Crooks follow the money, and right now there’s a lot of money in buy now pay later (BNPL), which currently accounts for about $97 billion of global e-commerce transactions.

That number is expected to double by 2024, according to Worldpay, the payment processing firm owned by core provider FIS. Although 71% of 2,000 businesses surveyed by Experian see BNPL as secure, it has in fact become a target for cyberattacks, according to Bill Sytsma, senior vice president of sales at identity authentication solution provider Callsign.

One in seven BNPL users has experienced fraud, Sytsma told Bank Automation News. The attacks take various forms: emails with fraudulent BNPL offers that appear to be from established retailers, fake BNPL offers unrelated to merchants, and hacks that steal the user’s name and passcode from actual BNPL services.

“Once [consumers] experienced fraud, they basically abandoned the whole BNPL process, just because it just left a bad taste in their mouth,” Sytsma told BAN.

If the customer sets up the payment through a credit card, then it’s possible to catch and reverse the charges — but often the charges are so small that people miss them, he added.

Synthetic fraud — the act of creating an identity to cause another person financial harm — is another growing scam within the BNPL industry, Mike Cook, vice president of fraud at identity verification company Socure, told BAN. Cybercriminals target consumers with poor credit histories and fraudulently manipulate their Social Security numbers or credit links to create a higher credit limit, he said, noting they can also create completely fabricated identities.

“Synthetic identities take a different bunch of different forms, but basically, they’re just identities that don’t really exist,” Cook said.

The industry is currently an attractive target because BNPL vendors are actively trying to grow their customer bases, he added.

“They generally don’t ask for as much information as they need, so it’s easier for a synthetic identity, or a third party, or even first-party fraud, which is the consumer who’s using their own identity to get credit to get a BNPL loan fraudulently and not pay them back,” Cook said.

Often fraudsters will create fraudulent identities using a young age or an foreign-sounding name so they appear not to have a long credit history. BNPL relies on soft credit pulls, making it an easy target for fraudsters, Cook said.

“[Cybercriminals can] basically test the process and see if they can get that identity through without having to establish a bunch of inquiries on the credit report, which would therefore hurt that identity that they’ve created,” he said.

Help shape our agenda for the Bank Automation Summit by applying to join the speaker roster here. Potential speakers will be contacted and confirmed directly by the editorial team, and only qualified submissions will receive a response.

Learn more about Bank Automation Summit Fall 2022.