The insidious threat of fraud in the buy now, pay later space
Concerns over the credit risks of Buy Now, Pay Later (BNPL) platforms have been making headlines, but there’s another threat beneath the surface: fraud.
Federal regulators’ fixation on the credit risk associated with BNPL is warranted. Banks lending money to hundreds of thousands of consumers who may not be able to repay their loans could create a bubble that would rattle financial markets and leave investors shaken when it bursts.
The fraud that’s occurring is largely overlooked, making it a more insidious threat. Fraud on BNPL platforms differs from general e-commerce fraud because of the unique way BNPL is structured. With payments spread across four (or more) transactions, fraud actors have an expanded “attack surface,” giving them more opportunities for infiltration.
There are two types of fraud happening in the BNPL space. Neither is new, but both have found these largely unregulated payment forms to be soft targets.
The first type of fraud is known as “synthetic identity fraud,” where scammers paste together pieces of information stolen from real people (a name, a birthday, a social security number) to create a Frankenstein identity that they use to buy goods and services through a BNPL provider.
They receive what they “purchased” immediately, with no intention of repaying the loan. Since they created a fake identity to make the purchase, there’s no effective way to track them down.
Synthetic identity fraud is pervasive: It costs banks and lenders some $6 billion a year, according to the New York data services firm Auriemma Group, and is considered by the Federal Reserve to be the fastest-growing form of financial crime in the U.S.
The second type of fraud that scammers–individual criminals and organized fraud groups alike–are perpetrating using BNPL platforms is known as “account takeover fraud.” Account takeover fraud occurs when a criminal gets ahold of a BNPL user’s login, either by duping them into revealing it or by buying it on the Dark Web.
Once the fraudster is able to log in to a legitimate person’s BNPL account, they can buy a range of products, from Pelotons and iPhones to gas and groceries. The unwitting consumer whose account has been exploited to make these purchases doesn’t know what happened until the loans become due weeks or months later.
Data on just how much fraud is happening on BNPL platforms remains scarce. These platforms operate independently of one another. Measuring illicit activity across a wide range of private services is a perennial challenge–but anecdotal evidence is surfacing.
A growing chorus of cybersecurity experts are saying they’re seeing fraud occur. Scammers are openly boasting on Telegram about their ability to exploit innocent BNPL users. A March 15 report from the San Francisco-based anti-fraud company Sift that was derived from the company’s global network of over 34,000 sites and apps found that fraud attacks on BNPL platforms have gone up 54% year-over-year.
In other sectors, account takeovers are increasing rapidly, so it stands to reason that they are also increasing on BNPL platforms. In the second quarter of last year, these kinds of attacks increased by 75%, according to a report our company published after analyzing 49,000 online attacks we witnessed that quarter. This surge is driven by the pandemic, as people live more of their lives online, increasing the “attack surface” fraudsters can target.
While the total volume of account-takeover attacks in the BNPL space is still lower than that of traditional banks, the growth rate is almost certainly higher. My company, Outseer, helps financial institutions prevent fraud. We are hearing from the financial institutions we work with that proportionately, fraud is happening more in BNPL than with traditional credit mechanisms like credit cards. This may be due to BNPL not being subject to the same rules governing traditional financial institutions.
BNPL is a shadow economy for lending, and like any shadow economy, the lack of government monitoring makes it easier for criminals to deceive law-abiding citizens.
What’s needed is a bold approach by the private and public sectors alike that makes it harder for criminals to carry out this fraud.
In the private sector, companies across the BNPL ecosystem will need to implement defenses against evolving attack modalities, without sacrificing the convenience and choice that make this alternative payment so appealing. Specifically, machine learning, data science, and shared global intelligence can help identify and stem the artifice and deception.
Because of the way BNPL is structured, where consumers delay paying back their loans, the full extent of the fraud occurring in this space won’t start to become visible for at least another quarter.
If we wait until then to act, it may be too late.
Armen Najarian is Outseer’s Chief Identity Officer.
The opinions expressed in Fortune.com Commentary pieces are solely the views of their authors, and do not reflect the opinions and beliefs of Fortune.
More must-read commentary published by Fortune:
- Now is the time for a universal digital wallet–and Google can’t make it happen on its own
- We should stop blaming workers for the Great Resignation–and start looking at the jobs they’re leaving
- These employers are helping workers achieve their dreams of homeownership
- We are not doing our best to solve the truck driver shortage
- The art of being the only one in the room
Sign up for the Fortune Features email list so you don’t miss our biggest features, exclusive interviews, and investigations.