Fraud Prevention

Buy Now, Pay Never: The Rising Concern of BNPL Fraud

December 2, 2021 (5 min read)


Fraudsters are finding faster and more sophisticated ways of taking advantage of increasingly popular Buy Now Pay Later (BNPL) services, where consumers can access credit on interest-free installments. It is becoming harder and harder for BNPL providers to fight BNPL fraud.

BNPL services received a boost during the pandemic, as many people were facing financial hardships. BNPL made it easier for customers to stagger their payments over a defined duration, without the need for a credit check or paying any additional fees. This allowed them to access low-value loans and continue shopping without burdening their monthly budgets.

Consumer interest in BNPL is on an upward trajectory, with nearly 27% more consumers using the service in 2021 as compared to 2020. It is also estimated that by 2030 the global market for BNPL will likely reach $3.98 trillion, growing at a compound annual growth rate (CAGR) of a whopping 47% between 2021 and 2030. Naturally, fraudsters are quick to take note and look for opportunities to make money.

The BNPL Provider’s Conflict

Payment methods are top targets for eCommerce fraud, and the popularity of BNPL has opened up new avenues for fraudsters to exploit. BNPL providers are known to provide instant credit, which makes it critical for them to strike a fine balance between user experience and customer protection. However, since they rely on multiple third parties for the data that powers their own internal evaluations, their operations become vulnerable to abuse.

Fraudsters often look for the path of least resistance to orchestrate their attacks. As a result, they are quick to take advantage of any misconfigurations in the infrastructure, the lack of a credit inquiry, and lacunae in the BNPL scoring code, and they even resort to intercepting SMS-based validation codes to game the BNPL platforms.

Fraudsters generally rely on new account registration and account takeover to manipulate BNPL providers, as frequent incidents of data breaches are making it easy to manipulate these entry points.

  • New account registration:

    Arkose Labs has found that fake new account registration comprised over one-third (36.3%) of attacks detected in 2021, an increase of over 70% from the end of 2020. Combining bits and pieces of stolen customer details with fictitious data, fraudsters can create synthetic identities that are used to register fraudulent accounts at scale. Access to a default line of credit with a new account provides fraudsters with the opportunity to make multiple purchases using compromised credit card details.

  • Account takeover:

    Using automated credential stuffing, fraudsters try to hack into genuine user accounts so they can leverage the good transaction history to strike big. According to the Arkose Labs report, logins are the top abused touchpoint with an attack rate of over 37% in 2021. Fraudsters are increasingly using account takeover to target high-worth and credible accounts to take out loans with no intention of repaying them.

Fraudsters also understand that BNPL providers have only a few seconds to approve purchases. They use this knowledge to make big-ticket purchases and escape with the loot, leaving behind a provider that must settle chargebacks and other transaction costs, and a victim who suffers damage to their credit score and must make efforts to restore their digital identity.

To protect their business interest and customers from potential fraud, BNPL platforms are using fraud defense solutions. However, most fraud solutions add friction, which can mean additional steps for onboarding. This may cause consumers to lose patience and give up – an undesirable proposition for BNPL providers.

Step Up Vigilance at the Entrance and Fight BNPL Fraud

Instead of scouting the business ecosystem looking for fraudsters, BNPL providers need to step up vigilance at the entry gates to ensure only good users are allowed in. That said, they cannot simply block any suspicious user based on ‘trust’ or ‘mistrust’ signals, as the manipulation of digital identities and the evolution of consumer behavior mean these signals increasingly fall in a gray area. Being overcautious can filter out potential revenue-generating customers, which is detrimental to business interests.

BNPL providers need a fresh approach to tackle this challenge. They need long-term protection that also makes them resilient to evolving attack tactics, without consumers having to face disruption in their digital interactions. Arkose Labs understands the dilemma BNPL platforms face and offers a solution that goes beyond mitigation.

Fraud Deterrence with Arkose Labs

The Arkose Labs solution is API-based and can integrate seamlessly with the partner’s existing infrastructure. This eliminates infrastructural vulnerabilities created due to multiple interfaces with third parties for data. Arkose Labs then shifts the attack surface onto its own network and challenges suspicious users. Real-time risk assessment leverages advanced machine learning models and hundreds of digital forensics parameters to inform the challenge-response mechanism, which presents an appropriate 3D challenge to the users.

Good users usually do not encounter these challenges, and those who do find them fun and continue with their onward journey unhindered. Bots and scripts, however, instantaneously fail these challenges. Human bad actors who refuse to give up face a stream of challenges that keep increasing in number and complexity, which wears them out and wipes out any chance of economic returns from the attack. This forces them to give up on the attack and move on.

BNPL is an emerging revenue stream and if you are a provider looking to learn more about fraudsters’ modus operandi and effective ways to protect your business, hear the industry experts discuss this pertinent topic in the session ‘Fintech Fraud and the Rise of Buy Now Pay Later’ of our summit, by registering here.