By: James Hunt, Payments SME at Feedzai
The buy now, pay later (BNPL) market has boomed because it offers consumers flexible payment options. Indeed, merchants also appreciate the BNPL model as it allows them to increase sales and opens new opportunities to sell expensive or high-end products to more customers willing to pay over time. However, consumers and merchants aren’t the only ones falling in love with BNPL platforms; bad actors have become smitten, too. Cybercriminals are taking advantage of BNPL platforms to commit fraud.
The global BNPL market is on track to reach a transaction volume worth roughly $680 billion USD by 2025, according to research. In the UK late last year, it was reported that 17 million people had already used BNPL services. Data also suggests that BNPL is used by 25% of eCommerce customers and available from approximately 20,000 merchants. Recent transactions were valued at £6.4 billion, or 5% of the eCommerce market.
And with increasing household costs, consumers are even turning to BNPL programmes to cover energy costs. As BNPL becomes commonplace, it’s important to understand how platforms are vulnerable to fraud and work to keep them secure.
Ways Fraudsters Target BNPL Platforms
Cybercriminals typically rely on two key tactics when setting their sights on BNPL platforms. Firstly, fraudsters use synthetic ID fraud during the BNPL platform account opening stage. They create a fake profile using a combination of real and fictional pieces of information, such as identification documents, addresses, national insurance numbers, and more. After building a synthetic identity, fraudsters then use BNPL to buy goods with someone else’s personal details or payment information. Once they obtain the goods, they’ll simply disappear leaving the customer or the merchant to foot the bill.
And secondly, some criminals play the long game to defraud a BNPL user with account takeover fraud. This involves finding individuals with strong credit ratings who have taken out a BNPL loan. Fraudsters use account takeover (ATO) attacks to assume control of the account and purchase more expensive items using the real customer’s strong history with the BNPL provider.
Affects of BNPL Fraud on Merchants
BNPL fraud affects merchants who partner with BNLP providers in two main areas:
Merchant reputation. If a customer is defrauded via a BNPL service offered by the merchant, they are very unlikely to do business with the merchant again. What’s more, the defrauded customer is likely to share their experience with their friends, family members, and followers on social media. This scenario raises serious questions over whether merchants are capable of protecting their customers and their personal information.
Financial repercussions. While most merchants will not have to pick up the cost of chargebacks for fraudulent transactions, they will have to address the issue with their BNPL provider. Many BNPL providers have clauses in their merchant agreements tied to security breaches. This means merchants could find themselves picking up the cost of the fraudulent transaction.
Despite this, BNPL is on track to grow and significantly evolve in the coming years. The market is also seeing a rise in consolidation with some acquirers, payment service providers (PSPs), and even banks purchasing BNPL providers. Meanwhile, some banks have launched their own in-house BNPL services to accommodate customers. These developments indicate the BNPL market is in a very fluid state and poised for more evolution in the coming years.
Security Tips
With the ongoing evolution of BNPL platforms, there are several steps that both BNPL platforms and merchants can take to keep their transactions secure.
Monitor for data inconsistencies. This is especially important during the account opening stage. BNPL platforms and merchants should review data from a wide range of sources and make sure the provided information makes sense. For example, is the submitted phone number associated with a different user? Does the provided information match the customer’s credit file? Reviewing the provided data for inconsistencies is a critical step in minimising the effects of synthetic ID fraud.
Consider device behaviour. This can be an especially critical step to reducing the risk of BNPL platforms and merchants being targeted by ATO attacks. Look at the user’s device and the geolocation of where the account is logged into. If this appears abnormal, it is a big red flag. But don’t stop with geolocation. Also consider how users hold and use their devices. For example, are they holding it in portrait position instead of using landscape like they normally do? Are they interacting with their screen in an unusual way? These factors can build a clearer picture of whether the user really is who they claim to be and play a critical role in stopping a potential ATO attack before it reaches the transaction stage.
Understand the consumer’s lifecycle. Of course, the account opening stage is critical to determining a customer’s risk level, but it’s not the final stage. BNPL platforms and merchants should continue to monitor the customer’s risk level throughout the entire span of their relationship. Instead of treating the customer’s risk assessment as a one-and-done or annual task, BNPL platforms and merchants should continue to monitor their customers’ risk level and watch to see how different events change their overall profile.
Know that BNPL platforms are gaining in popularity and therefore, like all payment mechanisms, they will also be targeted by cybercriminals looking to take advantage of security gaps. Regulations will inevitably add new requirements for how these platforms operate; however, there’s no better time than now to get ahead of both fraudsters and regulators by taking these steps now to keep these platforms secure.