Why buy now, pay later is the next big fraud risk for retailers

Retailers are offering customers more buy now, pay later (BNPL) finance purchasing options to drive sales across a wide range of products. Shoppers can get instant credit at the point of sale (POS) and then delay or spread payments (often at no extra cost) instead of paying outright at the time of purchase. This can appeal to consumers and has proven to be particularly popular during busy shopping periods such as Black Friday and the holiday season.

However, BNPL is also capturing the attention of online fraudsters. While it is maturing with new providers and products coming to the market, so too are the risks of fraud for retailers as cybercriminals look to exploit the BNPL process.

2022 a big year for BNPL

According to a recent FinTech trends report from legal services company Stephenson Law, 2022 is likely to be a big year for BNPL having stolen much of the limelight from credit cards, loans, overdrafts, and traditional point-of-sale financing in 2021. “2021 has seen a rising tide of BNPL providers. Klarna in particular has cemented its dominant and international position, leading countless other providers to jump on the BNPL bandwagon,” the report read.

One such provider is Monzo, which has launched its own BNPL product, while Virgin Money has announced a move to build a digital wallet with the BNPL feature built in. “Other BNPL providers are in the process of enabling BNPL purchases via browser extensions,” the report continued.

Meanwhile, the UK’s Financial Conduct Authority (FCA) announced intentions to introduce BNPL regulation to better protect consumers and ensure BNPL holds up to established finance purchasing standards, which it plans to implement in 2022.

Retailers at risk of BNPL fraud

A flourishing market and increased regulatory oversight are positives for BNPL providers and consumers, but retailers who offer BNPL should be wary of fraudulent activity that targets it. “BNPL is an obscure and difficult-to-understand/measure channel for retailers,” Forrester Principal Analyst Andras Cser, tells CSO. “It involves various creditworthiness decisions as well as orchestration of payments. All of the above represent opportunities for fraudsters to exploit the transaction and payment ecosystem.”

BNPL provides an easy means of committing fraud for cybercriminals that intend to impersonate someone but only have minimal data on them, says Stephenson Law’s head of FinReg, Gareth Malna. “For instance, you could likely get through the entire purchase process with little more than the email address and password used by the user for a webstore.”

The problem with BNPL offerings being built into platforms is, once an account is approved, the retailer usually assumes that any login to the account is authentic and permits further borrowing, Malna adds. “As a result, if a fraudster were to access a user’s account, they could purchase goods using a pre-authorized line of credit in the user’s name and have them delivered to an untraceable address.”

Risks are heightened for retailers because, in the event of BNPL fraud, they are typically on the hook for losses. The fraudster gets an item but never actually pays, while the retailer must front the cost of fraud management and repossession – if the latter is even possible, Cser says.

“Legally, the BNPL provider will typically have disclaimed all liability for losses suffered by a user as a result of a security breach of the retailer’s webstore,” Malna tells CSO. “Terms of business for users will also include buyer protection wording, which means that consumers don’t have to pay for any ordered goods until they have been received. In the case of fraudulent activity, that often leaves the retailer bearing the financial burden.”

How cybercriminals carryout BNPL fraud

Cybercriminals employ various tactics to carryout BNPL fraud, with most performed via account takeover (ATO) or fake accounts. “ATO is the most prevalent and involves taking over people’s accounts to make purchases,” Ross Aubrey, head of financial solutions EMEA at Quantexa, says. “It could take some time for the victim to realize they’ve been targeted as they aren’t billed immediately. This is similar to card-not-present fraud but using a different vehicle.”

SIM swapping is one method that is known to be employed by fraudsters to gain access to someone’s account and avoid security measures such as 3D secure authentication (3DS) by altering authentication information such as phone number. “Fake accounts are designed to look real and pass identity checks using stolen credit card details,” Aubrey adds, also citing associated person/family member fraud, collusive behavior between groups of fraudsters or willing participants (even merchants), and elderly/vulnerable abuse where susceptible individuals are pressured into making purchases on behalf of fraudsters as other examples of methods used in BNPL fraud.

How retailers can prevent BNPL fraud

“Retailers who piled in to sign up BNPL providers for their webstores have recently been questioning those decisions and, in some cases, trying to reverse the move,” Malna tells CSO. However, those that are keen to continue to provide BNPL options to meet customer demand but want to reduce the risks of BNPL fraud should implement strategies to mitigate related threats.

Cser considers a three-tier structure to be key, starting with efficient identity and access management backends complete with verification of customers both at enrollment and transaction. “Secondly, retailers need to have an end-to-end automated fraud risk scoring and management system to monitor and manage transactions.” The business workflows of ecommerce portals then need to support the above and the BNPL process, he adds.

For Malna, fraud prevention comes down to better use of data. “Once a purchasing history has been built up and data can be gathered on the jurisdiction of sales, type of goods bought, typical value of goods, typical time, and days of purchasing activity etc., then any transactions outside of ‘normal’ behavior can be queried and an extra layer of security brought in before transactions are approved,” he says.

Entity resolution is a process that can create an even bigger picture to help better understand the behavior by bringing together data from internal and often disparate data sources and combining it with up-to-date external data that delivers greater context, adds Aubrey. “Entity resolution can be performed on things like devices and IP addresses to help to identify where things look suspicious when assessing the full picture of activity performed at these entities. This can help illuminate networks of relationships including social connections and any less obvious or even hidden connections that are not evident at an individual purchase or using internal data alone.”

Robust anti-money laundering checks are also useful for managing new users and fake accounts, Malna says. “That can be achieved with video recordings of individuals to validate their identity against public and private data points (over time this will be a solution increasingly provided by AI). It also comes from making users more aware of security features they can use to protect their passwords and personal data.”