How Fraudsters are Exploiting Buy Now, Pay Later Providers

“Buy Now, Pay Later” (or BNPL) schemes are instant approval loans given at the point of sale on eCommerce websites. They are commonly seen on fashion websites, where shoppers are offered the chance to buy products right away and split the payment for their items over several months.

Taking the FinTech world by storm in recent years, well-known BNPL providers include Klarna, Clearpay, Laybuy, Payl8r, Afterpay and Affirm. Even giants like Amazon and PayPal have jumped on board, offering zero-credit payment deferment options of their own.

In this post, we’ll find out why these services are gaining popularity, how they are being exploited by fraudsters and what can be done about it.

Why is BNPL becoming so popular so quickly?

The popularity of “Buy Now Pay Later” is undeniable, as it has been the fastest-growing online payment method in the UK for the past two years. £9.6 billion was spend by over 10 million BNPL users in 2020, and this is set to increase to £26.4 billion by 2024, by which time it will account for 10% of all UK eCommerce sales.

What sets these lenders apart from banks and credit cards is they are incredibly convenient for consumers, making them very appealing to millennials especially.

Paying via a BNPL provider is no more trouble for consumers than making a regular card payment on the checkout page. Unlike credit cards or payday loans, there is no credit check or approval process. The ability to spread the cost of desirable items such as clothes, sneakers and electrical goods over several small monthly payments is appealing to consumers, as they can increase their buying power and get their hands on products without worrying about going into their overdraft or over their credit card limit.

BNPL is also beneficial to merchants, who get paid in full for items directly by the BNPL provider as soon as the purchase is made. The benefits to consumers pass on to the merchants, who enjoy better conversion rates, larger baskets and less cart abandonment. They can also shift the sometimes-costly burden of handling payments to the BNPL provider, and any chargebacks become the responsibility of the BNPL provider, not the merchant.

All this adds up to success for the providers themselves, who make the bulk of their money from commission on each sale, as well as charging interest to consumers who fail to keep up with repayments.

How BNPL is being exploited by fraudsters

Paying via “Buy Now, Pay Later” is easy – so easy, in fact, that it’s a perfect attack surface for fraudsters.

As with any business logic (the checkout process being a prime example), the easier merchants make it for the consumer, the more risk there is that the process can be exploited by bad actors using automation.

The BNPL payment process is certainly no exception to this, exposing BNPL to threats like high volume scalping and fraudulent payments.

The use of stolen credit cards is most common and damaging. Illegally obtained card details can be bought on sites like the Genesis Market and then used to verify BNPL agreements. The deferred nature of the payments makes the transactions harder for the rightful card owner to spot, but once they do report the theft, the BNPL provider becomes liable for chargebacks to the credit card. This adds up to huge losses for BNPL businesses.

Card crackers can also take advantage of the fact BNPL transactions don’t require a credit check or approval to make a small payment, verify the validity of stolen or partial card details, and then go on to make bigger purchases elsewhere.

BNPL providers also offer benefits like higher spending limits to regular users. This, and the fact many providers are accepted by so many merchants, puts such accounts in the firing line of account takeover (ATO) attacks. Crooks can use tools like known password lists and credential stuffing bots to brute force their way into BNPL accounts, before making big purchases on a variety of different retail sites or selling established accounts on.

BNPL is also vulnerable to synthetic fraud, in which a criminal will use some real elements of a stolen identity – sometimes even using a child’s name – and fabricate the rest to pass the less stringent checks of BNPL providers. Once the deception is uncovered, it is very difficult for a BNPL provider to track the fraudster based on this faked information.

How to stop BNPL fraud

With the obvious benefits of offering “Buy Now, Pay Later” options to their customers via a third party, most merchants are unlikely to diminish their ease of use, although this would reduce the risk of fraud by making automated threats less viable. It’s unlikely that merchants or providers will add checks or additional steps to the current process unless enforced by regulation, which is not due to be imposed by the Financial Conduct Authority until at least late 2022.

Instead, BNPL providers need a frictionless, invisible defense against fraud. Many attack types rely on volumetric automated bot requests that can flood payment systems and wreak havoc on infrastructures. Others use a “low and slow” approach, distributing their fraudulent requests across multiple IPs, data centers and geolocations to avoid detection.

However, advanced machine learning and AI can look beyond these easily spoofed points of origin to track bots based on one thing they can’t hide – their intent.