How to prevent buy now, pay later (BNPL) fraud

Find out what Buy Now, Pay Later (BNPL) fraud is, how it works, the most common types, and ways to detect and prevent it in your business practices.

Checkout.com
November 5, 2024

Buy now, pay later (BNPL) is on course to become one of the world’s most popular alternative payment methods. It’s already used by 45 million people in the US, and 17 million in the UK, and is expected to reach a market value of nearly $4 trillion by the end of the decade.

But where there’s money to be made, criminals will follow. Buy Now, Pay Later fraud is on the rise, with fraudsters deploying ever-more ingenious ways to take advantage of businesses and consumers.

To fight it, you need to know how it works. Below, we explain the different types of BNPL fraud you should be looking out for, which party is liable for the loss when it occurs, and we give you our top fraud-fighting tips.

What is BNPL fraud?

BNPL fraud refers to any criminal activity that exploits the BNPL payment method to steal data or money. It is most commonly perpetrated by professional third-party fraudsters, but even merchants, consumers, and BNPL companies are capable of engaging in this type of fraud if there’s something to be gained from doing so.

As an emerging payment method, BNPL doesn’t yet have the robust regulations and standards in place that help to protect more established methods, which contributes to a greater BNPL fraud risk. Additionally, there’s not yet a lot of data available that can be used to identify and prevent BNPL fraud.

How does BNPL fraud work?

BNPL fraud takes numerous forms, depending on who is perpetrating the crime and who the intended victim is. It could involve a fraudster pretending to be a legitimate customer to gain access to their account, or it could be as simple as non-repayment.

The main aspects of BNPL that make it vulnerable to fraud are:

  • Real-time decisions - BNPL is designed to be quick and frictionless for the customer, which encourages them to use the service and increases the chance of a conversion. However, this makes it hard to conduct thorough identity verification and authorization, which helps fraudsters
  • Delayed repayment - as BNPL purchases are paid off in installments over several weeks or in one go at a later date, there’s a clearly defined window of opportunity for malicious actors to commit fraud and escape undetected
  • No credit checks - unlike other types of finance, most BNPL providers don’t conduct proper credit checks on customers. Instead, they run a soft check to establish the customer’s creditworthiness. While this is good for customer experience, it creates more opportunities for fraudsters to slip through the net

BNPL fraudsters look for businesses with weak identity verification in place because it’s much easier for them to create accounts that way. 

What are the different types of BNPL fraud risk?

Here are the most common types of BNPL fraud that merchants should be aware of as part of their fraud monitoring strategy:

Account takeover fraud

Fraudsters use takeover tactics, such as stealing usernames and passwords through phishing, to gain access to a customer’s account. They can then place orders to their addresses under the guise of a legitimate customer until the genuine account owner notices.

Fraudsters can therefore enjoy the benefits of a user’s account with an established credit history, rather than creating a new account with no history – and going through the identity verification required to do so. This makes it easier to commit fraud and removes the need to create a false identity.

Identity verification as a first line of defense won’t suffice here, because the fraudsters are taking over existing accounts that have already been through this process. However, another way to prevent account takeover fraud is by monitoring the IP addresses of account logins and looking out for password or username changes. Fraudsters are unlikely to have access to a user’s entire device or other accounts, so sending a user an email to confirm a login from a new IP address can block their way here. 

Rules take things one step further. You can establish rules where a certain series of suspicious events will trigger a block, such as a login from a new IP address immediately followed by a password change before making a new purchase. 
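The rule described above (a login from a new IP address, then a password change, then a purchase) can be written as a small state machine keyed on account and IP. This is an added example, not Checkout.com code; the event names, the 30-minute window, and the sample accounts and IP addresses are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed threshold; tune to your own traffic

# Constructed sample data: IPs each account has used before, then raw events.
KNOWN_IPS = {"alice": {"192.0.2.10"}, "bob": {"192.0.2.20"}, "carol": {"192.0.2.30"}}
SAMPLE_EVENTS = [
    ("2024-11-05T09:00:00", "alice", "login", "203.0.113.5"),
    ("2024-11-05T09:02:00", "alice", "password_change", "203.0.113.5"),
    ("2024-11-05T09:05:00", "alice", "purchase", "203.0.113.5"),
    ("2024-11-05T09:10:00", "bob", "login", "192.0.2.20"),
    ("2024-11-05T09:11:00", "bob", "password_change", "192.0.2.20"),
    ("2024-11-05T09:12:00", "bob", "purchase", "192.0.2.20"),
    ("2024-11-05T10:00:00", "carol", "login", "198.51.100.9"),
    ("2024-11-05T10:01:00", "carol", "login_confirmed", "198.51.100.9"),
    ("2024-11-05T10:03:00", "carol", "password_change", "198.51.100.9"),
    ("2024-11-05T10:04:00", "carol", "purchase", "198.51.100.9"),
    ("2024-11-05T11:00:00", "dave", "login", "203.0.113.77"),
    ("2024-11-05T11:05:00", "dave", "password_change", "203.0.113.77"),
    ("2024-11-05T12:30:00", "dave", "purchase", "203.0.113.77"),
]

def find_takeover_chains(events, known_ips, window=WINDOW):
    """Return [(account, ip, purchase_timestamp)] for purchases to block."""
    trusted = {acct: set(ips) for acct, ips in known_ips.items()}
    chains = {}  # (account, ip) -> {"start": datetime, "pw_changed": bool}
    blocked = []
    for ts, account, kind, ip in sorted(events):
        when = datetime.fromisoformat(ts)
        key = (account, ip)
        chain = chains.get(key)
        if chain and when - chain["start"] > window:
            del chains[key]  # chain is too old to count as "immediately followed"
            chain = None
        if kind == "login":
            # A login from an IP the account has never used opens a chain.
            if chain is None and ip not in trusted.get(account, set()):
                chains[key] = {"start": when, "pw_changed": False}
        elif kind == "login_confirmed":
            # The owner confirmed the login by email: trust the IP, drop the chain.
            trusted.setdefault(account, set()).add(ip)
            chains.pop(key, None)
        elif kind == "password_change" and chain:
            chain["pw_changed"] = True
        elif kind == "purchase" and chain and chain["pw_changed"]:
            blocked.append((account, ip, ts))
    return blocked
```

On the sample data only alice's purchase is flagged: bob used a known IP, carol confirmed the new login by email, and dave's purchase fell outside the window.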

Synthetic identity fraud

Fraudsters can create synthetic identities by combining data that’s freely available on people’s online profiles with false personal details, e.g. a fake name and date of birth with a real social security number. They can then pose as a legitimate customer to place orders using BNPL, with no intention of making their payments, and no way to find out who they really are. 

Synthetic identity fraud is difficult to detect – it will usually get past KYC processes and identity verification. Given the false nature of the IDs, it’s not easy to recover the funds and BNPL providers will usually write these defaulted payments off as bad debt. 

To give yourself the best chance of preventing synthetic identity fraud, check customer IDs throughout their lifecycle as your customer, not just once at onboarding.

New account fraud

It’s easy to open an account with a BNPL provider. Any fraudster can sign up using information stolen through hacking or data breaches and, currently, the Know Your Customer (KYC) and Anti-Money Laundering (AML) checks used by most BNPL providers aren’t robust enough to detect them. Once signed up, they can place as many orders through their new accounts as possible before they get shut down. 

Fraudsters often abuse new account offers by creating multiple accounts and taking advantage of those offers for profit. So, the best way to defend against this is by making it difficult for users to open duplicate accounts. The easier your system is to take advantage of, the more people will do it. 

Non-repayment

Non-repayment fraud simply involves the buyer placing orders with no intention of paying back the loan. By combining any of the above methods, the fraudster can do so with a completely fake or stolen identity, so there’s no risk of being caught. It’s a relatively easy fraud type to carry out, making it one of the most common types of BNPL fraud. 

The best way to avoid non-repayment fraud is to verify that the user is who they claim to be. Fraudsters are less likely to commit this fraud in their own name.

Trojan horse fraud

In a trojan horse scam, a fraudster creates a BNPL account using fake credentials, places an order with a merchant, but then changes their payment method to a stolen card.

Family fraud

Family fraud occurs when someone has access to their family member or friend’s account and makes an unauthorized purchase on said account, which is only discovered later. This could be accidental or deliberate. This is increasingly common with the rise of online marketplaces and services where users remain signed in at all times or are signed in automatically from a recognized device, and where card details are stored for quick payments.

Surprisingly, the most common perpetrators of family fraud are children who have access to their parent’s account and/or card details. It’s usually opportunistic in nature, meaning there are no warning signs you can look out for in order to block the payment.

It’s also important to remember that this type of fraud is often opportunistic. It’s not planned and carefully executed; it occurs in the moment, based on a limited window of opportunity. Because of this, there will rarely be warning indicators that could signal that this is about to occur.

So, to try and prevent family fraud, you must authenticate users every time they use your platform. Multi-factor or two-factor authentication can be great ways to do this securely and make sure the purchaser is also the account holder. 

Refund abuse and friendly fraud

Friendly fraud can involve customers requesting a refund for a product that they then don’t return. They might also falsely claim that they don’t recognize the transaction to initiate a chargeback and then keep the product and the money. Friendly fraud is often unintentional, hence its name, as customers may forget about their original purchase or misunderstand a transaction. 

To reduce the risk of friendly fraud, your transaction descriptions should be clear and recognizable on bank statements, with the same business name as the customer is familiar with. The same goes for order confirmations, which should cover all the essential details from the purchased items and their prices to the delivery and contact information of the purchaser. It’s also important to have quick customer support to resolve customer queries before they initiate a chargeback. 

Repayment fraud

Fraudsters can exploit BNPL providers by making repayments using stolen credentials. Although the BNPL will initially receive the owed money, the actual cardholder will likely notice a fraudulent transaction on their account and dispute it, leaving the BNPL provider liable for returning their money. 

This type of fraud is hard to identify on the BNPL provider’s side because nothing appears to be wrong on the surface – the customer is repaying what they owe. It’s often reliant on the cardholder whose money is stolen to flag the fraud, which means it could go on for a long time. 

Who is responsible for BNPL fraud costs?

In most cases, BNPL providers will accept liability for any fraud that occurs on an account hosted on their platform. That’s because, ultimately, the party that authorizes the payment is responsible, and the BNPL provider acts as both the payment and lender.

What is the impact of BNPL fraud?

While the provider is most likely to bear the burden of the financial loss, BNPL fraud has other negative effects.

For customers, the impact is clear: fraudulent purchases using their account and card that they won’t always be able to reclaim; stolen personal details that leave them vulnerable to further fraud; damaged credibility and creditworthiness that could prevent them from using finance options in the future.

For merchants, the biggest risk if they fail to prevent BNPL fraud is reputational damage, which could impact relationships with customers, suppliers, and even BNPL providers.

For example, if a fraudster manages to hack into the account of one of your customers and uses it to place orders, that customer will likely consider your site compromised and stop shopping with you. Likewise, your BNPL provider likely won’t want to expose themselves to the risk of further losses by offering their services through your website.

How to prevent BNPL fraud

It’s vital that merchants take adequate measures to reduce their risk of BNPL fraud in order to protect themselves and their customers.

To do so, you need to establish a comprehensive BNPL risk management strategy that combines prevention and detection techniques to guard against multiple threats.

Identity verification

Ensuring your customers are who they say they are should be your first line of defense against BNPL fraud. Conducting mandatory KYC checks on any customer that wants to open an account or make a purchase is the best way to prevent fraudulent behavior. At a minimum, these checks should require the customer to provide an ID card, documentation such as proof of address, face verification, and biometric data. You should also implement Enhanced Due Diligence checks where necessary, which require more stringent verification for customers with a higher risk profile.

Authentication methods

Advanced authentication methods, like 3D Secure (3DS), are a great way to verify a cardholder’s identity while ensuring a positive customer experience. Because they sit at the point of payment, they are also your last line of defense. 3DS requires multi-factor authentication, which relies on any combination of passwords, usernames, single sign-on, SMS, and biometrics to confirm the identity of the customer before authorizing their payment.

BNPL transaction monitoring

Any diligent merchant should keep an eye on their transaction data to look for suspicious patterns that indicate fraudulent activity. For example, red flags could be logins from multiple devices and IP addresses, multiple payment attempts using the same card, or attempts using details that have been reported as stolen.  

This data forms the basis of any rule-based or machine learning-based fraud prevention, by giving your fraud detection system accurate and up-to-date information that it can use to spot fraud trends. The more data you have, the better.

Address verification

Address verification confirms that the addresses supplied by your customers when attempting a payment are genuine. During an address verification service (AVS) check, the card network or bank cross-references the customer’s details with authoritative data sources to validate the address. They can then let the merchant know whether the address matches the one they have on file for that customer.

Machine learning

All merchants should deploy AI and machine learning tools in the fight against fraud. These tools are far more effective and efficient at fraud detection than human agents, as they can review masses of transaction data in seconds to spot and prevent fraudulent activity. What’s more, they’re always improving and becoming more accurate, meaning more bad actors are stopped and more legitimate customers are authorized.

Detect BNPL fraud with Checkout.com

With Checkout.com, it’s easy to implement the BNPL fraud prevention measures detailed above.

Our Fraud Detection Pro solution keeps an eye on our entire network to spot emerging trends and stay one step ahead of the fraudsters. Meanwhile, its robust tools, including dynamic machine learning and flexible rules, work together to stop fraud while improving acceptance rates. You also get access to comprehensive analytics that you can use to continually optimize your fraud fighting performance.

Find out more about Checkout.com’s Fraud Detection Pro.
