Why buy now, pay later is the next big fraud risk for retailers

Retailers are offering customers more buy now, pay later (BNPL) financing purchase options to drive sales across a wide range of products. Shoppers can get instant point-of-sale (POS) credit and then delay or spread out payments (often at no additional cost) instead of paying directly at the time of purchase. It may appeal to consumers and has proven particularly popular during busy shopping periods such as Black Friday and the holiday season.

However, BNPL also attracts the attention of online fraudsters. While the market is maturing with new vendors and products, so are the fraud risks for retailers, as cybercriminals seek to exploit the BNPL process.

2022 a great year for BNPL

According to a recent FinTech Trends Report from legal services firm Stephenson Law, 2022 is likely to be a big year for BNPL after stealing much of the limelight from credit cards, loans, overdrafts and traditional point-of-sale financing in 2021. “[…] saw a rising tide of BNPL providers. Klarna in particular has cemented its dominant and international position, leading countless other providers to jump on the BNPL bandwagon,” the report states.

One such provider is Monzo, which has launched its own BNPL product, while Virgin Money has announced plans to create a digital wallet with built-in BNPL functionality. “Other BNPL providers are enabling BNPL purchases through browser extensions,” the report continued.

Meanwhile, the UK’s Financial Conduct Authority (FCA) has announced plans to introduce BNPL Regulations to better protect consumers and ensure that BNPL meets established financial purchasing standards, which it plans to implement in 2022.

Merchants at Risk of BNPL Fraud

A thriving market and increased regulatory oversight are positive for BNPL suppliers and consumers, but retailers who offer BNPL should be wary of fraudulent activity targeting them. “BNPL is an obscure and difficult channel for retailers to understand/measure,” Andras Cser, principal analyst at Forrester, told CSO. “It involves various creditworthiness decisions as well as the orchestration of payments. All of the above represent opportunities for fraudsters to exploit the transactions and payments ecosystem.”

BNPL provides an easy way to commit fraud for cybercriminals who intend to impersonate someone but have minimal data on them, says Gareth Malna, head of FinReg at Stephenson Law. “For example, you could probably go through the entire purchase process with little more than the email address and password used by the user for an online store.”

The problem with platform-integrated BNPL offerings is that once an account is approved, the retailer typically assumes any connection to the account is genuine and allows further borrowing, Malna adds. “As a result, if a fraudster gained access to a user’s account, they could purchase goods using a pre-authorized line of credit in the user’s name and have them delivered to an untraceable address.”

The risks are increased for retailers because, in the event of BNPL fraud, they are usually responsible for the losses. The fraudster gets an item but never actually pays, while the retailer has to bear the cost of dealing with the fraud and repossessing it — if the latter is even possible, Cser says.

“Legally, the BNPL provider will generally have disclaimed any liability for losses suffered by a user as a result of a breach of the retailer’s online store security,” Malna told CSO. “Commercial terms for users will also include buyer protection language, meaning consumers won’t have to pay for goods ordered until they’ve been received. In the case of fraudulent activity, this often leaves the retailer to bear the financial burden.”

How Cybercriminals Conduct BNPL Fraud

Cybercriminals employ a variety of tactics to carry out BNPL fraud, most of which are done through account takeover (ATO) or fake accounts. “ATO is the most common and involves taking over people’s accounts to make purchases,” says Ross Aubrey, EMEA financial solutions manager at Quantexa. “It may take a while for the victim to realize they have been targeted as they are not charged immediately. This is similar to cardless fraud, but using a different vehicle.”

SIM swapping is a method known to be used by fraudsters to gain access to someone’s account and evade security measures such as 3D Secure Authentication (3DS) by changing authentication information such as the phone number. “The fake accounts are designed to look real and pass identity checks using stolen credit card details,” adds Aubrey. As other examples of methods used in BNPL fraud, he cites associated person/family member fraud, collusive behavior between groups of fraudsters or willing participants (even merchants), and abuse of the elderly/vulnerable, where sensitive individuals are tricked into making purchases on behalf of fraudsters.

How Retailers Can Prevent BNPL Fraud

“Retailers who have piled in to enroll BNPL suppliers for their online stores have recently questioned those decisions and, in some cases, attempted to reverse course,” Malna told CSO. However, those who wish to continue to provide BNPL options to meet customer demand but wish to reduce the risk of BNPL fraud should implement strategies to mitigate the associated threats.

Cser sees a three-tiered structure as essential, starting with effective identity and access management backends, complemented by customer verification at both sign-up and transaction. “Second, retailers must have an automated end-to-end fraud risk management and scoring system to monitor and manage transactions.” E-commerce portal business workflows then need to support the above and the BNPL process, he adds.

For Malna, preventing fraud comes down to making better use of data. “Once a purchase history has been compiled and data can be collected on the jurisdiction of sales, type of goods purchased, typical value of goods, typical time and days of business purchase, etc., then any transactions outside of ‘normal’ behavior can be queried and an extra layer of security is added before transactions are approved,” he says.
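A minimal sketch of the baseline check described above, added here as an illustration and not taken from the article or from any vendor's product. The `Order` fields, the reason names, the 3x value multiplier, the three-hour window and the two-day phone-change window are all assumptions; the sample orders are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

@dataclass
class Order:
    value: float
    country: str       # jurisdiction of sale
    category: str      # type of goods
    ship_to: str       # normalized delivery address
    placed_at: datetime

def hour_gap(a, b):
    """Distance between two clock hours, wrapping at midnight."""
    d = abs(a - b)
    return min(d, 24 - d)

def step_up_reasons(history, order, phone_changed_at=None):
    """List the ways an order departs from the account's own purchase history."""
    if len(history) < 3:                       # assumed minimum for a baseline
        return ["insufficient_history"]
    reasons = []
    if order.value > 3 * median(o.value for o in history):   # assumed multiplier
        reasons.append("value_above_typical")
    if order.country not in {o.country for o in history}:
        reasons.append("new_jurisdiction")
    if order.category not in {o.category for o in history}:
        reasons.append("new_goods_type")
    if order.ship_to not in {o.ship_to for o in history}:
        reasons.append("new_delivery_address")
    if all(hour_gap(order.placed_at.hour, o.placed_at.hour) > 3 for o in history):
        reasons.append("unusual_hour")
    # A phone number changed shortly before a credit purchase fits the SIM-swap pattern.
    if phone_changed_at and timedelta(0) <= order.placed_at - phone_changed_at < timedelta(days=2):
        reasons.append("recent_phone_change")
    return reasons

# Constructed sample data: four routine orders, then two candidate orders.
HOME = "12 example road, leeds"
HISTORY = [
    Order(42.0, "GB", "clothing", HOME, datetime(2022, 1, 8, 19, 5)),
    Order(55.0, "GB", "clothing", HOME, datetime(2022, 1, 22, 20, 30)),
    Order(38.5, "GB", "footwear", HOME, datetime(2022, 2, 5, 18, 45)),
    Order(61.0, "GB", "clothing", HOME, datetime(2022, 2, 19, 21, 10)),
]
ROUTINE = Order(47.0, "GB", "clothing", HOME, datetime(2022, 3, 5, 19, 40))
ODD = Order(899.0, "GB", "electronics", "parcel locker 7, example street",
            datetime(2022, 3, 1, 3, 12))
```

Any non-empty result is the point at which the extra verification step would be required before the BNPL purchase is approved.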

Entity resolution is a process that can create an even bigger picture to help better understand behavior by bringing together data from internal and often disparate data sources and combining it with up-to-date external data that provides better context, adds Aubrey. “Entity resolution can be performed on things like devices and IP addresses to help identify things that look suspicious when assessing the full picture of activity taking place in those entities. This can help shed light on relationship networks, including social connections and any less obvious or even hidden connections that aren’t obvious when making an individual purchase or using only internal data.”
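Entity resolution over devices and IP addresses can be sketched as a graph-linking problem. The following is an added example, not code from the article or from any product it mentions; the function name, the `max_fanout` cut-off and the event tuples are assumptions, and the events are constructed using documentation IP ranges.

```python
from collections import defaultdict

def linked_accounts(events, max_fanout=3):
    """Group accounts that share a device or IP address (union-find).

    events: iterable of (account, device_id, ip) tuples.
    Attributes seen on more than max_fanout accounts (for example a mobile
    carrier gateway IP) are ignored so they do not merge unrelated customers.
    """
    seen = defaultdict(set)                    # attribute -> accounts using it
    for account, device, ip in events:
        seen[("dev", device)].add(account)
        seen[("ip", ip)].add(account)

    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]      # path compression
            x = parent[x]
        return x

    for accounts in seen.values():
        if len(accounts) > max_fanout:
            continue
        first, *rest = sorted(accounts)
        find(first)
        for other in rest:
            parent[find(other)] = find(first)

    clusters = defaultdict(list)
    for account in sorted(parent):
        clusters[find(account)].append(account)
    groups = [c for c in clusters.values() if len(c) > 1]
    return sorted(groups, key=lambda c: (-len(c), c))

# Constructed events: three new accounts chained by one device and one IP,
# plus four unrelated customers behind the same shared gateway address.
EVENTS = [
    ("alice", "dev-A", "198.51.100.10"), ("bob", "dev-B", "198.51.100.20"),
    ("new-101", "dev-X", "203.0.113.5"), ("new-102", "dev-X", "203.0.113.6"),
    ("new-103", "dev-Y", "203.0.113.6"),
    ("carol", "dev-C", "192.0.2.1"), ("dave", "dev-D", "192.0.2.1"),
    ("erin", "dev-E", "192.0.2.1"), ("alice", "dev-A", "192.0.2.1"),
]

if __name__ == "__main__":
    print(linked_accounts(EVENTS))
```

No single purchase by `new-101` or `new-103` shows a connection between them; the link only appears once `new-102` is included, which is the hidden-relationship case the quote describes.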

Robust anti-money laundering controls are also useful for dealing with new users and fake accounts, Malna says. “This can be done with video recordings of individuals to validate their identity against public and private data points (over time this will be an increasingly AI-provided solution). It also comes from educating users about security features they can use to protect their passwords and personal data.”

Copyright © 2022 IDG Communications, Inc.

Martin E. Berry