The Metaverse Fraud Question: What Are the Risks?

It feels as though people are either completely sold on the idea of web 3.0 or are confident that it’s just another case of tulip mania. 

But whether you like it or not, it seems like it’s here to stay, with major brands such as Adidas, Coca-Cola, and even The Doggfather himself dabbling in this new world. 

Gartner goes as far as predicting that “25% of people will spend at least one hour per day in the metaverse by 2026“.

However, new technologies are often coupled with high levels of risk, so we decided to take a look at the ‘metaverse’ and the components within it – and what ways fraudsters are looking at exploiting this new online universe.

What Is the Metaverse?

The metaverse, also dubbed web3 or web 3.0, is a term that encompasses the many different ways in which we could potentially communicate socially in the “cyber world”. 

From VR headsets to avatars and wearable NFTs, the metaverse sees the combination of new technologies such as blockchain technology, virtual reality, and augmented reality brought together in a new environment that is more interactive than the traditional 2D web we have traditionally been exposed to. 

For certain people, the idea is that all this will be in a fully decentralized version of the internet where the platforms and apps are developed and owned by users/players themselves. 

But when Facebook announced its name change to Meta, skepticism about the new concept began to emerge, with high-profile figures in tech and finance expressing their opinions on social media, often commenting on the ownership aspect of web 3.0. 

How do NFTs fit into the metaverse?

If you’re not an avid follower of the cryptocurrency world, it’s fair to say that all the new words can be pretty overwhelming, and non-fungible tokens (NFT) are definitely something that people haven’t quite been sold on yet…

However, with predictions going as high as $10-$20 million worth of NFTs being sold in the blockchain each week, as well as mainstream news coverage, it is a phenomenon that is becoming increasingly hard to ignore.

In short, NFTs are a new asset that is tokenized on a certain blockchain (the digital ledger that powers cryptocurrencies) to create a form of digital ownership that can be bought, sold, and traded on special marketplaces such as OpenSea. 

How are NFTs used in the metaverse?

The individual code that’s associated with the NFT can be traced back to the owner via the blockchain it was built on. The token itself can be used in a range of ways across massive industries. 

Some use cases include:

• digital art
• licensing 
• ticketing
• fashion 
• experiences
• supply chains
• identification 
• real estate
• gaming 

The idea is that within these virtual worlds, users can purchase NFTs to use and trade across the many different platforms. 

The level of interoperability allows users to craft and create virtual, “meta” versions of themselves across a range of games and platforms. 

In 2021, the NFT market surpassed the $40bn value point, according to blockchain analytics firm Chainalysis. And it doesn’t seem to be going anywhere…

What Is Metaverse Fraud?

Although the metaverse is this brand new concept, cryptocurrencies and blockchains have been around for a long enough time that we know many of the issues surrounding it. 

The metaverse might have plans to expand beyond blockchain but at the core seems to be this technology which, unfortunately, fraudsters have found to be incredibly useful to utilize in order to launder money, steal identities, and conduct scams.

Due to a lack of KYC measures on certain platforms, combined with minimal regulatory measures, fraudsters can test out new methods and, to some extent, enjoy risk-free attempts to defraud both companies and users. 

Blockchain-based transaction crime hit a record-high in 2021, a staggering $7.8 billion, and with the constant threat of hacks as well, there is undoubtedly some level of risk to the many metaverses.

Examples of Metaverse Fraud Work?

Any organization that offers crypto-based services, as well as individuals who choose to venture into the metaverse and the wider crypto-adjacent ecosystem, are met with various risks. 

There are a series of schemes and techniques already employed as well as soon-to-be employed in metaverse-adjacent sectors, and experts anticipate new methods unique to these platforms to also appear.

Account takeover (ATO) attacks

Fraudsters will use traditional methods such as phishing attacks to gain access to accounts and rinse them of either currency or NFTs held by the account.

