Soft2Secure

Soft2Secure

Soft2Secure

HomeSoft2SecureAfterpay scam emails: All you need to know, and how to stay safe

Afterpay scam emails: All you need to know, and how to stay safe

Posted by on September 11, 2025
Afterpay scam emails: All you need to know, and how to stay safe

Even an email that actually comes from Afterpay can signal a scam, let alone a bevy of spoofed account status notifications allegedly arriving from this popular service’s support. Several different spin-offs of this fraud have seen a dramatic spike in 2025, including someone opening an account in another person’s name. So, you might want to know how to identify dubious activity stemming from Afterpay abuse, and how to act if one of these messages ends up in your inbox.

What Are Afterpay Scam Emails?

Receiving a suspicious “Afterpay” message isn’t a rare occurrence these days. At scale, criminals piggyback on the popularity of buy-now-pay-later (BNPL) to push look-alike notices that your account is “restricted”, a payment “failed”, or your “details must be confirmed”. The goal is to get you to click through to a convincingly branded site that harvests your login, SMS one-time passcode (OTP), and card details.

Security analysts have documented waves of such emails, including templates that say “Your last Afterpay payment was declined” and prompt a green “Retry payment” button – the landing pages are replicas of the real portal but live at unrelated domains. Once a victim enters their credentials, the site immediately triggers a legitimate OTP challenge and asks for that code too, completing the takeover in one sitting.

‘Account is currently restricted’ email from Afterpay isn’t necessarily legitimate

The Newer Twist: An Afterpay Account in Your Name, With Someone Else’s Phone

A growing pattern is different from classic phishing because the criminals don’t need your card. They open a brand-new Afterpay account in your name using breached data: your email, full name, and a current or former street address. The telltale mismatch is the phone number. Attackers register the account with a number you’ve never used, so all OTPs and login resets go to them.

Victims often first notice via genuine Afterpay emails (welcome messages, order confirmations, spend-limit notices) hitting their inbox, even though they never signed up. Multiple first-person reports describe exactly this: an account created with the victim’s identity markers and a burner phone, followed by attempted purchases at mainstream stores.

Why the Wrong Phone Number Is the Linchpin

Afterpay’s consumer requirements explicitly hinge on a valid and verifiable email address and mobile number, plus a delivery address and a payment instrument. That mobile becomes the default second factor for login and sensitive actions. This is why victims receive real email notifications yet can’t reset anything – the code keeps going to the attacker’s handset.

What the Email Trail Looks Like to a Victim

When your email has been attached to a fraudulent BNPL profile, the inbox noise tends to follow a pattern. It can start with a “Welcome to Afterpay” or an address/limit notice, move to “order placed” or “payment due”, and sometimes include “account restricted” or “update your details” prompts.

Afterpay credential phishing site whose URL is a huge giveaway

Spin-Offs and Adjacent Tactics You Should Know About

  • Unsolicited verification codes (smishing). Random “Your Afterpay verification code is: XXXXXX” texts hit both customers and people who never used Afterpay.
  • Robocalls that fish for the OTP. Some victims report calls claiming their Afterpay account was hacked and prompting them to read back a six-digit code.
  • Classic email phishing for account takeover. The “account restricted / payment failed” templates are rampant and dangerous because they harvest both your password and OTP.
  • Broader BNPL new-account fraud. Fraud-prevention vendors note a rise in synthetic identity misuse across BNPL services.

Scammers trying to obtain one’s OTP code to take over a target’s Afterpay account

Does This Hurt Your Credit? And What Your Rights Look Like

In many countries, BNPL lenders now sit under credit-card-style consumer protections for disputes and refunds. In the U.S., for example, the Consumer Financial Protection Bureau (CFPB) clarified in 2024 that BNPL lenders are treated as credit-card providers for core rights. Practically speaking, if a fraudulent Afterpay account was created using your data, you should report it to Afterpay, and treat it as identity theft by placing a fraud alert or credit freeze and filing a complaint with the appropriate national authority.

How to Protect Yourself (and What to Do if You’re Targeted)

  • Don’t click “Fix” or “Retry” from any email or text. Always open the Afterpay app or type afterpay.com yourself.
  • Report suspicious messages to Afterpay. Forward phishing emails to reportphishing@afterpay.com.
  • If an account was opened in your name, notify Afterpay immediately. Use their Unauthorised Transaction or Activity form.
  • Lock down your identity outside Afterpay. Place a fraud alert or credit freeze and file an identity theft report.
  • Harden your email. Change the password, enable 2FA, and review forwarding rules.
  • Never share verification codes, especially by phone. OTPs are only for you.
  • Use unique passwords and a manager. Avoid reusing credentials.
  • Watch your mailbox and old addresses. Redirect or hold mail if necessary.
  • Know your dispute rights. BNPL lenders must allow you to dispute charges and obtain refunds.

No ratings yet.

Please rate this

Tags:

Posted in: KnowledgeBase

Leave a Comment (0) ↓

Leave a Comment

You must be logged in to post a comment.