass some of the safeguards.”
On tackling fraud, Foo shared some insights with Momentum Works that in addition to technology, Grab was focused on (i) having the right team, (ii) working with partners, and (iii) keeping real ears on the ground.
The Grab anti-fraud team started off at the size of 2 a few years ago, and has now expanded to 120 people covering all verticals in Southeast Asia. Grab can boast of anti-fraud talent who previously worked in similar fields at Ola, Microsoft and Google. 60-70% of the team comprises tech experts such as engineers, data scientists, designers and product managers. Foo said, “investing in talent is a key element because the system is only as good as the brains behind it”.
GOJEK, on the other hand, has an anti-fraud team of 60 people as of June 2018. They are spread across Jakarta, Singapore, Bangalore, and San Francisco and are heavy on data analytics and software engineering.
It is worth noting that sophisticated syndicates also hire very smart people. Therefore, rightly so, platforms need to hire better brains than their adversaries.
Working with partners
Grab works with various partners to exchange expert knowledge in anti-fraud. “Why wait to learn from your mistakes if you can learn from others?” One player that Grab works closely with is Didi – their Chinese counterpart as well as key shareholder. One technology both Didi and Grab have is facial recognition for drivers. This means drivers have to identify themselves by taking a selfie before they are able to drive for the platform. This prevents multiple users from sharing an account, and syndicates from selling accounts to other drivers for illegal usage.
As mentioned above, criminal syndicates in China are very sophisticated and we are sure Didi has seen a lot. The two companies exchange expert knowledge and technology to make fraud more prohibitive.
Grab also works closely with local partners. An interesting example was the Indonesian police approaching Grab to help nail down criminal syndicates in the country that were, in addition to ride-hailing fraud, also involved in smuggling and drug trafficking. Using Grab’s data and tech capabilities, they were able to pinpoint fraud patterns and locations. This led to successful sting operations that nabbed dozens of people across multiple Indonesian cities in 2018.
Actually this reminds us of a first hand account we heard many years ago – before smartphones became popular. Hong Kong police were looking for a criminal who went to a 7-Eleven but only showed his back to the CCTV. They realised the person paid using Octopus – Hong Kong’s transport card. Using the data of the transport network, they managed to track down the suspect’s travel patterns and nailed the person when he was exiting a station a few days later.
Now, with more data in the hands of platforms like Grab, we are sure more such collaborations will bear fruit.
Since the busting of the Indonesian syndicate, Grab has also cooperated with enforcement agencies across Southeast Asia to give better insights into how criminals are evolving in a sophisticated manner on the ground to thwart their undertakings.
Keeping your ears on the ground
Whilst data and tech are important, a key part of keeping pace with fraud is to really understand what people are doing on the ground. Foo emphasises that Grab spends a lot of time on the ground, talking to drivers, customers, working with different parties to understand what’s really hitting them vs what the system tells them and feeding it back for better protection.
So for instance, after working with the Indonesian police on nabbing the syndicates, they got a deeper insight into how the syndicates (i) illegally access the Grab app and run fake order operations and (ii) use fake GPS tools and modded phones to simulate driving behaviour and falsely complete rides. This helped them better their protection systems and launch appropriate tools and campaigns.
Last but not least…continually investing in technology
Both Grab and GOJEK are serious about anti-fraud technology.
Apart from advanced machine learning algorithms, Grab has invested in a number of anti-fraud technologies. Other than the selfie authentication function, Grab said it has device intelligence technologies that screen for app abnormalities to prevent users or drivers from tampering with the app to circumvent security.
GOJEK, on the other hand, has tools such as (i) detection of phones that rotate through many accounts and (ii) a ‘fake GPS’ detection algorithm that sends an automated warning message to drivers when suspicious activity is detected.
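A sketch of the two detection ideas named above, added here as an illustration and not taken from GOJEK's or Grab's systems: it flags devices that cycle through many accounts within a time window, and location pings that imply an impossible travel speed. The event format, the thresholds and the use of a speed check as a stand-in for 'fake GPS' detection are all assumptions, and the sample data is constructed.

```python
import math
from collections import defaultdict

# Constructed sample telemetry (not real data): (epoch_s, device_id, account_id, lat, lon)
EVENTS = [
    (0,    "dev-A", "acct-1", -6.200, 106.800),
    (1800, "dev-A", "acct-2", -6.200, 106.800),
    (3600, "dev-A", "acct-3", -6.200, 106.800),
    (5400, "dev-A", "acct-4", -6.200, 106.800),
    (100,  "dev-B", "acct-9", -6.200, 106.800),
    (700,  "dev-B", "acct-9", -6.210, 106.810),   # ~1.6 km in 10 min: plausible
    (200,  "dev-C", "acct-7", -6.200, 106.800),
    (260,  "dev-C", "acct-7", -7.250, 112.750),   # hundreds of km in 60 s
]

def haversine_km(lat1, lon1, lat2, lon2):
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371 * math.asin(math.sqrt(a))

def devices_rotating_accounts(events, max_accounts=3, window_s=86400):
    """Devices that used more than max_accounts distinct accounts in any window."""
    by_device = defaultdict(list)
    for ts, dev, acct, _lat, _lon in sorted(events):
        by_device[dev].append((ts, acct))
    flagged = {}
    for dev, rows in by_device.items():
        start = 0
        for end, (ts, _acct) in enumerate(rows):
            while ts - rows[start][0] > window_s:   # slide the window forward
                start += 1
            accounts = {a for _, a in rows[start:end + 1]}
            if len(accounts) > max_accounts:        # assumed threshold
                flagged[dev] = accounts
                break
    return flagged

def implausible_jumps(events, max_speed_kmh=150):
    """(account, timestamp, km/h) where consecutive pings imply impossible speed."""
    last, hits = {}, []
    for ts, _dev, acct, lat, lon in sorted(events):
        if acct in last and ts > last[acct][0]:
            pts, plat, plon = last[acct]
            speed = haversine_km(plat, plon, lat, lon) / ((ts - pts) / 3600)
            if speed > max_speed_kmh:               # assumed plausibility ceiling
                hits.append((acct, ts, round(speed)))
        last[acct] = (ts, lat, lon)
    return hits
```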
Tackling fraud is no easy feat because it can come with grave consequences. Losing out on bigger GMVs, protests, and death threats are examples of the cost. For instance, Foo shared an anecdote with us that Grab had many internal arguments on tackling fraud vs compromising GMVs. But ultimately, Anthony Tan took a firm stand early on saying that sustainable business is key.
As the sharing economy moves outside ride-hailing into other verticals like food and payment, fraud has moved on from a two-sided interaction involving drivers and passengers to a three-sided interaction involving merchants as well.
In a world of adversarial attacks, companies that do better at adapting and increasing the cost of fraud will generally keep syndicates and fraudsters away.
Momentum Works’ view is that it takes several enablers in an ecosystem to thrive. So it all boils down to the stand companies take and the rigour with which investors and other stakeholders hold businesses accountable.
Ultimately, if fraud is not tackled effectively and the company does not take a firm stand in the beginning, the situation could become much harder to clean up and the company will risk losing much more through a simple mistake/glitch being exploited later on.
In the meantime, the mantra common across any industry – “tackling fraud is not about outrunning the bear, it’s about outrunning the slowest guy” – is still relevant today.