Multi-accounting

Fraudsters might look to set up multiple accounts on a certain metaverse platform to launder illegally acquired money or look to abuse promotions. One example scenario could see a fraudster buying an NFT from another account that they also control using dirty money, with the aim of withdrawing once sold onto an honest user.

Irreversible transactions

Crypto is notorious for its transparency, due to the blockchain’s open-record information. However, once a transaction is made, it can be nearly impossible to reverse. This works against some consumer expectations, especially compared to offline transactions.

Influencer and affiliate fraud

One renowned instance of crypto influencer fraud saw celebrities such as Elon Musk and Jeff Bezos have their Twitter accounts hacked as part of a fake giveaway. A similar thing could be seen in future metaverse promotions.

Fake reviews

Fake reviews can massively damage brand reputation when these new platforms need to remain transparent to their communities in order to succeed, keep their token price stable, and have loyal users. For instance, a targeted bad review attack via bots can easily scare consumers away and cause a drop in token price.  

Scam projects

The unregulated nature of NFTs and crypto gives room for scam projects to appear on major marketplaces as well as issues surrounding copyright and intellectual property. For instance, Vice has already covered some from late 2021, such as an NFT project developer who disappeared with $2.7 million.

Data breaches

Well, email data breaches are a global problem. As technology continues to become more accessible, metaverse platforms need to ensure the protection of their users’ data or risk losing consumer trust. 

Ecommerce related fraud

Handling online goods, even in a digital format, gives room for typical scenarios seen in the ecommerce sector such as chargebacks, friendly fraud, refunds, and other settlement disputes.

Lack of regulation

For both users and companies, the lack of compliance and regulation legislation in place at the moment allows room for damaging circumstances. 

Volatility and market manipulation

Users often trade tokens without actually engaging with the platform itself to make money – and such risks as aggressive market manipulation, rug pulls and honeypots are something to be wary of for all involved.

Virtual world fraud

It is worth noting that many of the issues mentioned above have been about since before crypto even existed, in virtual worlds such as The Sims, World of Warcraft, and Second Life. So, there is an argument that the gaming companies that are involved in the space should be somewhat prepared.

Rug pulls

New tech brings opportunistic bad actors, the most famous possibly being a digital token inspired by the Netflix series Squid Game that was pitched as a play-to-earn metaverse game. $SQUID turned out to be a complete scam and lost all of its value almost instantly, with the developers running away with all funds. 

Issues with Decentralization

The decentralized nature of crypto and NFTs can make it somewhat difficult to track phishing or virus attacks, as fraudsters can utilize tools such as tumblers to remove links from themselves and the original source.

Furthermore, in a podcast with ACFE, OSINT researcher and artist Kirby Plessas suggests that more calculated fraudsters will use the hype to launder money both through crypto and NFTs.

“Fraudsters [can] either create their own NFT companies and then maybe load up with Ethereum, get people to maybe preload into the marketplace that they create and then close it down as an exit scam, for example, or pretend to be the guide to help somebody create an NFT, for example, to create some… [before] they hijack and take over the NFT account.”

The metaverse brings immense opportunities for brands to engage their customers but platforms that host such worlds need to ensure that their defenses are easily adaptable to the new forms of fraud, identity theft, and laundering techniques that will certainly emerge. 

As well as this, from a professional perspective, users will likely want different profiles to distance their characters from their potential professional identities.

James Gatto, the leading blockchain partner at the law firm of Sheppard Mullin, explains in an interview with VentureBeat:

“Part of this is trying to figure out, in addition to all the traditional data privacy issues when someone has multiple identities, can you link those together if they want them separate?” 

What Tools Can Stop Metaverse Fraud?

It’s not going to be easy, it is never. Fraud prevention is a constant battle and fraudsters will no doubt look at platforms as rife with new opportunities to expose weakness, try new methods, and ultimately scam businesses and people. 

