How BNPL fraud happens, security gaps, and legal steps UAE consumers can take to stay safe
Dubai: A Dubai resident of 11 years (who asked to remain anonymous) was shocked to discover nearly Dh20,000 in unauthorised charges on his Buy Now, Pay Later (BNPL) account after a suspected hacking incident. He says the purchases were made without his knowledge and no OTPs or alerts were triggered.
He discovered the issue when an in-store transaction was declined. Upon checking with the BNPL provider, he learned multiple large purchases had been made in a single day, even though he had not used the service since March, when his credit limit was just Dh3,000.
Despite repeated attempts to resolve the dispute, the platform refused to assist in reversing the fraudulent transactions, leaving him to face the financial and emotional fallout alone. He has since reported the case to Dubai Police and plans to raise the matter with Dubai Consumer Rights service.
He says the lack of support has caused significant stress and wants others to be aware of the risks.
Bob Gourley, Chief Technology Officer of OODA, a cybersecurity consultancy based in Virginia, USA, explained to Gulf News that this kind of incident likely stems from a complex account takeover attack.
“I've seen this type of fraud before. It was probably caused by a complex account takeover attack. The fraudster may have obtained the victim's login credentials through phishing, malware, or a data breach. Then they got around the BNPL provider's security measures, possibly by taking advantage of weaknesses or using social engineering,” Gourley said.
He explained that while it’s difficult to assign direct blame, BNPL providers need stronger safeguards, and users must take more responsibility for protecting their data online.
Austin Rulfs, founder of Zanda Wealth, says BNPL fraud can also be enabled by weak integrations with third-party merchants.
“Being able to get Dh20,000 without an OTP or alert in the first place implies that the fraudster might have pre-compromised the account or abused an integration that does not demand a secondary verification by merchants. Third-party retailers whose transactions flow through some BNPL platforms do not activate their own alert systems, and this leaves holes in user protection,” he said.
Juan Montenegro, founder of WalletFinder.ai, says many BNPL fraud cases stem from weak authentication and session control.
“When no OTPs or alerts are generated in such a scenario, it generally means that there is a failure in the platform to handle authentication and session control. Not all attacks are complex enough to cause fraud. In most cases, it occurs as a consequence of easy access granted by the mechanisms due to speedy systems rather than verification,” he said.
He warned that as BNPL platforms expand rapidly, their responsibility to users grows with them, and called for stronger security systems.
“Ultimately, a safe system defends its users even before they are aware that they are in danger. That is what fintech platforms should be up to, and anything below that is failing.”
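The gap Rulfs and Montenegro describe, a purchase channel that skips secondary verification and an authorisation step that trusts the session rather than re-checking it, can be shown in code. The following is an added illustration, not code from any BNPL provider mentioned in this article: a weak authoriser that applies its only extra check (unknown device) to app sessions and waves merchant-integration traffic through on the credit limit alone, beside a hardened one that evaluates the same risk signals on every channel and holds any flagged purchase for app-based step-up. The account, purchases, dates and thresholds are constructed for the example.

```python
"""Risk-based step-up authorisation for BNPL purchases (added example).

Contrasts a weak authoriser that trusts merchant-integration traffic with one
that applies the same risk checks on every channel. All data below is
constructed; thresholds are assumptions, not any provider's policy.
"""
from dataclasses import dataclass
from datetime import date

STEP_UP_AMOUNT = 1000.0   # assumption: a single purchase above this needs step-up
DORMANCY_DAYS = 60        # assumption: no activity for this long marks the account dormant


@dataclass
class Account:
    credit_limit: float
    last_activity: date
    known_devices: set
    spent_today: float = 0.0


@dataclass
class Purchase:
    amount: float
    channel: str      # "app" (customer's own app) or "merchant_api" (third-party checkout)
    device_id: str
    when: date


def weak_authorise(acct: Account, p: Purchase) -> str:
    """Weak path: merchant-API traffic is checked against the credit limit only;
    the new-device check is applied to app sessions alone."""
    if acct.spent_today + p.amount > acct.credit_limit:
        return "decline"
    if p.channel == "app" and p.device_id not in acct.known_devices:
        return "step_up"
    return "approve"


def risk_signals(acct: Account, p: Purchase) -> list:
    """Signals evaluated identically regardless of channel."""
    signals = []
    if p.device_id not in acct.known_devices:
        signals.append("new_device")
    if (p.when - acct.last_activity).days >= DORMANCY_DAYS:
        signals.append("dormant_account")
    if p.amount > STEP_UP_AMOUNT:
        signals.append("large_amount")
    if acct.spent_today + p.amount > acct.credit_limit:
        signals.append("exceeds_limit")
    return signals


def hardened_authorise(acct: Account, p: Purchase) -> str:
    """Hardened path: a limit breach is a hard decline; any other signal holds
    the purchase until the customer completes app-based verification."""
    signals = risk_signals(acct, p)
    if "exceeds_limit" in signals:
        return "decline"
    if signals:
        return "step_up"
    return "approve"


def run_day(acct: Account, purchases: list, authorise) -> list:
    """Process purchases in order; only approved ones update account state."""
    outcomes = []
    for p in purchases:
        decision = authorise(acct, p)
        outcomes.append(decision)
        if decision == "approve":
            acct.spent_today += p.amount
            acct.last_activity = p.when
    return outcomes


def suspicious_day(authorise) -> list:
    """Constructed scenario: dormant account, unknown device, several large
    same-day purchases routed through a merchant integration."""
    acct = Account(credit_limit=3000.0, last_activity=date(2025, 3, 15),
                   known_devices={"phone-owner"})
    day = date(2025, 7, 1)
    purchases = [
        Purchase(2500.0, "merchant_api", "laptop-unknown", day),
        Purchase(2000.0, "merchant_api", "laptop-unknown", day),
        Purchase(400.0, "app", "laptop-unknown", day),
    ]
    return run_day(acct, purchases, authorise)


def benign_purchase(authorise) -> list:
    """Constructed scenario: active account, known device, small purchase."""
    acct = Account(credit_limit=3000.0, last_activity=date(2025, 6, 28),
                   known_devices={"phone-owner"})
    return run_day(acct, [Purchase(200.0, "app", "phone-owner", date(2025, 7, 1))], authorise)


if __name__ == "__main__":
    print("weak     :", suspicious_day(weak_authorise))       # ['approve', 'decline', 'step_up']
    print("hardened :", suspicious_day(hardened_authorise))   # ['step_up', 'step_up', 'step_up']
    print("benign   :", benign_purchase(weak_authorise), benign_purchase(hardened_authorise))
```

The weak authoriser lets the first large purchase through from an unknown device on a dormant account because it arrived via the merchant channel, which is exactly the path the reader describes: no OTP, no alert, only a later decline once the limit is hit. The hardened authoriser holds every one of those purchases for step-up while still approving the benign purchase without friction, because the signals, not the channel, decide whether verification is needed.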
The UAE Central Bank has ordered banks to stop using one-time passwords (OTPs) sent via SMS and email by March 2026. Instead, customers will switch to more secure app-based authentication for all financial transactions.
SMS and email OTPs are vulnerable because attackers can obtain the code itself: a SIM swap redirects the victim's text messages to a handset the attacker controls, and a phishing page tricks the victim into typing the code in, making these methods less safe than authentication bound to the customer's own app.
Asma Siddiqui, Senior Associate at UAE-based law firm BSA Law, confirmed that the reader took the right steps by reporting the fraudulent activity to both Dubai Police and Dubai Consumer Protection.
“These authorities are essential first points of contact in cases involving financial fraud,” she said. However, she noted that additional steps may apply depending on the nature of the BNPL platform.
“If the BNPL platform is a licensed financial institution under the UAE Central Bank, the consumer can also report the incident to the Central Bank,” Siddiqui added.
She also advised reporting to the Telecommunications and Digital Government Regulatory Authority (TDRA) if the fraud involved digital communication channels.
Siddiqui outlined that victims of BNPL or digital financial fraud in the UAE have access to both criminal and civil legal pathways.
“Criminal proceedings begin with a formal complaint to the police, which can lead to prosecution if fraudulent intent, identity theft, or misappropriation of funds is established. Separately, the victim may file a civil claim to recover the financial losses incurred,” she said.
To pursue either route, victims must carefully preserve all related documentation.
“If an individual does want to go forward with criminal and civil suit, it is critical to preserve all available documentation, including transaction records, contracts, service terms, platform communications, and any promotional material that contributed to the misuse or fraudulent activity,” Siddiqui advised.
Siddiqui said it’s important to get legal help when claiming compensation, especially in complex financial fraud cases, to follow the right steps and meet deadlines.