When Techpoint Africa published their investigation into Glovo and Chowdeck’s vendor onboarding process on 7 May 2026, the comment sections did something interesting. Alongside the outrage at the platforms, a quieter argument emerged. Readers pointed out that the piece had just published a working blueprint for fraud, the TIN format to use, the exact gap in Glovo’s verification process, the Chowdeck restricted-access loophole that lets unverified vendors trade. Some went further: the TIN the investigation created using random numbers probably matched a real company’s. The stolen menu photos came from a real restaurant’s Instagram. The impersonation worked so cleanly that the investigation itself looked like a tutorial.
That reaction deserves to be taken seriously. Not because Techpoint did bad journalism, they didn’t. But because the concern points at something real that the investigation couldn’t resolve on its own.
A Fake Restaurant, A Real Order
To understand what the comment section was reacting to, it helps to understand exactly what Techpoint Africa’s Sarah Laniyan found.
The investigation started with Corporate Ewa, a popular Lagos food brand. Corporate Ewa raised concerns about unauthorised listings bearing its name and branding on Glovo, saying it had never registered or operated on the app, despite receiving repeated customer complaints about poor-quality, incorrect, or unsafe meals ordered through the platform. The complaints had been going on for over a year. A customer named Adenike Ruth ordered from a Glovo listing under the Corporate Ewa name and became ill. She took two days off work and nearly got hospitalised. Corporate Ewa’s lawyers wrote to Glovo formally in October 2025. The listings stayed up.
Techpoint’s response was to test the system. Their reporter created a fake restaurant on both platforms using fabricated documents; a made-up TIN formatted to look like a real Nigerian tax ID, a false CAC document using the RC number of a company with a similar name, and menu photos lifted from a real restaurant’s Instagram page. Glovo didn’t cross-check the TIN against the Nigeria Revenue Service portal or the CAC register, both of which are publicly accessible databases. A physical Glovo device arrived within a week. Onboarding training followed. The fake restaurant went live. An order was placed and fulfilled. Glovo declined to comment when contacted.
Chowdeck caught the mismatch between the business name and the CAC number and rejected the document. Then let the store trade anyway, under a restricted-access provision designed for small businesses still formalising their registration. Within ten minutes of completing onboarding, a Chowdeck dispatch rider showed up and fulfilled an order.
The Part That Made People Uncomfortable
Here’s where the comment section concern becomes legitimate. The investigation established, in documented, step-by-step detail, that you can register a fake restaurant on Glovo with a made-up TIN in a format anyone can replicate, using photos from any restaurant’s public Instagram page, pay a ₦20,000 activation fee, and have orders delivered within a week. It also established that Chowdeck’s restricted-access provision, a genuine attempt to serve small informal businesses, functions as an open door for anyone willing to accept a daily payout cap.
None of that information was secret before the investigation. The platforms’ lax verification was already happening, as Corporate Ewa’s months of unanswered complaints demonstrated. But there’s a meaningful difference between a vulnerability that exists quietly and one that’s been publicly tested, documented, and confirmed to work. Fraudsters who were guessing before now have proof. The people in the comment sections weren’t wrong to notice that.
The Platforms Failed. The Gap Is Real. So Is The Risk.
Both things are true here, and it’s worth holding them at the same time. Glovo’s failure to cross-check a submitted TIN against a free, publicly accessible government database is genuinely indefensible. A platform that has onboarded over 6,000 vendors and generated ₦71 billion in revenue for Nigerian businesses has the resources to run basic verification checks. Chowdeck’s restricted-access provision is well-intentioned, and the right instinct for an informal market, but a loophole that allows any vendor to trade until daily payouts hit ₦100,000 without verified documentation is a loophole by any other name.
The investigation was the right call. The findings needed to be public. And in a market with a functioning regulatory body positioned to respond quickly, that kind of disclosure creates pressure for rapid reform. Platforms patch the gap, regulators issue guidelines, and consumers are safer within weeks.
Nigeria’s food delivery sector is not that market.
Who Is Actually Responsible Here?
Nigeria has no regulatory framework specifically governing food delivery platforms. The Federal Competition and Consumer Protection Commission has broad jurisdiction over consumer protection in digital markets under the FCCPA 2019, but has not issued any framework specific to food delivery. NAFDAC’s food hygiene regulations govern food-handling establishments, but the agency’s mandate does not extend to the platforms that list them.
That fragmentation matters more after an investigation like this one than it did before. In India, the Food Safety and Standards Authority holds delivery companies accountable for the food they deliver, requiring restaurants to accurately label food packaging with ingredients, allergens, manufacturing and expiry dates, and nutritional data. In China, the biggest food delivery platforms were recently fined 3.6 billion yuan, approximately $528 million, after thousands of ghost vendors were found operating with forged licences and no physical locations. The enforcement happened because the regulatory mandate existed. Nigeria’s doesn’t.
In that environment with no watchdog, no mandatory disclosure requirements, and no enforcement mechanism, the timeline between a published vulnerability and a regulatory response is measured in months, sometimes years. Bad actors work on a different timeline entirely.
The commenters who pushed back on the investigation weren’t arguing that Glovo and Chowdeck should be let off the hook. Most of them understood the platforms failed. What they were really saying, underneath the frustration, is that something felt unresolved. That exposing a gap without a mechanism to close it quickly leaves the gap open, just better advertised.
That’s not a criticism of investigative journalism. It’s an observation about what investigative journalism runs into when the institutions that should respond to it aren’t ready. The platforms need to fix their verification processes immediately. The FCCPC and NAFDAC need to stop treating food delivery as someone else’s problem. And until those two things happen, every investigation that confirms a fraud vulnerability in this sector is doing two jobs at once: informing the public and, unintentionally, informing the people the public needs protecting from.
