BNPL transaction values are projected to nearly double, from $334 billion in 2024 to $687 billion by 2028. But growth also brings proportional fraud exposure, and the typologies hitting BNPL providers are getting more sophisticated faster than most detection stacks are evolving.
Unlike a standard card transaction, where the attack surface is a single checkout event, BNPL stretches the window across weeks or months of scheduled repayments. The friction providers remove to maximize conversion is the same friction that would have stopped a fraudster at the door.
This article breaks down the most common BNPL fraud types, how detection works at each stage of the payment lifecycle and what providers can do to stay ahead.
Key Insights
- BNPL fraud operates across two distinct attack surfaces: onboarding and every subsequent payment event.
- The frictionless experience that drives BNPL adoption is the same reason fraudsters prefer it over other payment models.
- First-party fraud has more than doubled in a single year and is now the fastest-growing fraud category globally.
- Three detection strategies catch the majority of BNPL fraud patterns: device fingerprinting, login monitoring and digital footprint analysis.
- Real-time transaction monitoring is essential. The extended repayment window means fraud can go undetected for weeks without it.
What Is BNPL Fraud?
BNPL fraud refers to any fraudulent activity that exploits the buy now, pay later payment model. It operates across two main channels: fraudsters attacking the payment system itself using tactics common across digital payments, and fraudsters exploiting the onboarding process, where due diligence is deliberately kept light to preserve the frictionless experience.
The Most Common Types of BNPL Payment Fraud
BNPL providers face a wider range of fraud typologies than most other payment models. The extended repayment window, lightweight onboarding and real-time credit decisions each create distinct attack surfaces, and fraudsters exploit all of them.
Never-Pays Fraud
A fraudster creates an account using real, stolen or synthetic identity data, triggers order fulfillment by paying the first installment, then stops. The item is delivered. The remaining payments never arrive.
For fraudsters operating at scale, the economics are straightforward: pay 25% of an item’s retail price, sell it at a profit, repeat with a new account. First-party misuse, including friendly fraud and chargeback fraud, is accelerating. 64% of merchants reported an increase in first-party misuse in 2025, with one in four reporting a 25% or more increase.
Account Takeover (ATO)
BNPL accounts with an established payment history have a pre-approved credit line, making them valuable targets. A fraudster who gains access via credential stuffing or phishing can route a high-value purchase to themselves before the legitimate holder notices.
The victim may not realize they were compromised until the second scheduled charge arrives, which could be weeks after the attack. By that point, the fraudster has moved on.
Trojan Horse Fraud
A fraudster creates an account and makes several legitimate payments to build trust with the provider, then switches to a stolen credit card for a high-value purchase. The account appears to belong to a reliable payer. The chargeback that follows lands squarely with the BNPL provider.
Synthetic Identity Fraud
Synthetic identity fraud thrives in BNPL precisely because onboarding checks are lighter than any other credit product. A fraudster combining a real email address, a plausible device setup and fabricated personal details can pass standard KYC checks without triggering a flag. What makes it particularly damaging is timing: a synthetic account that pays its first installment on time looks identical to a legitimate customer until the bust-out hits and the loss is written off as bad debt.
Fraudulent Chargebacks
A customer pays for a purchase, receives the item, then disputes the charge, claiming the transaction was unauthorized or the item never arrived. The BNPL provider absorbs the cost. For every $1 of a chargeback, the merchant loses at least $3.
ViaBill slashed fraud registrations by 90% and chargebacks by 50%, frictionlessly.
Read the case study
How to Detect and Prevent BNPL Payment Fraud
Effective BNPL fraud detection covers three stages: account creation, post-login account activity and individual payment events. Most providers focus heavily on onboarding. The transaction stage is where the gaps are.
Device Fingerprinting at Onboarding
Never-pays fraud at scale requires volume. A fraudster buying and abandoning items needs a new account for each transaction, and most create those accounts from the same device or a recognizably similar one.
