
Tackling Buy-Now-Pay-Later attacks

24 August 2021

Martin Rehak of Resistant AI investigates the online Buy-Now-Pay-Later phenomenon and describes some of the dangers that accompany it

Buy Now Pay Later (BNPL) services are experiencing massive growth. Offering shoppers a fast and flexible way to purchase items they might otherwise have been unable to immediately afford, the BNPL experience is proving an increasingly popular payment option for today’s digital consumers.

However, fraudsters have been fast to take advantage of the relatively straightforward process of instantly obtaining free credit.

As a result, organisations with BNPL offerings now face a deluge of increasingly sophisticated criminal activity. Last year saw a 200% increase in account takeovers in digital commerce alone, while the recent COMB leak (a compilation of earlier breaches) put some 3.2 billion email-and-password pairs online in a searchable database, a ready source of material for first-party fraud and the creation of synthetic identities.

Account takeover is particularly costly when it hits long-standing, established customers. Because a previous order was placed at some point in the past, the merchant's fraud system often waves through every new order on the account, and such accounts usually carry higher credit limits and fewer purchase restrictions.

Finding the right balance between risk and ease

The appeal of a simple digital registration and ‘soft’ credit check that is seamless and fast is proving a winning combination for consumers. They can secure BNPL approval in seconds and take possession of purchases while paying nothing or a minimal amount up front – scheduling future payment instalments over time.

However, the BNPL model is also a very attractive proposition for criminals looking to acquire big-ticket items and gift certificates that can easily be liquidated and sold on.

This creates a significant challenge for BNPL providers. To build market share in today's on-demand economy, they need to balance security with low-friction onboarding: keeping the customer's experience as safe as possible with the minimum of friction is critical.

This is particularly important when 40% of consumers say they won’t shop again with a merchant that falsely rejects their order – and we can certainly expect the same sentiment towards BNPL providers.

To enable the onboarding of new customers quickly and easily, whilst ensuring they are who they say they are, many BNPL suppliers find themselves dependent on a variety of data sources and services to support their internal identification processes.

But the more advanced the scoring becomes, the more it depends on flawless data management by third parties, and criminals will ruthlessly exploit any gap.

A smarter approach to mitigating BNPL fraud

Criminals are using a variety of approaches to commit BNPL fraud. These include exploiting misconfigurations in the online merchant's CRM, taking advantage of vulnerabilities in the BNPL scoring code, and taking over dormant, rarely used accounts on the merchant's site by cracking the long-forgotten password.

It's also not uncommon for them to use synthetic identities when applying for finance, enabling them to order items and have them 'accidentally' delivered to an unknowing, innocent victim's home. The attackers intercept the package and the victim is left with an unexpected bill.

This kind of attack is becoming more common with each major information leak. Easily available information on names, addresses, phone numbers and emails facilitates identity theft and impacts the validity of credit scores and identity validation.

As organised criminals continue to evolve their approaches, BNPL organisations need to be prepared to use more sophisticated means to mitigate risk and counter known and unknown fraud attempts. That means bolstering the credit-scoring algorithms of the BNPL service, and protecting the fraud-detection layers against manipulation and third-party gaps.

This additional protective layer combines statistical and machine-learning techniques to monitor the underlying systems, expose fraudulent transaction patterns, and shield and improve the effectiveness of risk-based decision systems.

Finding a problem before it becomes a threat

By combining multiple algorithms, each detecting a weak pattern, today's AI-powered solutions can detect advanced fraud and manipulation earlier by looking for inconsistencies and high-dimensional correlations in the data, which can then be investigated further.

This would, for example, expose early on a cluster of IP addresses in Northumberland being used to place orders for delivery to addresses in Bournemouth, so that the transactions can be quickly blocked.

Similarly, these detection engines are adept at identifying previously unknown vulnerabilities and gaps in third-party systems that are ripe for exploitation. One example is an electronics gift certificate misclassified into the gifts category of an e-shop, alongside low-risk gifting items such as boxes of chocolates and soaps. That makes it a top target for criminals looking to use the certificates to purchase electronics elsewhere or to sell them on eBay.

Early on, when criminals start purchasing the gift certificates using BNPL, this creates only a slight disturbance that standard risk algorithms won't detect.

However, an oversight engine that looks at the trends from multiple perspectives can quickly identify when the e-shop starts seeing a large number of transactions that don't include a physical item. Pinpointing the emerging pattern exposes the exploited vulnerability, in this case a misclassification, so that it can be rectified.
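The two patterns described above, a cluster of IP addresses in one region ordering for delivery to another, and an e-shop suddenly taking many orders with no physical item, are simple enough to show as detection logic run over sample orders. The following Python is an added example written for this page, not code from Resistant AI or from the original article; the Order fields, the /24 grouping, the baseline window, the thresholds and the sample orders are all assumptions made for illustration, and the IP addresses come from the reserved documentation ranges.

```python
"""
Two BNPL fraud-detection heuristics, implemented as an added example (editor's
code, not Resistant AI's product) and run over constructed orders:
  1. an IP-address cluster in one region ordering for delivery to another region,
     found by grouping orders by /24 prefix and looking for a dominant mismatch;
  2. a sudden rise in the daily share of orders with no physical item, found by
     comparing each day against a baseline window.
Field names, thresholds and sample data are assumptions made for this example.
"""
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Order:
    order_id: str
    ip: str           # client IP seen at checkout
    ip_region: str    # region the IP geolocates to (assumed already looked up)
    ship_region: str  # region of the delivery address
    physical: bool    # False for gift certificates and other non-physical goods
    day: int          # day index of the order (0 = start of the observation window)


def ip_prefix(ip: str, bits: int = 24) -> str:
    """Network prefix the IP belongs to, e.g. '203.0.113.0/24'."""
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def geo_mismatch_clusters(orders, min_orders=4, dominance=0.8):
    """Flag IP prefixes whose orders predominantly ship to a region other than the
    one the IPs geolocate to. Returns {prefix: (ip_region, ship_region, count)}.
    A single mismatched order (a gift sent to a relative) stays below min_orders."""
    by_prefix = defaultdict(list)
    for o in orders:
        by_prefix[ip_prefix(o.ip)].append(o)
    flagged = {}
    for prefix, group in by_prefix.items():
        mismatched = [o for o in group if o.ship_region != o.ip_region]
        if len(mismatched) < min_orders:
            continue
        dest, n = Counter(o.ship_region for o in mismatched).most_common(1)[0]
        if n / len(mismatched) >= dominance:
            src = Counter(o.ip_region for o in mismatched).most_common(1)[0][0]
            flagged[prefix] = (src, dest, n)
    return flagged


def daily_non_physical_share(orders):
    """Fraction of each day's orders that contain no physical item."""
    totals = Counter(o.day for o in orders)
    non_physical = Counter(o.day for o in orders if not o.physical)
    return {d: non_physical[d] / totals[d] for d in sorted(totals)}


def non_physical_spikes(orders, baseline_days=7, z=3.0, min_std=0.02):
    """Days after the baseline window whose non-physical share sits more than z
    standard deviations above the baseline mean. min_std stops a flat baseline
    (zero variance) from flagging every tiny fluctuation."""
    share = daily_non_physical_share(orders)
    base = [s for d, s in share.items() if d < baseline_days]
    mu, sigma = mean(base), max(pstdev(base), min_std)
    return {d: round(s, 2) for d, s in share.items()
            if d >= baseline_days and (s - mu) / sigma > z}


REGIONS = ["Bournemouth", "Leeds", "Bristol", "Norwich"]


def sample_orders():
    """Constructed data: seven quiet days with one gift certificate in ten orders,
    then two days where gift certificates jump to six in ten, plus five orders on
    day 8 from one /24 (documentation range 203.0.113.0/24) that geolocates to
    Northumberland but ships to Bournemouth."""
    orders, oid = [], 0
    for day in range(9):
        gifts = 1 if day < 7 else 6
        for k in range(10):
            region = REGIONS[(day + k) % len(REGIONS)]
            # one genuine mismatch (a present sent elsewhere) on day 3
            ship = REGIONS[(k + 1) % len(REGIONS)] if (day, k) == (3, 0) else region
            net = "192.0.2" if day % 2 else "198.51.100"
            orders.append(Order(f"o{oid}", f"{net}.{oid % 250 + 1}", region, ship,
                                physical=k >= gifts, day=day))
            oid += 1
    for k in range(5):
        orders.append(Order(f"g{k}", f"203.0.113.{10 + k}", "Northumberland",
                            "Bournemouth", physical=True, day=8))
    return orders


if __name__ == "__main__":
    orders = sample_orders()
    for prefix, (src, dst, n) in geo_mismatch_clusters(orders).items():
        print(f"{prefix}: {n} orders geolocating to {src} shipped to {dst}")
    for day, share in non_physical_spikes(orders).items():
        print(f"day {day}: {share:.0%} of orders contained no physical item")
```

The single mismatched order on day 3 is there on purpose: a customer sending a present to another town is normal, and the `min_orders` and `dominance` thresholds keep such one-offs out of the alert queue, which is the alert-volume point the article makes later. The `min_std` floor matters in the second heuristic because a perfectly flat baseline would otherwise turn any change at all into an alert.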

Connecting the dots

Today's smart monitoring and detection engines help prevent account takeovers by identifying changes in customer behaviour, block stolen-identity attacks using intelligent and adaptive classification, and provide additional protection by identifying and leveraging similarities between seemingly unrelated transactions.

Distinguishing mere coincidences from unusual groups of related transactions, these engines work in close collaboration with pre-existing underlying systems to prioritise alerts based on the full transaction context.

The result is a significant reduction in alert volumes that both improves the working lives of analysts – and creates a trusted customer experience that boosts brand reputation and builds a loyal customer base.

Capable of adapting continuously to emerging patterns of evolving fraud, today's oversight engines enable BNPL providers to apply more robust controls across multiple platforms. This means they can onboard customers at speed and with greater confidence, protect against fraud loss through detection and transaction blocking, and detect and discard fraudulent data supplied to the underlying credit-scoring process.

Martin Rehak is CEO of Resistant AI

All rights reserved Teiss Recruitment Ltd.