By Alma Angotti
Over the next few months, Guidehouse will explore issues relating to fraud in the digital asset space, including prevalent crypto fraud typologies, the countermeasures financial institutions can take to protect themselves and their customers, and the benefits of educating consumers on digital assets and the fraud risks that accompany them.
In this installment, Guidehouse will outline several fraud typologies and what steps digital asset exchanges and other financial institutions can take to mitigate them.
How can digital asset companies prevent fraud against their customers? This is one of the most important questions facing lawmakers, government regulators, and digital asset executives. It has been brought into focus over the past several months with a seemingly endless stream of reporting about digital asset fraud. Indeed, in November 2022, the Consumer Financial Protection Bureau (CFPB) released a Complaint Bulletin analyzing consumer complaints related to crypto assets, naming fraud as the No. 1 category of complaints involving digital assets.
The report indicated that fraud complaints have steadily increased since 2018, with more than half of the digital asset complaints from January to November 2022 citing fraud. The CFPB Complaint Bulletin goes on to note that consumers of digital assets are particularly exposed to fraud, given the lack of deposit insurance and the inability to reverse on-chain transactions.
One of the most important things to understand about digital asset fraud is that while the asset class may be relatively new, the methods that bad actors use to engage in fraud are not. The same fraud issues that impact traditional financial institutions are at play in digital asset fraud. Below, we will outline confidence scams, rug pulls, account takeover, and market manipulation, which are four main avenues of fraud in the digital asset space.
The largest differences between traditional finance fraud and digital asset fraud that will impact the consumer are the ease in obfuscating digital asset transactions and the inability of senders to cancel transactions once executed. Blockchain transactions are public records. However, transactions can be performed with pseudonyms because the only records that are identifiable are the underlying wallet addresses. This is a primary reason digital assets will continue to be used by bad actors to facilitate their crimes, and why crypto exchanges must do more to protect their customers and balance sheets.
Given these heightened risks compared to traditional finance, institutions engaging in digital assets must have a keen understanding of several fraud typologies common in the digital asset space:
Romance scams, “pig butchering,” and other confidence scams
Scams are perhaps the most immediately recognized type of digital asset fraud. From investment scams, to romance scams, to any variation in between, the same basic methodologies usually hold. A scammer will create a relationship of trust with a victim, intending to use this relationship to convince a victim to send digital assets to the scammer. Often, this involves the scammer directing a victim to open an account with a digital asset exchange, purchase digital assets with funds sent from a traditional financial institution, and then send the funds to the scammer’s digital wallet. Despite the public perception of seniors not being associated with digital assets, financial exploitation of the elderly is as prevalent in the space as in traditional finance.
One of the most sophisticated, and quickly growing, types of scams has been dubbed “pig butchering.” In a pig-butchering scam, a scammer will not only build a relationship with a victim, but once the victim has actually “invested” a modest amount of money in a scheme, they will often realize a return. This is intended to induce the victim to send the scammers ever larger amounts of money, with many scammers directing victims to borrow money from friends and loved ones to “invest.” In 2021, the FBI received more than 4,300 pig-butchering complaints, and there is no indication that this trend is slowing.
In a “rug pull,” blockchain developers will announce a new product or service, such as an initial coin offering, where the organizer(s) have no intention of delivering on their promise after victims invest in the project. Rug pulls are more prevalent in the decentralized finance industry and generally target victims who are relatively comfortable in the digital asset space. Unlike pig butchering and other confidence scams, in a rug pull, a scammer will generally not build a relationship of trust with a victim. The process of a rug pull is like that of a pump-and-dump scheme in traditional equities. The scammer will provide misleading details about a project to artificially inflate the value of digital assets associated with the project before disappearing and leaving no viable product or service behind.
Account Takeover (ATO)
ATO operates the same way in digital assets as it does in traditional finance markets. In both instances, a bad actor has acquired enough information on a victim to identify where their assets are and use that information to successfully pass static or dynamic Knowledge-Based Authentication. They also engage in credential-stuffing attacks using bots to perform brute force attacks to gain access. Where institutions use multifactor authentication, bad actors employ SIM swapping techniques, wherein the scammer receives the multifactor verification code instead of the victim. Once the bad actor gains access to the victim’s account, funds are quickly transferred to a wallet controlled by the bad actors. The victim does not know there is a problem until they attempt to access their account and find the assets missing.
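The ATO sequence described above (bot-driven credential stuffing, a successful login, then a fast transfer to an attacker-controlled wallet) can be expressed as a detection rule. The following is an added example, not part of the original article or any Guidehouse tooling; the event format, field names, thresholds, and sample data are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data):
# (timestamp, event type, account, source IP, withdrawal destination)
EVENTS = [
    ("2023-01-10T02:00:01", "login_fail", "alice", "203.0.113.7", ""),
    ("2023-01-10T02:00:02", "login_fail", "bob", "203.0.113.7", ""),
    ("2023-01-10T02:00:03", "login_fail", "carol", "203.0.113.7", ""),
    ("2023-01-10T02:00:04", "login_ok", "dave", "203.0.113.7", ""),
    ("2023-01-10T02:03:30", "withdrawal", "dave", "203.0.113.7", "wallet-NEW-1"),
    ("2023-01-10T09:00:00", "login_ok", "erin", "198.51.100.4", ""),
    ("2023-01-10T09:20:00", "withdrawal", "erin", "198.51.100.4", "wallet-KNOWN-9"),
]
# Hypothetical per-customer history of previously used destination wallets.
KNOWN_WALLETS = {"erin": {"wallet-KNOWN-9"}, "dave": {"wallet-KNOWN-2"}}

def stuffing_ips(events, min_accounts=3):
    """Return IPs with failed logins against at least min_accounts distinct accounts."""
    targets = defaultdict(set)
    for _, kind, account, ip, _ in events:
        if kind == "login_fail":
            targets[ip].add(account)
    return {ip for ip, accounts in targets.items() if len(accounts) >= min_accounts}

def ato_alerts(events, known_wallets, window=timedelta(minutes=10)):
    """Flag withdrawals to a never-used wallet shortly after a login from a stuffing IP."""
    bad_ips = stuffing_ips(events)
    last_risky_login = {}  # account -> time of latest successful login from a bad IP
    alerts = []
    for ts, kind, account, ip, dest in sorted(events):  # ISO timestamps sort by time
        when = datetime.fromisoformat(ts)
        if kind == "login_ok" and ip in bad_ips:
            last_risky_login[account] = when
        elif kind == "withdrawal" and account in last_risky_login:
            new_wallet = dest not in known_wallets.get(account, set())
            if new_wallet and when - last_risky_login[account] <= window:
                alerts.append((account, dest, ip))
    return alerts

if __name__ == "__main__":
    print("Credential-stuffing sources:", stuffing_ips(EVENTS))
    print("Withdrawals to hold for review:", ato_alerts(EVENTS, KNOWN_WALLETS))
```

Because on-chain transfers cannot be reversed, a rule like this is only useful if it holds the withdrawal for review before it is broadcast rather than alerting afterward.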
Digital asset markets are just as susceptible to market manipulation as traditional equities, commodities, and other markets. Guarding against some forms of market manipulation, such as wash trading, is particularly difficult given that the anonymous nature of blockchain transactions can make it difficult to identify if a trade is illegitimate. Another area of concern lies in the fact that there are numerous digital assets that are sparsely traded. While it would be difficult for a bad actor to manipulate the price of Bitcoin or Ethereum, other, smaller altcoins are manipulated more easily.
While it is important to note that the majority of fraud and criminal activity does not involve digital assets, this is nevertheless a quickly growing problem. How, then, can financial institutions mitigate these fraud risks? There are numerous actions that financial institutions can take, ranging from increased account security measures to enhanced due diligence of vulnerable customers to make sure their transactions are legitimate. However, the challenge is knowing where to begin. Guidehouse recommends starting with a comprehensive fraud risk assessment. A fraud risk assessment is designed to identify specific fraud typologies and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risks.
There are several reasons why a fraud risk assessment is an important first step. Not all financial institutions are created equal, and it is important to make an independent assessment of existing controls, and how those controls stack up against others in the industry. How do the controls work together with other business units (e.g., Compliance, Operations, and Sales)? What are the specific fraud typologies impacting digital assets in general, and based on the controls assessment, what fraud typologies should concern a specific exchange? A comprehensive fraud risk assessment not only provides answers to the questions posed above, and an inventory of current fraud risk, but it also provides the foundation to build a go-forward plan on how to manage or remediate the risks.
Guidehouse has extensive experience advising traditional financial institutions, venture capital firms, investment advisors, and digital asset firms on a diverse variety of fraud prevention and regulatory issues, ranging from fraud risk assessments to post-incident investigations. Guidehouse has a deep understanding of anti-fraud best practices, digital asset firms, and how digital asset firms can adapt traditional finance best practices to their unique situations. Guidehouse has relevant experience in numerous areas, including the following: