As the digitalization of financial services advances, criminals have become increasingly imaginative in their attempts to defraud customers. Dr. Stephen Topliss, Vice President of Fraud and Identity at LexisNexis® Risk Solutions, addresses the growing problem of fraud and scams centered around cryptocurrency.
Have fraudsters evolved their techniques in recent years?
S.T.: The last couple of years have seen significant changes in digital fraud activity, driven by the impacts of the pandemic and accelerated digital transformation around the world. Every six months, we publish a cybercrime report, which tracks emerging trends in financial crime. At the start of the pandemic, digital fraud rates fell because many fraudsters were impacted in ways similar to the rest of us. But they adapted, and when economies started to open up again, digital fraud started to rise, even in jurisdictions with previously historically low rates of fraud such as Singapore. In an increasingly digital world, physical borders are becoming much less important, both to legitimate commerce as well as fraudulent activity.
Early on in the pandemic, a lot of fraud was centered around new digital account applications as fraudsters hid among the millions of legitimate customers who migrated to digital during lockdowns. More recently, their focus has shifted towards account takeover and password resets, as they try to exploit the accounts that were set up during the pandemic.
Does crypto as an industry have a fraud problem?
S.T.: Fraudsters like to make money with the least possible effort and are always on the lookout for new opportunities. So, when organizations launch new services, they are heavily scrutinized by the fraudsters – whether it’s new virtual banks, buy now pay later, or crypto. Crypto is becoming more mainstream; a recent poll conducted by the Pew Research Center suggests that 52 million Americans have either invested in, used or traded cryptocurrency. Similar stats showing the growing acceptance of cryptocurrencies are available for many other parts of the world. And when the value of holdings rises, crypto becomes a perfect target for fraudsters. Data from the Federal Trade Commission in the US and others show that crypto fraud and theft are increasing exponentially – by as much as 500% between 2020 and 2021. As a result, we’ve seen a significant amount of interest from crypto industries coming to us to discuss their fraud challenges.
What are the riskiest points, in terms of fraud, for crypto companies and their customers?
S.T.: Basically, almost all the frauds and scams that have been perfected by fraudsters over the years, whether it’s in e-commerce or digital banking, are equally applicable to the crypto industry. There’s fraud at the point of onboarding – some exchanges have told us that up to 30% of new account applications are fraudulent. Then there is account takeover, either because the fraudster has gotten hold of stolen credentials or has persuaded the account owner to move money themselves. And then there is the payments side – for example, the use of stolen credit cards to top up accounts. These problems are not unique to crypto, but they are a big problem.
What are the specific types of crypto fraud that you are seeing?
S.T.: We see cases of stolen and synthetic IDs being used to open crypto accounts, the use of phishing scams to attempt to gain access to legitimate customer accounts and we are continuing to see fraudulent Initial Coin Offerings (ICOs). These are not new techniques, but they have new implications in the crypto space. A ‘normal’ phishing attack, for instance, involves a bad actor attempting to bait recipients into clicking malicious links and inputting their personal details. In the crypto world, they will be looking for crypto wallet key information. Unlike digital banking, where you have a username and password that is different for each account and can be changed, you only get one key to your blockchain wallet, so this is a unique risk for crypto.
What is the role of regulators in crypto-related fraud?
S.T.: It is interesting to draw a parallel to what has been happening in the online banking world. Regulators have been highly active in the banking sector in recent years. One of their priorities is for customers to be protected and increasingly, they want financial institutions to take responsibility for that. But it has also been interesting to see how reputation and public pressure have forced change.
In the UK, for example, fraudsters began looking for a new weak link when banks’ defenses against third party fraud became so strong that this ‘traditional’ form of fraud became too difficult to execute successfully. The weak link that fraudsters identified was ultimately the customer themselves. Fraudsters came up with some sophisticated scams, using information gathered from social media and elsewhere to convince people to move their own money out of their legitimate bank accounts and into a fraudster’s account. This sophisticated form of fraud, also known as authorized push payment, has the potential to inflict higher financial impact on the victims of such scams.
Initially, customers were liable for these losses because they had moved the money themselves, but there was such a public outcry that in 2019, UK banks signed up to a voluntary code that said they would compensate customers for these losses unless there was clear evidence of customer negligence. The message here for the crypto industry is that if you don’t manage fraud, the regulators or the public, or both, will come for you.
So crypto should expect to see more regulation in the future?
S.T.: In the crypto sector, the barriers to entry have been very low until recently, which means that some crypto businesses have been operating with less stringent fraud controls whilst focusing on customer acquisition, with few or no controls in place. I strongly believe that rather than putting the ball in the courts of regulators and asking them to dictate what needs to be done to manage fraud and money laundering, it’s beholden on those of us working in and with the crypto sector to work in close partnership with regulators to look at emerging technologies and consider collectively how we can pragmatically address fraud in these channels.
What can crypto companies learn from traditional firms when it comes to best practice in fighting fraud?
S.T.: Banks historically focused on fraud or anti-money laundering (AML) with a siloed approach, but crypto companies are telling us that they want their defenses to span both fraud and AML. This is good because they recognize that fraud prevention and AML use a lot of the same digital intelligence, just in different ways and using different operating procedures. We have examined some of the solutions we offer and modified them so that fraud and financial crime teams can use the same technologies and data, but in different ways based on their roles.
We are helping crypto firms beat fraudsters without affecting the experience of legitimate customers – that takes a combination of advanced technology, analyzing behavioral anomalies and high-quality digital intelligence. Furthermore, in a recent webinar titled “Threats to Global Security Webinar Series – Role of Cryptocurrency and Cybercrime”, we looked at ways in which digital identity intelligence is being used to stay ahead of constantly escalating risks and expanding regulatory expectations.