Problems of shopper fraud


When we think of the average mystery shopper, we think of a gig worker: someone who wants to earn money, but is not able to take on traditional full time employment (or, perhaps, someone who has a full-time job but wants to supplement their income).  Many Presto shoppers fit this profile.  They appreciate the value of this form of gig work, and they understand that it is in their best interest to conduct their shops in an ethical and professional manner.  This means:

  • Complying fully with shop requirements
  • Providing data that is accurate and completely
  • Maintaining client confidentiality at all times
  • Interacting with the mystery shopping company in a professional manner


Mystery shopping also attracts people who:

  • Are in a cash crunch and desperate for quick money
  • Don't understand the difference between mystery shopping reports and feedback surveys ("my friend told me that I can make money by filling out surveys")
  • Are unable to get hired because of a spotty employment history
  • Lack skills required for most jobs
  • Are grifters and scammers, completely uninterested in doing honest work

In short, mystery shopping fraud happens for a variety of reasons, ranging from ignorance to carelessness/laziness to deliberate intent.  Likewise, the tools and methods needed to counter fraud have to consider the various fraud methods and motives.  


Second line of defense: what the MSP sees


MSPs are responsible for making judgment calls on shop issues that can't be programmatically identified as fraudulent.  These include the following:

  • Shopper not at the shop location.  Presto's checkin feature requires the shopper to obtain a geocode before they can fill out the shop report.  We do not prevent the shopper from filling out the report if the shopper is far away, because we cannot know how far is "too far" for this project, and because of the limitations of location services: it is not always possible to get a high accuracy location.  Presto flags locations that are not close to the shop location and highlights possible issues in Review view, but it is up to the mystery shopping company to review the shop and decide if it is acceptable.
  • Duplicate photos.  Like SASSIE's PhotoDNA, Presto scans photos on completed shops and flags any that are duplicates of other images on the media server.  These alerts show up in Review view. The MSP must decide if a duplicate photo can be accepted.
  • Far away from other shops at the same IP.  If a shopper completed a previous shop at the same IP address that is a significant distance away, this may or may not represent a problem.  The MSP is presented with a notification with the distance and date of the other shop in Review view, and must decide if this is an issue.
  • Reviewing additional shops by this shopper. When looking at a shop in Review view, a link appears that goes to any other shops completed by this shopper for this company. These shops can be reviewed to see if there is a pattern of problem behavior.
  • Claims vs. completions. Using the filters on the Results -> Shops page, the MSP can see all shops ever claimed by this shopper and their statuses. This lets the MSP see at a glance if the shopper has a high percentage of rejected or abandoned (flaked) shops.
  • Blocks on other programs.  Presto provides tools for MSPs to block shops on individual programs or for all of their programs. Checking to see if the shopper has been blocked on another project (and why) can indicate if this shopper's shops should receive extra scrutiny.


In terms of prevention, MSPs can take additional action to control the availability of their shops.  While some MSPs believe that Presto's self-assign system means that they have no control over who can claim their shops, in reality Presto shop assignments can be as open or as restricted as the MSP wishes.  These include:


Outside of Presto, there are additional tools that the MSP can use if fraud is suspected:

  • Image analysis. This includes checking the image size for an unusual aspect ratio (which can indicate that the image has been cropped), reverse image search (to find images that have been downloaded from the web), and scrutinizing the image for indications that it has been altered (for example, changing information on a receipt photo).


First line of defense: fraud deterrence and prevention


The tools available to the MSPs are mostly reactive: a second line of defense.  The first line of defense is fraud deterrence and prevention.  Internally, Presto has many fraud deterrence and prevention tools and techniques that are designed to detect, deter, and ideally prevent fraud.  These have evolved significantly over time.  

