When Bots Look Human: A Master Class in Marketplace Trust

Recently in San Francisco, I had the privilege of moderating a session at the Marketplace Risk Management Conference with some incredibly insightful practitioners. The session, “When Bots Look Human: Rebuilding Trust Across the Marketplace Transaction Journey,” turned out to be a candid, no-nonsense conversation between two trust & safety leaders who are living these challenges every single day.

I was joined by Kristin Kupiec (Manager, Critical Investigations & LERT at DoorDash) and Garrett Olson (Head of Insurance & ER at Wolt) for in-depth insights into hard-won perspectives. What was most evident was how aligned Kristin and Garrett were on the big themes, even though they operate across very different geographies and regulatory environments. Together, the session amounted to a master class in how modern marketplaces balance fraud prevention with seamless user experience. Here's what I took away.

‍

‍

Bots aren't at the front door anymore

The first thing we established is that the threat landscape has fundamentally shifted. Fraudsters have moved well beyond the login screen. At Wolt, the promotion space and customer support channels are now prime attack surfaces, with AI-generated actors gaming refunds, abusing offers, and creating budget pressure that's hard to quantify. At DoorDash, telephone bots and identity bots are probing every entry point the company offers.

These are not necessarily new threats, but they’re becoming far more prevalent, and it’s forced us to reshape how we think about the perimeter. For a long time, the assumption was that strong onboarding verification was sufficient. It isn't. The attack surface is the entire transaction lifecycle, not just sign-up.

Point-in-time verification is no longer enough

Both panelists were emphatic on this. Wolt has observed continuous fraud instances even after initial identity verification, meaning that passing a check at onboarding tells you very little about what that account will do six months later. Their response has been to segment, model, and build continuous fraud detection that captures data points across the user journey. Crucially, reverification (re-checking identity at meaningful moments in the lifecycle) has matured significantly over the last 12 to 24 months and is now being deployed globally.

Other marketplaces are in a similar position. They often feel six steps behind the bots, but that’s not a failure; it's an honest description of the arms race every major platform is in. The approach has been to capture fraudsters in the act, study their patterns, and use each incident as a model-building trigger. The question they ask themselves: how do we turn a fire into a key signal that prevents the next one?

One specific trend both companies flagged was a major uptick in false image fraud tied to refund requests. Fraudsters are submitting fabricated images to claim refunds at scale, individually and in coordinated campaigns. Combating this has required significant investment in policy, process, and detection tooling.

Making the business case for trust infrastructure

This is often the hardest conversation internally, and we spent meaningful time on it. The challenge: trust erosion is notoriously difficult to put a number on. How do you quantify something that hasn't happened yet?

Wolt's approach is to measure the silence after an incident: did the fix hold? Did the attacks stop? That post-incident quiet is itself a metric. They frame platform integrity not as a cost center but as the foundation for future investment conversations.

DoorDash focuses on turning security incidents into success stories. If a post-mortem ends without clear action items, it's not a win. They track losses, map triggers, and frame the ROI in terms that finance understands; essentially a P&L framing versus an insurance cost framing: how much did we save, not just how much did we spend?

Regulation is table stakes, but it still ties hands

Both panelists operate across multiple jurisdictions, and the regulatory environment (GDPR, the EU's Digital Services Act, Australia's emerging frameworks, and various US state rules) came up as a genuine operational challenge. The key tension: regulations are often designed to protect users, but in practice they can constrain the very signals that fraud prevention relies on.

Wolt's philosophy is to build compliance in from day one. Security and fraud prevention by design, not as a retrofit. When you treat these regulations as table stakes rather than obstacles, you build systems that are both compliant and resilient. DoorDash is working hard to shift from reactive to proactive every day, though they were honest that certain markets, particularly Australia, remain especially challenging.

Deepfakes, law enforcement, and the bigger picture

The Q&A surfaced a timely question: with India considering the criminalization of deepfake fraud, how should marketplaces be thinking about their role? Both panelists were aligned: work as closely as possible with law enforcement and financial regulators. Marketplaces should not be in the business of enabling bad actors, and building those institutional relationships before a crisis is far better than scrambling during one.

The final exchange of the session was perhaps the most insightful. An audience member asked how to get internal buy-in for proactive fraud investment, noting it's always easier after something has already gone wrong. Garrett's answer was spot-on: it comes down to risk appetite and unit economics. Find the right moment in the budget cycle, quantify what you can, and be honest that quantifying future losses will always feel uncomfortable. Kristin's response was simply: "perfect answer."

Rebuilding marketplace trust

At Prove, we spend a lot of time thinking about how identity infrastructure can serve as a continuous layer of trust, rather than just being a gate at sign-up. What Kristin and Garrett articulated so well is that the industry is converging on exactly that philosophy. The platforms winning the fraud fight are the ones building continuous, intelligent checks across the entire user journey, with the data models and internal champions to back them up.