How Retailers Can Address 'Buy Now, Pay Later' Fraud

As BNPL platforms grow in popularity, experts warn that cybercriminals could target them using synthetic identity fraud and first-party fraud.

Tatiana Walk-Morris, Contributing Writer

March 2, 2022


For both retailers and cybercriminals, buy now, pay later (BNPL) platforms present new opportunities in e-commerce. Retailers like BNPL because letting shoppers pay for a purchase in multiple installments over a specified time period expands the market to a larger group of shoppers. Similarly, BNPL provides criminals with new avenues for fraud.

BNPL is a growing, and lucrative, market. According to a January report from Experian, the number of BNPL users in 2021 grew to 45 million active users who spent $20.8 billion. Globally, installment payments are expected to grow to 4.2% of all e-commerce transactions by 2024, according to the Worldpay from FIS "2021 Global Payments Report."

The popularity also makes BNPL a target, as experts warn that these platforms will be increasingly targeted by online fraudsters in 2022. Reports from Outseer, an anti-fraud technology company specializing in payments, and payments analysis firm also warn that cybercriminals are targeting installment payment providers.

For retailers, digital installment payment platforms offer protection from online scammers because the platforms absorb the risk. However, retailers and installment payment platforms can harness the data they have to spot fraudulent transactions that evade detection measures, sources told Dark Reading.

Synthetic Identities, Authentic Grift

Stopping fraudulent accounts remains a persistent problem for fintech firms, especially BNPL providers. PayPal, which offers an installment payment service, made headlines last month after the company's CFO John Rainey said during an earnings call that the company found 4.5 million "illegitimately created" accounts.

First-party fraud involves cybercriminals using their own identities to defraud financial institutions. Third-party fraud refers to using someone else's information to execute illicit transactions. And synthetic fraud involves creating a new identity by cobbling together components from different identities and fabricated information to use in these financial transactions.

BNPL platforms are responsible for vetting customers transacting on their platform, so they typically use internationally shared intelligence to determine whether new customers are legitimate, says Armen Najarian, chief identity officer at Outseer.

Sezzle, an interest-free installment payment platform, uses multiple data points to catch first-party and third-party fraud. The company cross-checks data points such as SIM data, email addresses, shipping addresses, and other metrics to determine whether fraudsters are using synthetic identities to conduct fraudulent transactions, says Charlie Youakim, CEO of Sezzle.

Besides essential metrics that Sezzle needs from retailers in order to conduct transactions, Sezzle also allows retailers to disclose additional API information that assists in fraud detection, Youakim says. Among the targets for fraudsters are gift cards, electronics, and travel rewards, he adds.

"We have optional API information that you can send in, which is basically like project level data, and that type of data does help," Youakim says. "Because what you can see is, for instance, gift cards are a great form of fraud typically. That's where fraudsters like to go because they can take gift cards and they can monetize them easily."

How Can Installment Payment Platforms Fight Fraud?

Besides creating synthetic identities, cybercriminals have also stolen installment payment users' credentials and created fake look-alike sites with similar domains, Najarian says. Once they have the credentials, they can take over authentic accounts and conduct transactions, he says. They also can exploit installment payment companies' sign-up incentives when enrolling their synthetic identities, he adds.

Similar to retailers, installment payment platforms also employ fraud detection and risk management tools to spot cybercriminals, but BNPL platforms may soon request more data from retailers to further reduce the risk of illicit installment payment transactions, Najarian says. He predicts that more cybersecurity teams within online retailers will work more closely with installment payment providers to assess risks.

Najarian doesn't foresee retailers' IT teams transferring personally identifiable information to installment payment platforms, but rather ambient metadata, such as the device used to transact, IP addresses or location of the customer, he says.

"You can't just say, 'OK, Klarna, you're taking over this transaction. You're holding the bag.' I don't think that's going to be a very long-lived model," Najarian says. "I can see new models emerging that will help them to guarantee the transaction [and] help preserve [the] integrity of the transactions."

Sharing Knowledge to Stop Fraud

When accepting installment payment customers, retailers' IT and cybersecurity teams must balance screening out fraudsters and not turning away legitimate customers, particularly by putting authentic customers through unnecessary verification measures, Najarian says.

Najarian recommends IT and cybersecurity leaders keep in contact with vendors that are crafting anti-fraud technologies to stay abreast of how cybercrime is evolving in the BNPL space. IT teams and cybersecurity teams should also make sure they layer multiple solutions to screen out BNPL fraudsters and tailor their procedures to their organizations as needed, he adds. Echoing that sentiment, Youakim encourages retailers' IT teams to share fraud trends they're noticing with one another without exposing consumer information.

"The provider of the technology will guide you and say, 'OK, for companies that look like you, typically this is the risk tolerance. This is the typical policy that you'd establish for a new account opening workflow or for a payment transaction workflow that would govern the acceptable reject rate.' Stay close to that," Najarian says. "Seasonally adjust as you get into holiday seasons or tax seasons. Tuning those policies and adjusting those for different seasonal events [is] super important."

About the Author(s)

Tatiana Walk-Morris

Contributing Writer

Tatiana Walk-Morris is a contributing writer for Dark Reading.
