Lax credit checks, minimal personal data requested, and fast loan approval. What’s not to love about buy now, pay later (BNPL) options if you’re a cybercriminal? From creating fake identities to exploiting flaws in providers’ data-management tools, bad actors have been quick to take advantage of these fast-growing, convenient finance services.
BNPL is essentially a modern take on in-store layaway, and it has surged in popularity in recent times, with adoption climbing at an impressive rate. As the name suggests, BNPL services offer shoppers a fast and flexible way to purchase items they might otherwise have been unable to afford immediately.
But fraudsters love BNPL, too—for two main reasons. First, these services have a quick and simple digital registration process and considerably softer credit checks than you find at big banks or with traditional credit card companies. Fraudsters can be approved by a BNPL lender in a matter of seconds.
Yes, most BNPL companies have a robust anti-fraud process in place, but since the industry is in a relatively early stage, many of these companies are relying on a variety of data sources and services to support their internal customer-identification processes.
This brings us to the second reason BNPL is so appealing to cybercriminals: the more advanced the scoring becomes, the more pressure is placed on third-party data management to obtain the unobtainable—to be flawless and not leave gaps open for misuse.
BNPL providers want their processes to be frictionless. They need the signup process in particular to favor simplicity to build their brand’s market share, onboard the maximum number of new customers, and then retain them. So they must both take care with new customers and also protect legitimate accounts from takeover fraud and mitigate false purchases that drain profit. And they need to be able to make accurate decisions in near real time, with significant volumes of transactions being processed. See the predicament?
It’s worth repeating: cybercriminals are growing more sophisticated by the day. In the BNPL space, bad actors have been known to exploit everything from misconfigurations in customer-relationship management to vulnerabilities in the BNPL risk-scoring engines to password-protected idle-user accounts. Each information leak gives cybercriminals more data to leverage—names, addresses, phone numbers, emails—in their pursuit of identity theft.
A solution that is taking off with several major BNPL service providers is the addition of fraud-defense measures that are powered by artificial intelligence and use advanced statistical and machine-learning techniques. These protective layers monitor the provider’s underlying systems to expose fraudulent transaction patterns and strengthen the effectiveness of risk-based decision systems. Smarter monitoring and detection engines can prevent account takeovers by identifying changes in customer behaviors, block stolen-identity attacks using intelligent and adaptive classification models, and provide additional protection by identifying and leveraging similarities between seemingly unrelated transactions.
Combining multiple algorithms to detect multiple weak patterns allows today’s AI-powered solutions to detect advanced fraud and manipulation earlier and faster than standard risk algorithms. They do it by looking for inconsistencies and high-dimensional correlations in data that can then be investigated further. These detection engines can also flag previously unidentified vulnerabilities and gaps in third-party systems.
By distinguishing mere coincidences from unusual groups of related transactions, these engines work in close collaboration with pre-existing underlying systems to prioritize alerts based on the full transaction context. The result is a significant reduction in false-positive alert volumes. That both improves the efficiency of risk-and-fraud analysts and powers a smooth digital experience that boosts brand reputation and builds a loyal customer base.
The BNPL industry is walking a tightrope to keep the business secure without sacrificing trademark features like fast and easy approval and no-pressure payment plans. However, by elevating their automation-oversight capabilities, these providers can win greater market share with confidence while also significantly reducing fraud.
—Martin Rehak is chief executive of Resistant AI, Prague.