How to Prevent Account Takeover for Buy Now Pay Later Companies

Online accounts are precious. Even more so when they belong to Buy Now Pay Later (BNPL) customers.

Why Is Account Takeover Fraud a Problem for the BNPL Sector?

BNPL accounts are valuable to fraudsters for two reasons:

First, they can mine them for personal information, which can fuel identity fraud or synthetic identity fraud. This causes all kinds of problems down the line, from issues with KYC and AML compliance to helping fraudsters open bank accounts.

Then there is the fact that these accounts are linked to payment methods. It doesn’t matter whether it’s Apple Pay or a credit card: fraudsters will use the account as their own personal wallet to purchase goods and services. This results in more opportunities for chargeback fraud.

Yet another concern for the BNPL company is the issue of customer trust. If a fraudster manages to log into your user’s BNPL account, chances are they will blame you for the security breach.


How Do Fraudsters Take Over BNPL Customer Accounts?

Cybersecurity company Outseer reports that account takeover (ATO) attacks surged by 75% in 2022, fueled partly by BNPL companies.

But how do fraudsters target these accounts? The same way they do in every other industry. One reason ATO is such a popular attack is that there is no shortage of ways to carry it out against unsuspecting customers. A fraudster may:

  • Find login details in data breaches: Customers often reuse the same password and email address across their accounts. Fraudsters obtain these lists and systematically try them on your BNPL site using bots, a practice known as credential stuffing.
  • Phish or spear-phish them: Fraudsters impersonate BNPL companies online and trick people into divulging their passwords.
  • Brute-force their way into accounts: Fraudsters automate password guessing with bots against email addresses they already know are linked to BNPL accounts.

And as phishing opportunities show no signs of slowing down, your BNPL customers are increasingly at risk of having their accounts stolen or “hacked”.

How to Detect BNPL ATOs

Broadly speaking, there are three key questions to ask to secure your BNPL customers’ accounts at the login stage:

  • How easily are they logging in?
  • Does their data appear familiar or suspicious?
  • Is their behavior consistent with that of their previous sessions?

Here are ten examples of suspicious actions you should be monitoring at all times:

Top 3 Custom Rules for Account Takeover in BNPL

Now that we understand how and why fraudsters target BNPL accounts, let’s look at concrete examples of risk rules to deploy to catch them.

#1: User Entered the Wrong Password Five Times

A great way to secure accounts is to monitor when the user has trouble logging in. In this scenario, we’ll consider that five failed attempts is suspicious, and could point to BNPL account takeover.

[Screenshot: BNPL wrong password rule]

We’ll set this rule to automatically flag the account for manual review. You can connect SEON to your favorite messaging app, such as Slack, and receive real-time alerts when this kind of event happens.

Here is what the rule looks like once it’s been triggered by the failed login attempts.

[Screenshot: BNPL wrong password rule, triggered]

What happens next is completely up to you. You could:

  • automatically message the customer to check everything is fine
  • ask for extra verification once they manage to log in
  • force them to enable 2FA or MFA
  • or even freeze the account on the spot

#2: IP Country Is Different from Card Country

IP lookup tools are becoming increasingly sophisticated. At a minimum, you can see where the person is connecting from, which can lead to insightful deductions about your customers’ identities.

For instance, let’s look at a customer based in Australia, who suddenly changes their card details. The new prepaid card’s location points to Switzerland. Why would that be?

[Screenshot: virtual card from a different country]

Well, they could be traveling or using a card from a country where they used to reside.

But if the IP or card change is sudden, you could very well be dealing with account takeover fraud. The fraudster accesses the account and immediately uses it to purchase items (which will result in chargebacks).

For this reason, we’ve set this rule to add just 1 point to the risk score, meaning it is somewhat of a concern, but only when seen in combination with other suspicious behaviors and data.

#3: Customer Is Suddenly Increasing Their Transaction Volume

This is an interesting rule that showcases the power of velocity checks. If your BNPL customer is going on an unexpected shopping spree that is quite unlike their usual shopping patterns, you have reason to suspect that something malicious is going on, and that someone else might have accessed their account.

In the example below, we’re looking at a whopping 200% increase in transactions over 24 hours.

[Screenshot: AML Rule]

Of course, increasing payment volume isn’t enough to catch a fraudster. This is why this rule only adds 20 points to our risk score.

Yet, combined with other suspicious activity, such as an unlikely IP address or previously unseen device, this user probably deserves your scrutiny. Double-check that your customer is who they say they are.
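The three rules above, as an added example that is not from the post and not SEON’s own code: a small Python scorer that replays a constructed event history for one account and applies the page’s thresholds (five failed logins routes the account to manual review, an IP/card country mismatch adds 1 point, a 200%+ rise in purchases over 24 hours adds 20 points). The event schema, the 24-hour windows and the one-week baseline are assumptions.

```python
from datetime import datetime, timedelta

# Constructed account history (not SEON data), in chronological order: a quiet week,
# then five failed logins, a login from Australia, a new Swiss card and a purchase burst.
EVENTS = (
    [{"ts": f"2024-03-0{d}T10:00", "type": "purchase"} for d in (1, 3, 5)]
    + [{"ts": f"2024-03-08T09:0{i}", "type": "login_failed"} for i in range(5)]
    + [{"ts": "2024-03-08T09:06", "type": "login_ok", "ip_country": "AU"},
       {"ts": "2024-03-08T09:07", "type": "card_update", "card_country": "CH"}]
    + [{"ts": f"2024-03-08T{h}:00", "type": "purchase"} for h in (10, 11, 12)]
)
NOW = datetime(2024, 3, 8, 13, 0)  # evaluation time for the velocity windows

def count_in_window(events, etype, now, hours):
    """Number of events of one type in the `hours` before `now` (a velocity check)."""
    start = now - timedelta(hours=hours)
    return sum(1 for e in events
               if e["type"] == etype and start <= datetime.fromisoformat(e["ts"]) <= now)

def ip_vs_card_country(events):
    """Rule #2: IP country of the latest login differs from the current card's country."""
    logins = [e for e in events if e["type"] == "login_ok"]
    cards = [e for e in events if e["type"] == "card_update"]
    return bool(logins and cards and logins[-1]["ip_country"] != cards[-1]["card_country"])

def volume_increase_pct(events, now, baseline_days=7):
    """Rule #3: purchases in the last 24h versus the daily average of the prior week."""
    recent = count_in_window(events, "purchase", now, 24)
    earlier = count_in_window(events, "purchase", now, 24 * (baseline_days + 1)) - recent
    baseline = earlier / baseline_days
    if baseline == 0:  # no history to compare against: treat any activity as a spike
        return float("inf") if recent else 0.0
    return (recent - baseline) / baseline * 100

def score_account(events, now):
    """Apply the three rules; rule #1 routes to review, #2 adds 1 point, #3 adds 20."""
    result = {"points": 0, "manual_review": False, "reasons": []}
    if count_in_window(events, "login_failed", now, 24) >= 5:      # rule #1
        result["manual_review"] = True
        result["reasons"].append("5+ failed logins in 24h")
    if ip_vs_card_country(events):                                 # rule #2
        result["points"] += 1
        result["reasons"].append("IP country differs from card country")
    if volume_increase_pct(events, now) >= 200:                    # rule #3
        result["points"] += 20
        result["reasons"].append("purchase volume up 200%+ in 24h")
    return result
```

On the constructed history the account ends up with 21 points and a manual-review flag; the first three events alone score zero, which is the point of combining weak signals rather than acting on any one of them.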


How SEON Can Help Prevent BNPL ATO Fraud

SEON is a full fraud prevention solution designed to let you learn more about your users and stop fraudsters in their tracks, whether it’s during onboarding, login, or the transaction stage.

[Screenshot: SEON workflow for fraud prevention]

You have complete control over the data fields as well as the risk scoring and subsequent actions, allowing you to protect your BNPL customer accounts however it makes sense for your business.

SEON’s solution is granular and fully customizable, allowing you to mitigate risk however you see fit, so you can focus on growing your BNPL company as effectively as possible, with the exact level of risk tolerance you decide.

Source:

  • Outseer: Fraud & Payments Report Q3 2021

Jimmy Fong

Jimmy Fong is the Chief Commercial Officer of SEON. His expertise in payments saw him supervise the acquisitions of companies by Ingenico, Visa and American Express. Jimmy’s enthusiasm for transparent sales and Product-Led-Growth companies drives SEON’s global expansion strategy, and he interviews both fraud managers and darknet fraudsters in our podcast to stay on top of the latest risk trends. Yes, it’s also him wearing the bear suit on our YouTube channel.