Account takeover attacks on the rise as BNPL rises: Imperva

In 2021, ATO attacks grew by 148% across all sectors and, in May 2022 alone, the Imperva Threat Research Team found attacks against financial services and fintech firms have soared by 58%, demonstrating the extent to which bot operators are increasingly turning to ATO as a reliable source of profit and disruption.

The BNPL sector is a target for bot operators because many of the businesses offering BNPL loans are relatively new, meaning they don’t have large amounts of historical fraud data to help them identify potentially fraudulent purchases, as per the press release. On top of this, a lack of regulation surrounding BNPL loans in comparison to other credit agreements, makes it easier for bot operators to commit Account Creation Fraud (ACF). ACF involves using stolen personal information from data breaches to create fake accounts and illegally purchase items.

Imperva’s company officials explained that Successful ATO attacks or ACF harm everyone involved in the transaction. For consumers, they can end up hundreds or thousands of pounds out of pocket, and potentially find their credit scores trashed as part of the bargain. And for businesses, they not only risk losing the entire value of the loan, but also incurring significant additional costs to support victims and investigate fraud claims, increased customer churn, and reputational damage for allowing accounts to be compromised.

According to the 2022 Imperva Bad Bot Report, three of the top four industries most affected by ATO attacks (Financial Services, Travel, and Retail) are most likely to be involved in BNPL transactions. Indeed, more than a third of all ATO attacks (34.6%) were directed towards the financial services industry, which is at the centre of BNPL. As the move towards digital payments continues, fuelled in part by the boom in BNPL offerings, the rate of ATO attacks on Financial Services firms is likely going to carry on rising sharply.

Managing the risk of BNPL fraud requires a holistic approach that is grounded in an advanced bot protection solution that can detect and mitigate automated fraud, as well as helping fraud teams prevent fraudulent activity on user accounts, says Imperva.