Real or fake? The latest cryptocurrency payment scams and how to stay safe
Learn about crypto address spoofing, dust transactions and fake stablecoins.
Just as scammers find ways to exploit card and bank payments, so too can they target cryptocurrency payments.
Overall, the revenue that scammers made from cryptocurrencies globally dropped 46% in 2022 to $5.9 billion, according to blockchain data firm Chainalysis, but certain types of scams are on the rise. All ten of 2022’s top cryptocurrency scams were investment scams (offering fake investment opportunities), while romance scams (where scammers adopt a fake identity to gain a victim’s trust) caused the most per-transaction damage.
In this article, we’ll highlight two scams which can affect employees using cryptocurrency and blockchains for business payments. We’ll share recent examples and give advice on how to stay vigilant.
Which scams target cryptocurrency business payments?
While investment and romance scams don’t tend to target professionals at work, impersonation, phishing and spoofing scams often do. And with higher average transaction values for business payments, the consequences can be severe.
For a scam to be successful, it usually requires a victim to take action, for example by transferring money or sharing information. A phishing scam, for example, is when a scammer pretends to be someone else to get you to share information. In the context of a crypto payment, this could be your private cryptocurrency wallet keys. To do this, scammers use spoofing and impersonation techniques, such as sending an official-looking email that asks you to log in to your account, or creating a clone of a website.
Below, we share details of current spoofing and impersonation scams which target business professionals making cryptocurrency payments.
Scam 1: Address spoofing
In August, Binance CEO Changpeng Zhao tweeted a warning about an address spoofing attack that could have cost ‘an experienced crypto operator’ $20m. In this case, the operator noticed the scam and informed Binance, who were able to freeze the USDT funds.
At BVNK, some of our merchants have reported address spoofing attempts. For example, one merchant’s customer received a payment of 0.614 in USDT stablecoin from an address which shared the same start and end characters as one of BVNK's addresses. Our client noticed the suspicious transaction and got in touch with BVNK.
Thankfully, the scam was unsuccessful and BVNK flagged the scammer’s address with our payments screening provider, who alerted the wider blockchain payments community.
How address spoofing scams work
Address spoofing or ‘address poisoning’ is where scammers generate cryptocurrency addresses with the same start and end characters as a trusted address.
The scammer’s goal is to trick an employee into sending cryptocurrency funds to the fake address, instead of the real one. The scam typically unfolds like this:
- The scammer sends low-value cryptocurrency payments, known as ‘dust’ transactions, to a business’s crypto wallet address. They may also try to send a fake token (more on that later in this article).
- The payment is received and appears in the recent transactions. Many wallets, exchanges or platforms automatically save new addresses.
- The next time an employee needs to send a crypto payment, for example to a supplier or partner, they may accidentally select the fake address. Since crypto addresses are long, most wallets, exchanges and platforms hide the middle part of the address with “...”, so it’s easy to mistake a spoofed address that has the same start and end characters for the real one.
Best practices to avoid address spoofing scams
- Always double check addresses before you send funds, making sure that all numbers and letters are correct, and advise your customers to do the same.
- You can check your BVNK address in the BVNK merchant portal.
- Another way to mitigate this risk and verify an address is to send a test transaction of a small amount. This is especially recommended if you are making a large payment.
- BVNK customers can also choose to turn on our whitelist feature, which means you can only send funds to addresses that have been pre-approved by your team. Contact our Merchant Support team to learn more.
- Finally, if you think you’re being scammed, it’s important to react quickly. If you notice a suspicious transaction relating to BVNK, get in touch with our Merchant Support team as soon as possible.
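The whitelist and 'check the whole address' advice above can be enforced in code before a payment is signed. The following is an added example, not BVNK's implementation: it assumes EVM-style hex addresses compared case-insensitively, and the two sample addresses and all function names are constructed for illustration.

```python
import re

ADDR_RE = re.compile(r"0x[0-9a-fA-F]{40}")

# Constructed sample values (not real wallets): same first and last four hex
# characters, different middle.
TRUSTED = "0x52a1" + "c3" * 16 + "e9d0"
LOOKALIKE = "0x52a1" + "7f" * 16 + "e9d0"


def normalise(addr: str) -> str:
    """Validate an EVM-style address and lowercase it for comparison."""
    addr = addr.strip()
    if not ADDR_RE.fullmatch(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr.lower()


def shortened(addr: str, head: int = 6, tail: int = 4) -> str:
    """Render an address the way many wallet UIs do: start...end."""
    return f"{addr[:head]}...{addr[-tail:]}"


def shared_ends(a: str, b: str) -> tuple[int, int]:
    """Count matching hex characters at the start and end (after '0x')."""
    a, b = a[2:], b[2:]
    lead = next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), len(a))
    trail = next(
        (i for i, (x, y) in enumerate(zip(a[::-1], b[::-1])) if x != y), len(a)
    )
    return lead, trail


def classify(dest: str, allowlist: set[str], min_match: int = 3) -> str:
    """Return 'approved', 'lookalike' or 'unknown' for a destination."""
    dest = normalise(dest)
    approved = {normalise(a) for a in allowlist}
    if dest in approved:
        return "approved"  # full-string match only, never start/end
    for good in approved:
        lead, trail = shared_ends(dest, good)
        if lead >= min_match and trail >= min_match:
            return "lookalike"  # would pass an eyeball check of start...end
    return "unknown"
```

A 'lookalike' result is worth blocking and reporting rather than just warning on, since both addresses render identically once the middle is hidden.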
Scam 2: Fake stablecoins
Stablecoins now account for 10% of all cryptocurrencies. As adoption grows, stablecoin scams are becoming more common. According to the Crypto Crime Report 2023 from Chainalysis, most scammers used to exploit bitcoin, but are now taking more of their revenue from victims in stablecoins.
Within hours of PayPal launching its new stablecoin (PYUSD) in 2023, scammers were already creating fake stablecoin tokens of the same name. According to DEX Screener, nearly 30 new tokens cropped up in the hours after the coin was announced. The largest of these scam coins saw $2.6 million in trading volume within minutes of the PayPal announcement.
(Note: the real PayPal USD token was created in November 2022 and can be verified at this contract address.)
How fake stablecoin scams work
In a fake stablecoin scam, scammers generate a fake coin and make it look legitimate. Their goal is to deceive you into believing you have received real value, or in some cases, to manipulate you into claiming an airdrop, which can leave your wallet or address exposed to hacks.
Every stablecoin has a contract, which can be verified. To make a fake coin appear real, scammers create fake contracts.
Best practices to avoid stablecoin scams
Both USDC and USDT are ERC-20 tokens, with verified smart contracts that can be checked for free on blockchain explorers like Etherscan. That means you can easily check to see if you have received genuine funds.
Among other things, a real stablecoin contract has the following features:
- a blue check mark next to the token name
- a market cap value
- the official contract address for that token:
For USDT, this is: 0xdAC17F958D2ee523a2206206994597C13D831ec7
For USDC, this is: 0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48
If you believe you may have received fake coins, use the guidance above to verify the coin using a blockchain explorer tool.
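The contract-address check can be automated for incoming transfers, as in this added example (not BVNK's detection logic). It uses the two contract addresses listed above; the transfer records, field names and the other contract addresses are constructed for illustration.

```python
# Contract addresses exactly as listed in the article (ERC-20 tokens).
OFFICIAL = {
    "USDT": "0xdAC17F958D2ee523a2206206994597C13D831ec7",
    "USDC": "0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48",
}
BY_CONTRACT = {addr.lower(): sym for sym, addr in OFFICIAL.items()}

# Constructed incoming transfers; every contract except the first is made up.
TRANSFERS = [
    {"symbol": "USDT", "amount": "250.00",
     "contract": "0xdac17f958d2ee523a2206206994597c13d831ec7"},
    {"symbol": "USDT", "amount": "50000.00", "contract": "0x" + "de" * 20},
    {"symbol": " usdc ", "amount": "1200.00", "contract": "0x" + "be" * 20},
    {"symbol": "XYZ", "amount": "3.00", "contract": "0x" + "ab" * 20},
]


def verdict(transfer: dict) -> str:
    """Decide from the contract address; the symbol is free text set by
    whoever deployed the token, so it proves nothing on its own."""
    real = BY_CONTRACT.get(transfer["contract"].strip().lower())
    claimed = transfer["symbol"].strip().upper()
    if real is not None:
        return "genuine"
    if claimed in OFFICIAL:
        return "impersonation"  # uses a known name with a different contract
    return "unlisted"


def triage(transfers: list[dict]) -> tuple[list[dict], list[dict]]:
    """Split transfers into those safe to credit and those to hold."""
    credit, hold = [], []
    for t in transfers:
        (credit if verdict(t) == "genuine" else hold).append(t)
    return credit, hold
```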
At BVNK, our systems are designed to detect fake coins. If we find that fake stablecoins have been sent to a wallet you hold with us, we won’t credit your account with the coin and we’ll notify you of the attempted transaction.
If you notice something suspicious involving a BVNK transaction, please contact our Merchant Support team as soon as possible.
General tips to avoid scams
In most cases cryptocurrency transactions can’t be reversed or recovered, so it’s important to stay vigilant.
Scammers are always coming up with new ways to exploit payments of all types, but there are some best practices that can help you stay safe:
- Never send funds to an unknown address and always check the whole address, even if you have sent funds to that address in the past.
- If you receive a message from BVNK, please check the sending address (see below), and remember that BVNK will never ask you for your password, pass-phrases or private keys.
Make note of BVNK’s official addresses and accounts:
Website & email domain: bvnk.com
Merchant support email: email@example.com
X (Twitter): @BVNKFinance
- If you're sending a large payment, send a small test payment first to verify the address, before sending the larger payment.
- Watch out for ‘red flags’ linked to spoofing and impersonation attacks. These include: spelling mistakes, strange grammar, misspelled domain names and broken links in spoofed emails, messages and websites, as well as wording which creates a sense of urgency, for example telling you that your funds will be lost or your account frozen if you don’t take action quickly.
- If in doubt about the legitimacy of an address, transaction or communication relating to BVNK, always contact our Merchant Support team.
- And finally, make your customers aware of the types of scams that might target them.