According to a recent FinTech trends report, 2022 is expected to be a big year for Buy Now, Pay Later (BNPL). Apple’s recent announcement of its entry into BNPL with Apple Pay Later represents a seismic boom for a sector which is projected to top $1 trillion in annual gross merchandise volume by 2025. The tech giant’s move is bound to increase the popularity of what is already the hottest trend in FinTech. With a growing number of retailers and payment providers adopting BNPL as a payment option, expect to see more consumers relying on these services in the future.
Yet with great popularity comes great risk; in this case, the risk of online fraud. As BNPL fuels the shift to digital payments, Juniper Research estimates that losses from online payment fraud between 2021 and 2025 will amount to $206 billion. Accordingly, spending on fraud detection and prevention services will exceed $11.8 billion globally in 2025.
But before we dive deep into Buy Now, Pay Later fraud and what you can do about it, let’s first define what BNPL is.
Buy Now, Pay Later (BNPL) is a payment form that enables consumers to make purchases that are repaid in fixed installments, essentially enabling them to split a purchase into smaller, interest-free payments. Put simply, BNPL allows consumers to obtain the goods before they’re paid in full.
Buy Now, Pay Later fraud types
Like any boom, BNPL is attracting the attention of cybercriminals and fraudsters. New and emerging sectors are attractive to them because they often have gaps in security and regulation hasn’t caught up yet. These factors create fertile ground for fraudsters.
There are several types of BNPL fraud, but it is mainly driven by account-based fraud such as:
- Account Takeover (ATO) Fraud: This is the most popular form of Buy Now, Pay Later fraud. It occurs when a fraudster takes over an existing BNPL account and uses it to make unauthorized purchases. This can be done either by taking over the BNPL account directly, or by taking over a user account with a business that is authorized to charge the victim’s BNPL account, such as an online retailer. The second route creates an even bigger attack surface and allows fraudsters to act with more flexibility.
- New Account Fraud: This type of fraud occurs when fraudsters use stolen personal information from data breaches to create fake accounts utilizing someone else’s data.
In addition to those, there is the risk of digital skimming attacks, like Magecart, that exploit compromised JavaScript to steal sensitive data.
The financial services sector has traditionally been a high-value target of account takeover attacks. As covered in the 2022 Imperva Bad Bot Report, the industry was targeted by 34.6% of account takeover attacks. We predict that the shift to digital payments, fueled by the booming BNPL sector, will see a rise in ATO attacks on financial services.
In fact, the Imperva Threat Research Team has already recorded an increase in the number of account takeover attacks targeting the financial services sector over the past year, with a significant 58% month-over-month growth in May 2022 alone.
Who is affected by Buy Now, Pay Later fraud?
The consumer whose account has been hijacked, or whose personal data was used to create a fake account, is the first to be affected by this type of fraud. From a business perspective, it is essential to understand that Buy Now, Pay Later fraud isn’t just a problem for the payment platform. Any consumer-facing business accepting Buy Now, Pay Later as a payment option is at risk. In addition, because banks pay merchants up front for consumer purchases, this puts them at risk of losing up to 100% of a loan’s value through fraud.
Imperva helps reduce the risk of Buy Now, Pay Later fraud
Just as digital payments have evolved, so has online fraud. In a sector with payments at its core, businesses must ensure that customer data is safe and that transactions are secure. No less important, customer experience must not be affected.
Managing the risk of Buy Now, Pay Later fraud requires a holistic approach to online fraud prevention. You need an advanced bot management solution that not only excels at detecting and mitigating automated fraud, but also helps fraud teams prevent fraudulent activity on user accounts. Imperva does this by providing security practitioners and fraud teams with data about their users who are at risk of an account takeover, user accounts that have already been compromised, anomalous user behavior and more. Client-Side Protection ensures that sensitive customer data doesn’t end up in the wrong hands by providing visibility and actionable insights into third-party JavaScript services exfiltrating data from your application, eliminating the risk of data theft.