Fraudsters are taking advantage of the buy-now, pay-later (BNPL) payment model, according to Jim Ducharme, COO of Outseer. On the CyberWire’s Hacking Humans podcast, Ducharme explained that scammers can either impersonate victims or take over their accounts in order to make fraudulent purchases.

“In some cases, you know, it’s really what’s old is new,” Ducharme said. “Attackers are using a lot of the same techniques they used before, either account takeover or, in some cases, a new type of fraud called synthetic identity fraud. And what that really is, in synthetic identity fraud, when a fraudster goes to check out, they’ll use social engineering or other means to basically steal somebody’s identity and pretend to be you and just have the merchandise shipped to them. So, we see this quite a bit where, you know, somebody creates an identity or uses a synthetic identity to pretend to be somebody, get that installment plan, purchase the goods and services, and then by the time fraud is detected, the rip-off has already happened, if you will. In the case of account takeover, you know, again, a similar sort of thing where people are stealing credentials or ways to get into an account so that they can again enable this new way to pay and basically steal those goods and services using somebody else’s account or identity.”

Ducharme added that BNPL providers may also be more susceptible to fraud because they have less experience with fraud prevention than traditional credit card companies.

“With your credit card, as you probably know, the consumer is typically not responsible for the fraud, and the credit card company’s responsible for that,” Ducharme said. “And so they’ve put a number of controls in place to help prevent fraud and mitigate that risk. And so what we’re seeing is in – you know, with these new buy-now, pay-later methods, you know, we have to look at those same things. And in these cases, these buy-now, pay-later companies are typically going to be held liable to that fraud. But, again, some of the newer companies don’t necessarily have the decades of fraud prevention capabilities in place or even the sophistication of the new attack patterns of, you know, fraud at the point of an account enrollment versus what we’re typically, you know, what we’ve traditionally done for fraud prevention at the point of a transaction.”

New-school security awareness training can give your employees a healthy sense of suspicion so they can avoid falling for social engineering attacks.