There are certain things that platforms can do pre-launch to sure up defenses and block out fraudsters before they get the opportunity to test the new frontier. Here are a few.

Minimize silos

Fraudsters aren’t fluking their way through scams; they’re calculated criminals analyzing industries by testing methods with different businesses to see what might work and often even sharing information with others. 

Information often gets caught up in silos and, for risk/fraud managers, this is a nightmare because they need a complete view of company information in order to spot connections between risky customers. 

A lack of communication and transparency between teams can lead to big gaps in knowledge which can impact revenue, security, and the efficiency of decision making. 

We would recommend not only testing different types of solutions that can help create a full 360-degree view of the business but also making use of machine learning, which can support the organization of data and automate easier decisions. 

Machine learning combined with a test environment can enable companies to investigate historical data and suggest new rules before implementing them. 

To ensure complete protection, an operation must be transparent and enable full access to its risk team or the company they are outsourcing their anti-fraud efforts to. 

Having models and rulesets for each stage of a user’s journey (account opening, login, transactions, etc.) with an easy-to-use GUI can massively reduce the risk of missing information. 

Multi-layered defenses

Machine learning is just one aspect of a sophisticated risk management product stack that will help metaverse platforms to protect their business and users. 

On top of this should be other solutions that complement the machine learning algorithm. Often, providers will give an overall risk score that can be used to automatically accept or reject someone onboarding, logging in, or transacting.

For some platforms, blackbox AI will be the chosen route, as it handles the majority of decisions without any human input. However, for earlier stage launches, whitebox AI can be more useful to minimize the customer insult rate. 

This is because whitebox ML provides full transparency in why a decision or a score has been reached, and thus humans reading the results can pick and choose the parts of the analysis that are most relevant to the situation at hand.

Browser and device fingerprinting

In short, being able to identify someone’s device configuration can help spot emulators, virtual machines and bots. 

Unseen devices should be another indicator of potential risk, although it is worth noting that certain metaverses will be available on multiple devices – which again can cause customer insult rate if you rely on this alone.

With more hardware being used, including VR headsets, computers, and mobile phones, knowing the customer’s devices, location, and setup can be a really easy way to spot misalignments and potential risks.

Digital footprint analysis 

Seeing a user’s digital footprint is especially useful when users are signing up. Using just an email or phone number, companies can verify the validity of accounts, since most honest users will have some form of online footprint, be it social media presence, web platform activity or instant messenger accounts.

IP scanning 

Knowing the IP address of an honest user and then spotting a dramatic mismatch should raise a red flag immediately. 

2FA 

Some services can force two-factor authentication requirements if there are mismatches, which adds friction but also protects users better in certain situations. 

Conclusion

There’s a lot of hype, a lot of money, and a lot of opportunities for metaverse/web 3.0 companies to become dominant players, make a lot of money, and completely change the way we socialize. 

But in its early days, it’s vital for these platforms to focus on their risk management practices as much as they do on new features. Otherwise, the general public will quickly lose trust – and thus, interest. 

Using the experiences of industries that have grown immensely in recent years, such as esports, igaming and crypto, should help these companies understand the typical risks that come with new technologies that accept alternative payment methods. 

Sources

• BBC: Bitcoin: Fake Elon Musk giveaway scam ‘cost man £400,000’
• Chainalysis: The NFT Market Report
• ACFE Insights: Fraud Talk: An Introduction to Non-Fungible Tokens (NFTs) and Fraud
• VentureBeat: How the metaverse will impact governance, privacy, fraud, identity, and more
• Gartner: Gartner Predicts 25% of People Will Spend At Least One Hour Per Day in the Metaverse by 2026
• Chainalysis: The NFT Market Report 2021
• Forbes: Uncertainty In The Valuation Of Non-Fungible Tokens
• BankInfo Security: Virtual Money Laundering and Fraud
• Vice: Investors Spent Millions on ‘Evolved Apes’ NFTs. Then They Got Scammed.