Businesses and Consumers Alike at Risk as BNPL Usage Creates New Avenues for Fraud

Buy Now, Pay Later (BNPL) transactions increased 182% in the 12 months from June 2020 to June 2021, according to LexisNexis Risk Solutions’ Cybercrime Report H1, 2021, reflecting the boom in online shopping as a result of global lockdowns. As we near Black Friday and Cyber Monday, the further increase in BNPL transactions could put both merchants and consumers at a higher risk of falling victim to fraud.

In the race to onboard and checkout customers during the festive retail season, BNPL payment providers and online retailers must take care not to overlook the potential risks associated with this emerging payment option.

A major risk lies in fraudsters’ ability to use stolen credentials of good, trusted customers to open new accounts. Since BNPL providers typically carry out ‘soft’ credit or identity checks, they’re unlikely to spot potential fraud indicators, such as the email address or mobile number not being linked to the named applicant. Implementing tools that can check this in seconds, without interrupting the application process, will help retailers and BNPL providers to spot and stop such fraud attempts.

Account takeover, whereby a fraudster uses the stolen credentials of an existing BNPL user to make purchases on their account, presents further risk. Here, the ability to use a mix of physical and digital attributes to verify an individual’s identity, and dynamically add layers of verification where required, could help further minimise fraud risk for providers.

Equally, retailers can reduce the risk of reputational damage and negative scores as a result of issues such as chargeback fraud on payment cards, by ensuring they carry out enhanced fraud and identity checks at point of sale.

BNPL schemes provide consumers with additional flexibility and choice when shopping online, yet both retailers and the providers themselves should be mindful of the potential risks.

BNPL fraud is not the only risk associated with transacting online. The latest Cybercrime Report, combining data from 28.7 billion online transactions, also revealed bot attack volumes grew 41% from June 2020 to June 2021, while human-initiated attacks fell 29% over the same period. This growing ‘industrialisation’ of digital fraud is seeing fraudsters increasingly working together, conducting fraud attacks in organised networks, across sectors and borders, using sophisticated automated tools and dark web intelligence to commit theft.

Businesses must therefore ensure they are doing all they can to protect themselves and consumers from fraud risks, by implementing technologies that can accurately distinguish between trusted and fraudulent customer behaviour without interrupting the customer journey. Consumers want a slick service, but they also need the reassurance that the online merchant they’re using can effectively protect their account from being compromised, and may take this into account when deciding whether to buy from an online retailer.

Kate Dunckley, Senior Solutions Consultant, Fraud and Identity at LexisNexis Risk Solutions, comments:

“Fraudsters will always look to exploit new avenues wherever possible. With the increased levels of online shopping activity in the period around Black Friday, Cyber Monday and the festive retail season, we’re facing a perfect storm that is likely to lead to a surge in risks for both businesses and consumers.

“With an increased volume of transactions expected over this period, there is greater opportunity for fraudulent transactions to slip under the radar – something fraudsters know and will always look to exploit. To add to the complexity of the problem, Black Friday and Cyber Monday sales now often occur across several days, even weeks, meaning that attacks can be spread across a much longer period.

“As fraudsters adapt to the changing eCommerce environment, businesses will need to bolster their defences and arm themselves with tools that can automatically differentiate between a trusted customer and a cyber-threat and implement multi-layered defences that can stop attacks, whilst remaining completely invisible to the customer. The ‘newer to online’ businesses in particular should take extra care to implement adequate defences, given they’ll be perceived by opportunistic fraudsters as having the lowest defences against sophisticated fraud attacks, over the coming weeks.”


  • Francis is a journalist and our lead LatAm correspondent. With a BA in Classical Civilization, he has a specialist interest in North and South America.
