Spike in BNPL Fraud Prompts Cybersecurity ‘Arms Race’

Paper checks, credit cards, bank accounts — all have been favored targets of fraudsters over the years. Enter buy now, pay later (BNPL), the latest payment form shadowed by cybercrooks.

With the meteoric growth and staggering popularity of point-of-sale (POS) credit comes the inevitable wave of criminal activity around it, as bad actors create fake accounts and make off with merchandise.

A new study commissioned by identity and compliance risk firm GIACT, a Refinitiv company, found that of United States consumers surveyed who had been victims of application fraud, 23% had their information used to open a BNPL account in 2021. It’s startling, but not surprising to James Mirfin, global head of digital identity and fraud solutions at Refinitiv.

As Mirfin told PYMNTS, “there’s a good reason why it’s grown so much. Buy now, pay later seemed to be the theme of 2021. Pretty much every major retailer offers buy now, pay later. I walked through an airport yesterday, and they were offering it. Wherever there’s growth in a particular category, criminals also go there as well.”

BNPL is an increasingly popular target because cyberthieves are drawn to anywhere there’s action, but also because, Mirfin said he suspects, providers are chasing revenue without putting in place the same controls that more established financial players have.

That’s a message BNPL providers and their merchant clients need to hear as the fraud problem in the sector worsens. Policies and systems need to change to keep ahead of the fake accounts and stolen goods that are increasingly marring this hugely popular form of financing.

Mirfin said it starts at onboarding.

“Specifically, when we talk about application fraud, it’s really about protecting that upfront sign up and making sure that you are using the best data to establish that this is actually the customer you think it is that’s creating an account with you,” he said.

He ran down the list. Fraudsters are creating and using fictitious identities. They’re using “combinations of good data and fictitious data. It’s obviously very attractive to be able to create an account and get high value products shipped out to an address,” he said.

“I always describe it as an arms race,” he added. “It’s an arms race between the financial services providers and the criminals because they’re all trying to use compromised data, compromised accounts and find vulnerabilities.”

The Data Challenge

The devil is in the data and, as Mirfin told PYMNTS: “We very much think of it as a data challenge, which is looking at the different information that a consumer’s using for either creating an account, when they’re transacting on an account, or when making a change.”

“It comes down to working with service providers like Refinitiv and others that can help you have what I think of as a multilayered approach to protecting the accounts and to protecting your customers and your business,” he said.

That data-driven multilayered approach involves systems that scan and detect suspicious behavior, which can go completely undetected in the absence of strong solutions. Mirfin said email is often revealing when hunting for fraudsters in one’s BNPL customer base.

“When was that email account set up?” he said. “Does it correspond to the individual that’s using it? Is it a trusted email address, if you like? From our perspective, it’s very much a real-time data challenge that can help to solve this.”

It goes beyond checking data at scale, and far beyond that in some cases, if a company is serious about cleaning the crooks out of its BNPL accounts.

“If I’ve got an account with a merchant, and I try and change some data, do I send a message out to the mobile number that was registered or the email address that was previously on the account to confirm [who’s] making that change?” he said. “You’d be surprised how many providers don’t.”

Turning Red Flags Green

As to the “arms race” between legitimate businesses and fraud rings, know your enemy. These criminal enterprises are well-funded, use the latest tech, and “employ” the smartest coders they can find, who spend their workday industriously creating fake accounts and stealing, he said.

Partners like Refinitiv move quickly to scour data for red flags in real time, using multifactor authentication (MFA), location-based risk ranking, identity verification and risk screening tools.

“One of the areas that we focus on is also looking at payment information as well,” Mirfin said. “When you start to link identity with payments or bank account verification, ownership and bank account status, again, it’s that triangulation of information to try and make sure that you’ve got the person you think you have buying from you.”

Conceding that the prevalence of fraudulent accounts being opened in the BNPL space over the past year “looks pretty bleak,” Mirfin added, “the good news is that there are solutions out there, and for every criminal that’s successful, there’s lots that aren’t, and there’s lots of businesses that are able to protect themselves.”

“Whether you are a large business or a small business, you don’t want to be the weakest one out there because the criminals are going to find you, and they’re going to exploit that,” he said. “It’s important to look at this stuff and to try and protect your business and your consumers.”

“There’s an education aspect to this [for] service providers like [Refinitiv] and financial institutions,” Mirfin said. “There’s a role for all of us to play to make sure consumers think about what’s happening, that they protect their accounts, protect their passwords and take advantage of biometrics where they can because all of those [offer greater account security].”