- Current fraud controls such as IP and geolocation intelligence are very easy to spoof, and that is not enough to fight against BNPL fraud.
- BNPL is a great payment option, especially with the holiday season coming up so consumers do not have to front the entire amount at the time of purchase.
- “The merchant has some responsibility for the identification of a valid user, so especially with mobile purchases, use the device itself to identify who the user is while logging in and buying high value items.”
Apple recently announced its big move into Buy Now, Pay Later (BNPL). This new payment method will attract more purchases and allow customers to spread costs over several payments interest free, but buying now and paying later also attracts fraudsters and could potentially get consumers into financial trouble. Han Sahin, CEO of ThreatFabric, believes it will become a big fraud risk by 2023.
“We predict a Buy Now, Pay Later epidemic is yet to come — but instead of waiting for it to happen, we are already ahead of the issue. Current fraud controls such as IP and geolocation intelligence are very easy to spoof, and that is not enough to fight against BNPL fraud. In order to avoid a fraud epidemic for BNPL, we should consider stronger identity proofing mechanisms. By relying on behavioral analytics and mobile sensors, we can quickly identify a normal user from a fraudster,” Sahin said.
Apple Pay Later
iPhone users already have the option to store their wallet on their phones, making it easier to pay both online and in stores. Now, Apple has taken that one step further and created their own BNPL option, called Apple Pay Later, where users can make payments for up to six weeks without fees to pay back the full amount, which will be taken from their mobile wallets.
According to Sahin, this will essentially be the same BNPL system, but Apple will be the provider. The plan is for this new payment method to be rolled out in September 2022, so there is still some time to figure out the details, but Sahin is worried they will not have the proper security controls in place and fraud will become a big problem.
The Reality of Buy Now, Pay Later Fraud
According to data from ThreatFabric, in 2021, consumers lost almost $52 billion to traditional identity fraud and identity fraud scams, with nearly $7 billion attributed to account-opening fraud. BNPL is a great payment option, especially with the holiday season coming up so consumers do not have to front the entire amount at the time of purchase. They can choose to spread out payments, enabling them to buy higher-end and more expensive products than before — but with this comes great risk.
ThreatFabric details some emerging vectors for BNPL fraud:
- Account opening fraud (application fraud)
- Account Takeover fraud by phishing and malware
- Fraud by malware by only changing the drop address in the merchant’s app
- Fraudulent chargebacks
- Repayments with a stolen credit card
- High value good or transaction laundering (drop sites)
These are some of the factors that retailers need to be aware of which can accelerate fraud:
- Continuous data breaches, allowing easy syntactic identity fraud
- No fraud control oversight by any payment or loan authority
- Limited KYC-checks (Know Your Customer Checks) in an age of continuous data breaches
- Spoofable and hackable onboarding controls (SMS/Email)
- Over-trusting document and liveliness detection
- A lot of segregation of fraud and identity controls between providers
These are just some of the downfalls that can occur from BNPL fraud:
- Lost inventory for merchants in the day of delivery competition
- Investigation overhead when fraud occurs
- Fraudster can on-the-fly change the delivery address in the merchant’s app
- Negative impact of the entire shopping journey for customers
How Retailers Can Prevent BNPL Fraud
Sahin advises retailers to use strong identification methods when consumers purchase high value goods, such as face identification. Keep in mind that you do not want to add any extra friction to the checkout process that will annoy shoppers, but something such as one extra simple step to authorize the purchase will not only keep the checkout process fast and easy, but your customers will also feel safer knowing their information is that much more protected.
“The merchant has some responsibility for the identification of a valid user, so especially with mobile purchases, use the device itself to identify who the user is while logging in and buying high value items. This will not introduce friction into the buying journey because it will give the customer a sense of security,” Sahin said.