Best practices published by VISA
As the demand for crypto exchanges grows, so too grows the number and variety of attempts to defraud them. Similar to other existing e-commerce industries, the most common fraud scenarios observed in the crypto space include account takeover, synthetic identity, and first-party fraud. Given the recent volatility in the overall crypto market, there has been a growing concern that volatility could cause buyer’s remorse and increase disputes related to first-party fraud.
Methods used to perpetuate scams
Another area of growing concern related to crypto is its use in scams, which occur when consumers are persuaded to undertake a fraudulent transaction using deception or manipulation. Below are common social engineering methods used to perpetuate scams.
- Email phishing: Email appearing to be from a trusted organization (e.g., a popular brand or bank requesting the victim to click on a link).
- Phone-based phishing (vishing/voice phishing): Actors contact victims through phone calls requesting PII, card numbers, CVV2 codes, or OTP during the call
- Text message phishing (smishing): Exploits SMS or text messages sent to victims that typically contain links to phishing webpages, email addresses, or phone numbers that, when clicked, may automatically open a browser window, email message, or dial a number
- Website phishing/Malicious Advertisements or “Malvertizing”: Leverages the greed factor (“too good to be true”) where illegitimate advertisements, sometimes involving local celebrities or reputed individuals without consent, promise high investment returns simply to obtain PII or card data.
- SIM swap: Type of account takeover scam, when the attacker contacts a mobile provider and tricks the telco’s staff into changing a victim’s phone number to an attacker-controlled SIM card, enabling the attacker to reset passwords and gain access to PII, email service, financial account information, or crypto trading systems.
What does that mean for crypto merchants and the industry alike?
Merchants should be more than ever attuned to anomalous behaviour during customer acquisition, as well as the payment authorization/transactional phases. It’s important to expand risk evaluations to all customer interactions and have the ability to intercept and prevent fraudulent activity as it unfolds.
Crypto fraud management strategy
Below, merchants might find additional tactics effective in establishing a layered crypto fraud management strategy, while common core features include:
- Account Takeover behavioral tools designed to identify anomalous account activity
- Two-factor authentication for account changes, password resets, payment credential changes, or as a step-up during behavioral anomalies
- Robust device profiling/fingerprinting capabilities, GeoIP tracking during account creation, and credential onboarding
- Know Your Customer (KYC) and identity tools to authenticate and validate user identities
- Volume and velocity controls – elevate perceived risk as events increase in frequency by key indexes such as account creation attempts by session, device fingerprint, or IP; account modification and password resets; geographic disparities during requests; credential onboarding (while paying special attention to a number of unique credentials and failed onboarding attempts); unnecessarily distributed purchase activity over time or across payment credentials (low volume, high transaction count)
- Artificial intelligence and machine learning-based fraud scoring
- Deployment of negative listing capabilities to ensure devices, identities, IPs, and other attributes associated with prior fraudulent activity can be blocked in real-time (often part of a fraud management solution).
- Targeted use of reCAPTCHA during anomalous velocity deltas
- Leverage behavioral analytic tools along all points of the cardholder experience to identify anomalous or potentially scripted behaviors (e.g., bots, macros, unusual copy/paste form fills, etc.)
Needless to say, merchants should consider augmenting these core capabilities with additional layers of protection to ensure their approach does not sacrifice legitimate payment acceptance. By employing a nuanced, diversified, and layered solution set, crypto merchants will be better equipped to grow their businesses responsibly and sustainably to the benefit of all stakeholders in the payment ecosystem.
Get in touch with our team at firstname.lastname@example.org or contact your account manager to learn more.