illustration of how fraudsters target buy now pay later (BNPL) platforms

Consumers love the buy now, pay later (BNPL) market because it offers them flexible payment options. Merchants love BNPL because it enables them to increase their basket values by opening new opportunities to sell expensive or high-end products to more customers who are willing to pay over time. The service is gaining in popularity globally, with Malaysia recently taking a significant step to ensure local BNPL platforms comply with Shariah laws. 

Unfortunately, consumers and merchants aren’t the only ones falling in love with BNPL platforms. Bad actors are also fawning over BNPL. They’re taking advantage of buy now pay later platforms to commit fraud – and have no intention to pay for their goods. 

What is Buy Now Pay Later (BNPL)?

Buy now pay later is a short-term payment model merchants offer customers to make expensive purchases. Customers pay for their purchases over several installments (usually up to four). Customers can select BNPL as a payment option during in-person or online checkout and will go through a brief approval process following a basic credit check. 

Payment plans typically last several weeks or even months. In many cases, the plans are interest-free. Under the BNPL model, customers receive their goods immediately and pay off their balance over time.

BNPL Platforms: A Market Snapshot

The global BNPL market is on track to reach a transaction volume worth roughly $680 billion USD by 2025, according to recent research. That same research found US consumers are more likely to use BNPL platforms to avoid using their credit cards or to make purchases that exceed their budget. Moreover, U.S. BNPL payments will reach $82 billion later this year.

In the UK, BNPL is also growing in popularity. Research from the UK Financial Conduct Authority (FCA) found 27% of UK adults have used BNPL services in the past six months before January 2023. This reflects a 17% increase from those who used BNPL in the year prior to May 2022.

Malaysia Prepares for Shariah-Compliant BNPL

BNPL is growing significantly in Asia, with recent data forecasting market growth of $335 billion USD by 2029.

Recently, Malaysia’s Shariah Advisory Council (SAC) took an important step by addressing Shariah compliance with BNPL platforms. BNPL has been a popular way to access money in Malaysia, but borrowers have faced obstacles due to terms and conditions that do not align with Islamic banking standards. 

The SAC’s decision aims to help Islamic banks develop and offer BNPL products that respond to strong demand for BNPL while borrowers abide by Islamic principles. The move could introduce new competition into Malaysia’s financial services market, enabling Islamic banks to release new products and services that are available from traditional banks.

As Malaysia explores the Shariah compliance of BNPL platforms, it becomes evident that security measures need to evolve to meet both regulatory and ethical standards. Merchants, as key stakeholders in this ecosystem, should advocate for robust identity verification, advanced fraud detection systems, encryption technologies, and real-time monitoring to fortify the security of BNPL transactions.

How Fraudsters Target Buy Now Pay Later Platforms

Fraudsters typically rely on two key tactics when targeting BNPL platforms: synthetic identity (ID) fraud and account takeover.

  • Synthetic ID fraud: Fraudsters use synthetic ID fraud during the BNPL platform account opening stage. They’ll create a fake profile using a combination of real and fictional pieces of information, such as identification documents, addresses, social security numbers, and more. After building their synthetic identity, fraudsters use BNPL to buy goods with someone else’ personal details or payment information. Once they obtain the goods they want, they’ll simply disappear leaving the customer or the merchant holding the bill.
  • Account takeover fraud: Some fraudsters play the long game to defraud a BNPL user. They find individuals with strong credit ratings who have taken out a BNPL loan. Fraudsters use account takeover (ATO) attacks to assume control of the account and purchase more expensive items using the real customer’s strong history with the BNPL provider.

How BNPL Fraud Can Harm Merchants

BNPL fraud affects merchants who partner with BNLP providers in two main areas.

  1. Merchant reputation. If a customer is defrauded via a BNPL service offered by the merchant, they are very unlikely to do business with the merchant again. What’s more, the defrauded customer is likely to share their experience with their friends, family members, and followers on social media. This scenario raises serious questions over whether merchants are capable of protecting their customers and their personal information.
  2. Financial repercussions. While most merchants will not have to pick up the cost of chargebacks for fraudulent transactions, they will have to address the issue with their BNPL provider. Many BNPL providers have clauses in their merchant agreements tied to security breaches. This means merchants could find themselves picking up the cost of the fraudulent transaction.

The Evolving BNPL Market

Despite these issues, BNPL is on track to grow and significantly evolve in the coming years. Some BNPL providers are shifting their offerings beyond traditional buy now, pay later models and moving into more traditional acquiring or payments services. Some are offering instant payment services instead of enabling customers to split purchases over three different payments.

The market is also seeing a rise in consolidation with some acquirers, payment service providers (PSPs), and even banks purchasing BNPL providers. Meanwhile, some banks have launched their own in-house BNPL services to stay at the top of wallet for their customers. Taken together, these developments indicate the BNPL market is in a very fluid state and poised for further evolution.

Tips to Secure BNPL Platforms and Merchants

With the ongoing evolution of BNPL platforms, there are several steps that both BNPL platforms and merchants can take to keep their transactions secure.

Watch for Data Inconsistencies

This is especially important during the account opening stage. BNPL platforms and merchants should review data from a wide range of sources and make sure the provided information makes sense. For example, is the submitted phone number associated with a different user? Does the provided information match the customer’s credit file? Reviewing the provided data for inconsistencies is a critical step in minimizing the effects of synthetic ID fraud.

Consider Device Hygiene and Reputation

This is a critical step to reducing the risk of BNPL platforms and merchants targeted by ATO attacks. Look at the user’s device and the geolocation of where they log into their account. Consider if they’re logging in from a location where they normally operate – or if they are in an unusual location. But don’t stop with geolocation. Also consider how they hold and use their device. For example, are they holding it in portrait position instead of using landscape like they normally do? Are they interacting with their screen in an unusual way? These factors can build a clearer picture of whether the user really is who they claim to be and play a critical role in stopping a potential ATO attack before it reaches the transaction stage.

Understand the Consumer’s Lifecycle

The account opening stage is critical to determining a customer’s risk level. But it’s not the final stage. BNPL platforms and merchants should continue to monitor the customer’s risk level throughout the entire span of their relationship. Instead of treating the customer’s risk assessment as a one-and-done task or something that only needs to be performed annually, BNPL platforms and merchants should continue to monitor their customers’ risk level and watch to see how different events change their overall profile.

BNPL platforms are gaining in popularity. Like all payment mechanisms, they are also vulnerable to fraud. Regulations will inevitably add new requirements for how these platforms operate. Now is the best time to get ahead of these upcoming rules by working to keep the platforms secure.