  • Ubercookies and IP addresses.  Presto uses a tracking mechanism called the "ubercookie". Logging to Presto (or most websites) establishes a "session"; the unique identifier for that session is stored in a web browser cookie that is associated with the Presto server (host).  The ubercookie is simply another, separate, unique identifier that is stored in a separate web browser cookie that is also associated with the Presto server (host). The difference is that when you log out (or switch accounts), your "session" cookie is cleared, but your uber cookie is not.  Unless the user explicitly clears it (which is not difficult to do, but you have to know how), the ubercookie persists across sessions.  This allows us to make some loose associations between different Presto accounts if they happened to use the same browser with multiple logins.   Internally, Presto monitors shopper accounts and notifies Presto Support if a shopper account is created or updated and the ubercookie of that event matches other events with a different shopper. Presto Support can thus proactively block shoppers who create duplicate accounts.
  • PayPal anomalies.  The large majority of Presto payments use PayPal, and are sent to the email address of the shopper's Presto account. Using PayPal tracking tools (and a fair amount of manual reconciliation), we can identify cases where the payment is redirected to a different email address, which helps us identify potentially duplicate accounts.
  • Presto collection of W9s.  Presto has always collected W9 information, as required by the IRS for tax reporting. Prior to 2025, this was done through third party provider Track1099 and a tedious manual process for ensuring that a W9 was entered. This process was far from error-free, with not even basic syntactical checking of W9s (thanks, Track1099), and no IRS verification.
    In January 2025, we released the Payz feature that allows us to collect W9 data directly from shoppers. Since this collection takes place within Presto, we were able to completely enforce compliance: if a shopper did not have a W9 on file, Presto would automatically block them from claiming shops. In addition, we were now able to perform a few basic checks based on the following criteria:
    • Syntactically incorrect tax ID (wrong number of digits, number out of range for tax ID type, using restricted ranges)
    • Name and address matches another shopper account
    • Tax ID number matches another shopper account

Collecting W9s initially allowed us to stop the more lightweight fraudsters: those who would commit fraud, but are intimidated by the idea of falsifying a legal document.  By collecting them in house, we were able to enforce compliance with filling out a syntactically valid W9.  In addition, W9 collection allowed us to spot and automatically block shoppers who create duplicate accounts and enter the same tax ID information (sometimes innocently, but often as a way of getting around MSP shopper blocks or shop limits).
W9 collection still had its limits.  We did not require shoppers to file a W9 until they already had earnings of $200, making it possible for a fraudster to earn up to $200 before they hit the limit.  If they had been detected and blocked by the MSP, they could simply create another account, shop until they were required to fill out a W9, then create another account, do more shops, lather rinse repeat.  The ubercookie check helped us to spot these, but was not perfect.  

  • "Valid W9" qualification.  In April 2025 we released a global shopper qualification that can be applied to any Presto batch, and that requires shoppers to have submitted a valid W9 in order to claim a shop.  At the time this was released, this meant only that the W9 passed the "low-hanging fruit" tests described above.  This still had the effect of filtering out lightweight fraudsters.  More to the point, it gave MSPs the ability to place this as a requirement on their batches.  Now, rather than having to wait until a shopper had earned $200, an MSP could require all shoppers to submit a syntactically correct, non-matching W9 before they could claim shops.  
  • IRS verification of W9s. We began to submit W9s to the IRS for verification in August 2025. Initially this was done manually, as we worked through the backlog of unverified W9s that were already submitted by shoppers. In early November we began to submit W9s for verifications whenever a W9 was entered or updated. If the IRS returns a failure (name and number do not match, tax ID has not been issued), the shopper's account is automatically blocked.
    Together with the "Valid W9" qualification, IRS verification means that a shopper cannot claim even a single shop until they have entered a W9 that is verified by the IRS. This combination of features means that all but the most dedicated fraudsters were shut down.
    Unfortunately, we have encountered at least one truly dedicated fraudster, who is apparently willing to break multiple laws in pursuit of fraud. This evidently includes acquiring stolen tax IDs and using them to enter W9s in Presto. We believe this is an individual with a long history of claiming shops and flaking on them in order to drive up shop fees. As these accounts were blocked, this individual may have shifted their strategy from trying to make money to trying to disrupt the business of Presto and our partners (specifically Ipsos). We do not have any ability to detect if a W9 actually belongs to the person using an account, so we had to come up with another method to try and detect this kind of fraudulent activity.
  • Molasses trap.  Most Presto projects (and nearly all Ipsos projects) use qualifications: not just the "Valid W9" qualification, but also quizzes to determine if a shopper has the knowledge required to complete the shop (see Shopper Qualifications). If a shopper answers the questions correctly, they are automatically granted the qualification and can claim shops for the project. The goal is to require the shoppers to actually read the shop guidelines and demonstrate that they understand them. Thus, if a shopper is acting in good faith, they will not be able to complete the qualification test successfully in just a few seconds. If a shopper already knows the answers, however -- for example, if they have already taken the quiz using a different account -- they will complete the qualification quiz very quickly, be granted the qualification, and immediately claim shops.
    Using this pattern, we created a feature called the "molasses trap". This feature allows us to configure a qualification test so that if a user completes it in less than a certain period of time, they are placed in a "claim limited" table. Shoppers in this table are limited to a single shop claim at one time. This minimizes the disruption that such a shopper can create, while minimizing the risk of false positives.
    When the molasses trap was released, we initially added the qualification quiz for Ipsos' Shell program to the "molasses trap" table, setting it up so that it would "trap" any shopper who completed the qualification test in less than ten seconds.  This program had been extensively targeted by our fraudulent friend for over a year.  We notified Ipsos of this new feature and asked them if they wanted us to add additional qualifications, and added the XOM qualification at their request.  42 accounts were trapped by this feature, and then the fraudulent shopper seemed to go away.  
  • W9 details and revision history.  Since we began collecting W9s from shoppers, Presto Support has had an internal page to view some basic information about the information entered by the shopper. Two releases in October and December added additional information: shopper legal name, business name, TIN type, and revision history of name and tax ID (showing last four digits of the tax ID). This makes it easier to detect if a fraudulent shopper is attempting to use a stolen tax ID, as they try different versions of the name or business name (sometimes radically different).
  • Suspicious user report.  On December 19 Presto released the Suspicious User report, an internal tool that identifies recently created shopper accounts whose activity indicates that they should get a closer look.  Accounts are flagged if they claim their first shop within a30 seconds of when they created their account, or if there is a short time between successive shop claims.  Using this tool, we immediately noticed new accounts that showed a pattern of behavior that matched our fraudulent shopper found another program to target: the Ipsos Smartphone Recommendation shops. This problem could have been addressed by adding the Smartphone Recommendation qualification to the molasses trap -- but Ipsos had not created any such qualification.  The shops for this program were available through public batches with no qualification except for the "Valid W9" qualification, which was only applied to less than half of the batches.  We notified Ipsos and urged them to create a qualification quiz, apply both that qualification and the "Valid W9" qualification to all batches, and allow us to place the new qualification in the molasses trap.  As of now, we are still waiting on action from Ipsos.