Device fingerprinting captures a detailed hash of a user’s device environment, covering browser language settings, installed add-ons, screen resolution and operating system version. The fingerprint is specific enough that a repeat fraudster returning under a new identity will frequently match against a previously flagged device. Feeding confirmed fraud cases back into the detection model allows the system to flag matching device signatures before a new account completes a purchase.
New Device and IP Monitoring at Login
A login event showing a new device and a new IP address — particularly if the IP originates from a different country than the registered address — is a strong indicator of an account takeover attempt. Adding significant weight to the fraud score when both conditions appear simultaneously surfaces these cases for review without blocking the majority of legitimate logins.
Velocity checks that monitor credential changes in real time mean that if a fraudster updates account details after gaining access, the fraud team is alerted before the next payment event.
Digital Footprint Analysis at Account Creation
A real person’s email address and phone number accumulate history over time and are linked to social media accounts, streaming services, financial platforms and other digital services used in daily life. A fraudster using a disposable email has none of that history. Neither does a synthetic identity, regardless of how convincing the KYC data appears.
Digital footprint analysis turns this absence into a risk signal. Checking whether an email or phone number is linked to known platforms, whether it has appeared in data breaches and whether the account handle matches the name provided at registration produces a risk picture that standard KYC cannot replicate without adding any friction for legitimate users.
The Role of Real-Time Transaction Monitoring
Fraud that survives onboarding does not stop there. Trojan horse attacks and ATOs both rely on fraudsters maintaining access to accounts that look legitimate from the outside. Without ongoing transaction monitoring, providers have no visibility into what happens after the account is approved.
Real-time transaction monitoring evaluates each payment event as it occurs, comparing the device, IP, behavioral patterns and payment method against the account’s historical profile and known fraud signals. A sudden change in payment method midway through an installment sequence, a payment routed from a card registered to a different country or a rapid increase in order value are all patterns that end-of-day batch monitoring catches too late.
Monitoring also needs to cover what happens between transactions. A login event from an unrecognized device three days before a payment date is worth flagging, even if the payment itself looks clean.
How SEON Helps BNPL Providers Detect and Prevent Fraud
SEON gives BNPL providers real-time detection coverage across the full payment lifecycle, from account creation through to every scheduled repayment, without adding friction to the customer journey.
At onboarding, SEON enriches each user profile using 900+ real-time signals across email, phone number, IP address and device intelligence. Digital footprint analysis flags thin or absent account histories, device fingerprinting catches returning fraudsters under new identities and IP intelligence surfaces location anomalies — all within milliseconds of account creation, before a credit line is extended.
For post-onboarding monitoring, SEON evaluates each login and transaction against the user’s full behavioral history and real-time risk signals. New device and IP combinations trigger automatic escalation, payment method changes mid-sequence are scored in real time and account takeover patterns are flagged before the next installment is due. AI-powered detection adapts continuously, surfacing emerging fraud patterns and refining risk scoring as BNPL-specific tactics evolve.
SEON’s fraud consultants work with BNPL providers to map detection coverage across every payment stage and identify where attacks are most likely to slip through.
Speak with an Expert
Sources
- eMarketer: BNPL is the latest fraud target—and providers should act quickly to avoid losses
- GlobeNewswire: Buy Now Pay Later Market Size to Hit US$ 3268.26 Bn by 2030
- Fortune: Artificial Intelligence Is Giving Rise to Fake Fingerprints. Here’s Why You Should Be Worried
Frequently Asked Questions
BNPL fraud refers to any fraudulent activity that exploits the buy now, pay later model. Common types include never-pays fraud, account takeover, synthetic identity fraud, trojan horse fraud and fraudulent chargebacks. BNPL providers are typically liable for losses across all of them.
BNPL’s low-friction onboarding and extended repayment window create a larger attack surface than a single-transaction payment. Real-time credit decisions without formal credit checks make it easier for fraudsters to open accounts, and the weeks-long payment cycle gives attackers more time to act before detection.
Device fingerprinting captures a detailed hash of a user’s device environment, including browser settings, screen resolution and installed extensions. The fingerprint is specific enough that a fraudster returning under a new identity will often match against a previously flagged device, allowing the system to flag the account before a purchase completes.
