Buy-now-pay-later reached a scale in US consumer credit over 2022–2024 that most BNPL providers didn't fully anticipate. Rapid user acquisition, thin KYC requirements at origination, and the structural absence of a shared data layer across BNPL providers created conditions that fraud networks quickly identified and exploited. The FTC's 2024 BNPL report noted growing consumer complaint volumes specifically around unauthorized account activity and disputed installments — a lagging indicator of fraud that had been building in the pipeline for 12–18 months prior.
For risk teams at BNPL platforms in 2025, the challenge is not identifying that fraud exists — it's that the dominant fraud patterns have matured into well-organized operations that are specifically designed to evade the velocity rules and KYC checks that BNPL platforms initially deployed. This post covers the three patterns that are costing BNPL providers the most losses and the detection approaches that have meaningful impact on each.
Pattern 1: Bust-out fraud and the credit-building phase
Bust-out fraud in BNPL operates on a longer time horizon than most card fraud, which makes it expensive to detect retrospectively and critical to catch at origination. The playbook: a fraud actor applies for a BNPL account using either a real stolen identity or a synthetic identity with a thin-but-plausible credit profile. They make several small, on-time installment payments — often 2–4 payments over 60–90 days — to build behavioral legitimacy within the platform's risk model. Then, once the account has been flagged as low-risk by the model's behavioral calibration, they make a large purchase (typically high-liquidity items: electronics, gift cards, resalable consumer goods) and default immediately.
The credit-building phase is the signal that most behavioral models miss because it looks, by design, like good customer behavior. The features that carry predictive weight for early bust-out identification are not transaction behavior features — they're origination features and early-lifecycle features:
- Identity graph thin-ness at origination: email address age, phone number first-seen date, device-account linkage history
- Address velocity: how many recent BNPL or credit applications share the same address or address components (normalization required)
- Payment method for the early installments: debit card funding from recently-opened accounts, especially prepaid debit, is a stronger bust-out signal than credit card funding
- Purchase category at the bust-out transaction: electronics, gaming consoles, gift card codes — categories with high secondary market liquidity are disproportionately represented in confirmed bust-out cases
Detection at the bust-out transaction itself is already too late to prevent full loss. The detection investment needs to be at origination, scoring the lifetime bust-out risk of the application, not just the initial fraud risk of the first transaction.
Pattern 2: Loan stacking across platforms
Loan stacking is the structural exploit that BNPL providers face because there is no shared credit reporting layer equivalent to traditional revolving credit. A fraudulent actor — or a consumer who has shifted into first-party fraud — applies for BNPL accounts at multiple platforms within a compressed time window (typically 7–21 days), uses each account to purchase high-value items, and then stops making payments once all accounts are maxed out. Because BNPL installments historically did not report to Equifax, TransUnion, or Experian in real time (this is changing slowly under CFPB pressure), each BNPL provider sees a clean credit profile at origination.
The detection surface for loan stacking is limited but not zero. The signals that are accessible without cross-platform data sharing:
- Device fingerprint co-occurrence: if the same device ID appears on multiple BNPL applications within a 14-day window (detectable if the BNPL platform has integrated device intelligence via a shared network like ThreatMetrix/LexisNexis), the stacking pattern is visible at the device layer even without shared account data
- Email and phone number freshness: newly-registered email addresses and recently-ported phone numbers are strongly correlated with stacking operations that use fresh credentials per platform
- Behavioral velocity at checkout: the time between account creation and first purchase — stacking operations typically make purchases within 24–72 hours of account opening because they need to complete the credit utilization before risk flags accumulate
We're not suggesting that device intelligence alone closes the loan stacking gap — it doesn't. A determined stacking operation rotates devices. But device-based signals are the most accessible cross-platform signal currently available, and they meaningfully raise the cost of executing a stacking campaign at scale.
Pattern 3: Synthetic identity origination
Synthetic identity fraud — where a fraudster creates an identity from a mix of real data (often a valid SSN obtained from a data breach or purchased from a dark web market) combined with fabricated name, address, and contact information — is the fastest-growing fraud category in US consumer financial products per the Federal Reserve's FedNow fraud monitoring research. BNPL platforms are disproportionately targeted because their origination friction is intentionally low: instant decisions, minimal documentation, no hard credit pull in many cases.
A synthetic identity that has been "seasoned" — a real SSN attached to a fabricated profile that has had some thin credit history built over 6–12 months through secured card products or other subprime credit lines — can pass basic KYC checks at origination. The distinguishing features are in the identity graph, not in the credit file: the SSN belongs to a real person whose demographic attributes (age, state of residence, name) don't match the submitted application attributes. Name-SSN state of issuance mismatches, age-income implausibility, and thin identity graph depth are the detection surface.
Identity verification platforms like Persona and Socure offer specific synthetic identity scoring that incorporates SSN issuance patterns and identity graph cross-referencing. The integration challenge for BNPL platforms is not the API — it's incorporating the synthetic identity score into an origination decisioning flow that is also optimized for conversion speed. A verification step that adds 2–3 seconds of latency to an instant BNPL decision is a conversion problem as much as a fraud problem.
For more detail on synthetic identity detection signals and the feature architecture, see Fraudhalo's Synthetic Identity Detection page.
Refund abuse: the pattern often categorized separately but structurally similar
Refund abuse sits at the boundary between fraud and policy violation, but its financial impact on BNPL platforms is meaningful enough to address. The pattern: a consumer makes a BNPL purchase, initiates a return claim (often fabricated or exaggerated), receives the refund, and continues making installment payments on the original balance — or doesn't, using the refund receipt as the bust-out trigger. The refund-then-default pattern looks like friendly fraud in the dispute data but functions like bust-out in the loss accounting.
Detection requires correlating refund request patterns with default rates at the account level — a cross-functional data join that many BNPL platforms haven't built because dispute data and payment data live in different systems. If your dispute data and installment data are in the same warehouse, a simple cohort analysis correlating refund request timing with subsequent default probability will surface this pattern clearly within 60–90 days of refund data accumulation.
What this means for BNPL risk team priorities
The structural challenge for BNPL risk is that the three dominant fraud patterns — bust-out, loan stacking, and synthetic identity — all require detection at or near origination, before behavioral data accumulates. This is the opposite of the transaction fraud detection problem, where real-time behavioral signals are the primary detection surface. For BNPL, the origination scoring model is the critical investment: it needs to operate on identity graph signals, device intelligence, application-time velocity features, and synthetic identity scoring, not transaction history that hasn't yet accumulated.
The regulatory environment is adding additional pressure. CFPB guidance on BNPL supervision issued in 2024 treats BNPL as a credit product subject to Regulation Z in many contexts, which increases documentation requirements for origination decisioning. A BNPL platform that can't explain why an application was approved or declined is exposed to fair lending risk in addition to fraud risk — the explainability requirement at origination is now both a fraud defense and a regulatory defense.
For BNPL-specific detection architecture and signal coverage, see Fraudhalo's BNPL Fraud Detection page. For the origination-to-lifecycle model architecture, see How It Works.