What to do (and not do) if an MSP wants to know what we're doing about fraud

  • Don't simply copy and paste the contents of this article.  This article is for internal use only, and contains more details than we share with MSPs.  
  • Calm them down.  Shopper fraud is not a new issue, and all MSPs should be aware of it.  It is a fact of life in this industry that some shoppers will attempt fraud (see the first section of this article for specific examples that you can provide to the MSP).  Reassure them that although shopper fraud happens, Presto provides a strong suite of tools to detect and prevent shopper fraud as much as possible, and that the Presto Support team is always watching for fraudulent activity.
  • Get context.  Ask about the concern that is driving this conversation.  
    • Is their concern about a specific incident, or is it more general?
    • Is this concern driven by a client who wants reassurance?  If so, what specific concerns has the client raised?
  • Gather information:
    • Why do they think fraud is happening?  What indicators have they seen?
    • What typeof fraud do they believe is happening?
      • Shopper falsifying photos or receipts?
      • Shopper misrepresenting their demographics (usually age, in order to get compliance shops)?
      • Shopper creating multiple accounts in order to circumvent blocks or shopper shop limits?
      • Shopper taking actions (typically flaking) that are intentionally or unintentionally disruptive to a program?
    • What specific shopper accounts are involved?
    • Is there a specific program where this is happening?  
    • Are there specific locations where this is happening?
    • Is the MSP using the "valid W9" qualification and a knowledge-based qualification to secure their project?
    • What process is the MSP using to detect fraud?
      • Are they aware of the tools that we provide them with (see "Second line of defense", above)?
      • How are they reviewing their shops?  Are their reviewers paying attention to:
        • "Far from shop location" shops
        • Duplicate photos
        • Photos that appear to be cropped or altered
    • Have they checked to see if this shopper is blocked on other programs?  Have they blocked the shopper from the programs where they believe fraud is taking place?
    • Have they contacted Presto Support with the information above?
  • Contact the Presto team re: specific incidents. Generally, MSPs report cases of suspected fraud to Presto Support, so it may be the case that the issue has already been dealt with, or at least that the Presto team is aware and working on the problem.  To avoid duplication of effort, contact the Presto team to find out what has already been done to address the issue.
  • Respond appropriately.  Any response should recognize that shopper fraud is not a problem that is caused by Presto, nor is it a problem that Presto can entirely eliminate.