
Consumers love the buy now, pay later (BNPL) market because it offers them flexible payment options. Merchants love BNPL because it enables them to increase their basket values by opening new opportunities to sell expensive or high-end products to more customers who are willing to pay over time. Unfortunately, consumers and merchants aren’t the only ones falling in love with BNPL platforms. Bad actors are smitten too. They’re taking advantage of BNPL platforms to commit fraud, and they have no intention of paying for their goods.

What is BNPL?

BNPL is a short-term payment model that merchants offer to customers to make expensive purchases. Customers pay for their purchases over several installments (usually up to four). Customers can select BNPL as a payment option during in-person or online checkout and will go through a brief approval process following a basic credit check. Payment plans typically last several weeks or even months. In many cases, the plans are interest-free. BNPL is a form of lending, so missed or late payments can result in late fees. They can also affect a customer’s credit score.

The BNPL model is similar to lay-away programs that some merchants offer. But in a lay-away model, merchants hold onto purchased goods until the customer pays for them in full. Under the BNPL model, customers receive their goods immediately and pay off their balance over time.

BNPL Platforms: A Market Snapshot

The global BNPL market is on track to reach a transaction volume worth roughly $680 billion USD by 2025, according to recent research. That same research found US consumers are more likely to use BNPL platforms to avoid using their credit card or to make purchases that exceed their budget. Moreover, US BNPL payments are on track to reach $82 billion later this year.

In the UK, data suggests that BNPL is now used by 25% of eCommerce customers and available from approximately 20,000 merchants. Recent transactions were valued at £6.4 billion, or 5% of the eCommerce market. 

BNPL is also popular among younger age groups with 25% of platform users between ages 18 and 25 and 50% between ages 25 and 36, according to research from the UK Financial Conduct Authority (FCA). The platforms are highly popular with female customers who make up 70% of users. About 90% of goods purchased are for fashion and footwear.

Given the current size of the BNPL market, it’s important to understand how platforms are vulnerable to fraud and work to keep them secure.

How Fraudsters Target BNPL Platforms

Fraudsters typically rely on two key tactics when targeting BNPL platforms: synthetic identity (ID) fraud and account takeover.

  • Synthetic ID fraud: Fraudsters use synthetic ID fraud during the BNPL platform account opening stage. They’ll create a fake profile using a combination of real and fictional pieces of information, such as identification documents, addresses, social security numbers, and more. After building their synthetic identity, fraudsters use BNPL to buy goods with someone else’s personal details or payment information. Once they obtain the goods they want, they’ll simply disappear, leaving the customer or the merchant holding the bill.
  • Account takeover fraud: Some fraudsters play the long game to defraud a BNPL user. They find individuals with strong credit ratings who have taken out a BNPL loan. Fraudsters use account takeover (ATO) attacks to assume control of the account and purchase more expensive items using the real customer’s strong history with the BNPL provider.

How BNPL Fraud Can Harm Merchants

BNPL fraud affects merchants who partner with BNPL providers in two main areas.

  1. Merchant reputation. If a customer is defrauded via a BNPL service offered by the merchant, they are very unlikely to do business with the merchant again. What’s more, the defrauded customer is likely to share their experience with their friends, family members, and followers on social media. This scenario raises serious questions over whether merchants are capable of protecting their customers and their personal information.
  2. Financial repercussions. While most merchants will not have to pick up the cost of chargebacks for fraudulent transactions, they will have to address the issue with their BNPL provider. Many BNPL providers have clauses in their merchant agreements tied to security breaches. This means merchants could find themselves picking up the cost of the fraudulent transaction.

The Evolving BNPL Market

Despite these issues, BNPL is on track to grow and significantly evolve in the coming years. Some BNPL providers are shifting their offerings beyond traditional buy now, pay later models and moving into more traditional acquiring or payments services. Some are offering instant payment services instead of enabling customers to split purchases over three different payments.

The market is also seeing a rise in consolidation with some acquirers, payment service providers (PSPs), and even banks purchasing BNPL providers. Meanwhile, some banks have launched their own in-house BNPL services to stay at the top of wallet for their customers. Taken together, these developments indicate the BNPL market is in a very fluid state and poised for further evolution.

Tips to Secure BNPL Platforms and Merchants

With the ongoing evolution of BNPL platforms, there are several steps that both BNPL platforms and merchants can take to keep their transactions secure.

Watch for Data Inconsistencies

This is especially important during the account opening stage. BNPL platforms and merchants should review data from a wide range of sources and make sure the provided information makes sense. For example, is the submitted phone number associated with a different user? Does the provided information match the customer’s credit file? Reviewing the provided data for inconsistencies is a critical step in minimizing the effects of synthetic ID fraud.
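The two questions above, written as an account-opening check. This is an added example, not code from the original article; the field names, flag names and sample records are assumptions constructed for illustration. Values are normalized before comparison so that formatting differences neither hide a reused phone number nor flag a genuine applicant.

```python
import re
import unicodedata

def norm_phone(raw):
    """Keep digits only and drop a leading US country code so formats compare equal."""
    digits = re.sub(r"\D", "", raw)
    return digits[1:] if len(digits) == 11 and digits.startswith("1") else digits

def norm_text(raw):
    """Case-fold, strip accents and punctuation, collapse whitespace."""
    s = unicodedata.normalize("NFKD", raw).encode("ascii", "ignore").decode()
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", s.lower()).split())

def consistency_flags(application, existing_accounts, credit_file):
    """Return the list of inconsistencies found for one account-opening request."""
    flags = []
    phone = norm_phone(application["phone"])
    name = norm_text(application["name"])
    # Is the submitted phone number already associated with a different user?
    for acct in existing_accounts:
        if norm_phone(acct["phone"]) == phone and norm_text(acct["name"]) != name:
            flags.append(f"phone_linked_to_other_user:{acct['id']}")
    # Does the provided information match the customer's credit file?
    if credit_file is None:
        flags.append("no_credit_file")
        return flags
    for field in ("name", "address"):
        if norm_text(application[field]) != norm_text(credit_file[field]):
            flags.append(f"credit_file_mismatch:{field}")
    if application["dob"] != credit_file["dob"]:
        flags.append("credit_file_mismatch:dob")
    return flags

# Constructed sample data (not real people or accounts).
EXISTING = [{"id": "A-1001", "name": "Maria Lopez", "phone": "+1 (555) 010-0199"}]
CREDIT = {"name": "Jordan Avery", "address": "12 Elm St, Springfield", "dob": "1990-04-02"}
GENUINE = {"name": "jordan  avery", "phone": "555-010-0123",
           "address": "12 Elm St. Springfield", "dob": "1990-04-02"}
SYNTHETIC = {"name": "Jordan Avery", "phone": "15550100199",
             "address": "98 Oak Ave, Shelbyville", "dob": "1987-11-30"}

if __name__ == "__main__":
    print(consistency_flags(GENUINE, EXISTING, CREDIT))
    print(consistency_flags(SYNTHETIC, EXISTING, CREDIT))
```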

Consider Device Hygiene and Reputation

This is a critical step in reducing the risk of BNPL platforms and merchants being targeted by ATO attacks. Look at the user’s device and the geolocation of where they log into their account. Consider if they’re logging in from a location where they normally operate – or if they are in an unusual location. But don’t stop with geolocation. Also consider how they hold and use their device. For example, are they holding it in portrait position instead of using landscape like they normally do? Are they interacting with their screen in an unusual way? These factors can build a clearer picture of whether the user really is who they claim to be and play a critical role in stopping a potential ATO attack before it reaches the transaction stage.
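A sketch of how the device, geolocation and orientation signals described above can be compared against an account's history at login. This is an added example, not code from the original article; the profile layout, the thresholds (`max_km`, `rare_share`) and the `decide` policy are assumptions, and the sample profile and events are constructed.

```python
from math import asin, cos, radians, sin, sqrt

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def login_signals(profile, event, max_km=100.0, rare_share=0.10):
    """Compare one login against the account's history; return triggered signals."""
    signals = []
    if event["device_id"] not in profile["known_devices"]:
        signals.append("new_device")
    # Distance to the closest place the user normally logs in from.
    nearest = min((km_between(event["geo"], loc) for loc in profile["usual_locations"]),
                  default=float("inf"))
    if nearest > max_km:
        signals.append("unusual_location")
    # Share of past sessions held in this orientation; a rarely seen one is a signal.
    seen = profile["orientation_counts"]
    share = seen.get(event["orientation"], 0) / max(sum(seen.values()), 1)
    if share < rare_share:
        signals.append("unusual_orientation")
    return signals

def decide(signals):
    """Assumed policy: one signal asks for step-up auth, two or more hold for review."""
    if len(signals) >= 2:
        return "review"
    return "step_up" if signals else "allow"

# Constructed sample data: a user who normally logs in from London in landscape.
PROFILE = {"known_devices": {"dev-a1"},
           "usual_locations": [(51.5074, -0.1278)],
           "orientation_counts": {"landscape": 47, "portrait": 3}}
USUAL = {"device_id": "dev-a1", "geo": (51.51, -0.12), "orientation": "landscape"}
ODD_GRIP = {"device_id": "dev-a1", "geo": (51.51, -0.12), "orientation": "portrait"}
TAKEOVER = {"device_id": "dev-zz", "geo": (40.7128, -74.0060), "orientation": "portrait"}

if __name__ == "__main__":
    for ev in (USUAL, ODD_GRIP, TAKEOVER):
        found = login_signals(PROFILE, ev)
        print(found, "->", decide(found))
```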

Understand the Consumer’s Lifecycle

The account opening stage is critical to determining a customer’s risk level. But it’s not the final stage. BNPL platforms and merchants should continue to monitor the customer’s risk level throughout the entire span of their relationship. Instead of treating the customer’s risk assessment as a one-and-done task or something that only needs to be performed annually, BNPL platforms and merchants should continue to monitor their customers’ risk level and watch to see how different events change their overall profile.

BNPL platforms are gaining in popularity. Like all payment mechanisms, they are also vulnerable to fraud. Regulations will inevitably add new requirements for how these platforms operate. Now is the best time to get ahead of these upcoming rules by working to keep the platforms secure.
