Firms tackle ballooning buy now, pay later fraud

Where consumers go, fraudsters follow. The explosion of buy now, pay later popularity means it's become an increasingly vulnerable target for payments fraud.

As BNPL grows online and in stores — global transaction volume is expected to reach $680 billion by 2025, according to Insider Intelligence — more businesses have jumped on the bandwagon, from card companies to banks. Additionally, this burgeoning area of payments has prompted adaptations within the industry; credit bureaus, for example, have recently announced changes in response to BNPL's rise.

Another adjustment: More heightened awareness of fraud threats related to paying in installments. Experian's recent Future of Fraud forecast projected BNPL lenders are likely to see an uptick in identity theft and synthetic identity fraud this year.

With a lot at stake for merchants and lenders, this flurry of fraud activity in BNPL has prompted more action from companies looking to thwart deception in this payments space. Juniper Research estimated online payment fraud losses from 2021 to 2025 will amount to a cumulative $206 billion, and spending on fraud detection and prevention services will exceed $11.8 billion globally in 2025.

The current buy now, pay later vetting structure, which typically involves soft pulls on a consumer's credit history, makes the payment method more vulnerable and susceptible to fraud, said Ashley Usher, chief integration and information officer at Fortis Payment Systems, a payments and commerce company headquartered in Novi, Michigan.

"The lack of credit checks allows fraudsters to purchase merchandise through stolen credit cards and even avoid completing the divided payments altogether," Usher said in an email.

It's "a very lightweight process" Identiq Co-founder and Vice President Uri Arad said of BNPL, noting lenders want minimal credit checks, which can open the door to fraud risks.

Israel-based Identiq, a global information security company that's raised $52 million, has created a peer-to-peer network that allows companies to work together to vouch for consumers without exposing sensitive information. With BNPL, the biggest challenges involve verifying identity, given so many users are newer to the credit pool, Arad said.

With so many installment loan providers and offerings, BNPL fraud varies, which can make it more challenging to address than something well-known and defined, like a card-not-present transaction, said Outseer Vice President Lori Van Deloo.

"On one hand, [BNPL] is a way that people are paying," said Van Deloo, who oversees Outseer's worldwide market strategy and product marketing. "On the other hand, it's an instant point-of-sale loan or financing," so the types of fraud seen there are different.

A majority of BNPL customers "are going to be thin-file customers with little to no credit history, and so the opportunity for fraud, in terms of creating synthetic identities or even an account takeover, ends up being pretty tempting for the fraudsters," said Outseer CEO Reed Taussig.

Outseer, owned by the cybersecurity company RSA Security, recently launched its Emerging Payments platform, with buy now, pay later being its first focus area. Outseer, which works with tier-one banks and authenticates billions of transactions annually, wanted to bring its fraud protection to the burgeoning BNPL sphere, Taussig said.

Given the growth of fraudulent transactions, especially amid the pandemic, Outseer focuses on payment authentication and monitoring. BNPL fraud isn't much different than credit card fraud, Taussig said, but does have an added twist. With thin-file consumers lacking history, "the degree of sophistication that is required in order to really understand [who the customer is] for this transaction becomes challenging," he said.

It's also an elongated transaction, Taussig added, resulting in multiple opportunities for fraud. Merchandise is received before it's fully paid off, and if a customer isn't paying for 60 days, "you're not even going to know whether this is a fraudulent transaction for 60 days. In discerning whether a synthetic or stolen identity is being used, the authentication requirement is even higher," Taussig said.

Synthetic identity fraud, which Van Deloo said is at least a $6 billion problem, comes into play at the BNPL enrollment stage. Fraudsters may have partial information about someone and then phish for the last piece they need, like a phone number or date of birth, to create "these kind of Frankenstein-type" synthetic identities they use to enroll in an installment plan.

Account takeover, on the other hand, occurs after enrollment. The company monitors account updates carefully, when a fraudster might go in and change an address, or change a funding source, Van Deloo said.

Outseer tracks the entire process with installment payments and authenticates throughout. "If you were to look at what's happening just at that point of transaction, you might miss some of the fraud that's happening after the fact," she said.