On the web, you need to be careful of phishing emails claiming to be from your boss, telling you to check out the information on a link and report back.
“In the metaverse, fraud and phishing attacks targeting your identity could come from a familiar face — literally — like an avatar who impersonates your coworker, instead of a misleading domain name or email address,” Charlie Bell, Microsoft’s head of security, said in a blog post Monday (March 28).
Bell continued his warning, writing that a new generation of scams will accompany users in the immersive three-dimensional worlds as they put on virtual reality (VR) headsets and log into the metaverse.
Read more: What’s a Metaverse, and Why is One Having a Fashion Show?
He is not the first to send out this message, nor is he alone in doing so.
On Feb. 18, the Chinese Banking and Insurance Regulatory Commission issued a similar warning of fraudulent activity in the metaverse, pointing from everything from flat-out cons like rug pulls — in which project developers make off with investors’ funds — to selling fake “land” in various metaverse projects.
See also: China Warns About Frauds in the Metaverse
Meaning yes, a fraudster can, and likely will, try to sell you the Brooklyn Bridge — well, at least a non-fugible token (NFT) image of the Brooklyn Bridge, built on NFT plots of real estate the seller doesn’t own.
Related: PYMNTS NFT Series: What Are NFTs and Why Are They Crypto’s Newest ‘Next Big Thing?’
What’s Old is New Again
“Some new experiences using headsets and mixed reality will be in your face — quite literally — but other implications will be harder to spot,” said Bell, who’s Microsoft’s executive vice president of security, compliance, identity and management. “There is an inherent social engineering advantage with the novelty of any new technology.”
Bell warned that fraud is a cycle that’s been seen right from the beginning of the internet with knock-off domain names pretending to be real brands. It happened again with WiFi, and again when smartphones led corporations to embrace bring-your-own-device policies.
“One of the dangers of the metaverse is that, while the virtual land and property aren’t real, their monetary value is,” Alexey Khitrov, CEO at ID R&D, an artificial intelligence (AI)-powered biometric authentication firm, wrote in Information Age. “On purchase, they become real assets linked to your account. Therefore, fraud doesn’t look like it used to.”
Khitrov pointed to the example of someone spending $450,000 for an NFT land plot next to the one early metaverse adopter Snoop Dogg set up in The Sandbox. And hackers have, in fact, stolen NFTs like CyberPunks and Bored Ape Yacht Club avatars worth six and seven figures.
Read more: PYMNTS NFT Series: NFTs Target Collectors Market With Avatars, Celebrities
Locking the Virtual Door
Bell pointed to three areas of concern that businesses setting up shop in the metaverse, or just doing business there, should be wary of. The first, he said, is that criminals strike first at identity.
“Play this forward, and picture what phishing could look like in the metaverse,” he said. “It won’t be a fake email from your bank. It could be an avatar of a teller in a virtual bank lobby asking for your information. It could be an impersonation of your CEO inviting you to a meeting in a malicious virtual conference room.”
Bell pointed to techniques like multi-factor authentication (MFA) and passwordless identification. Khitrov, meanwhile, suggested that AI-powered facial biometrics — the same basic technology as smartphone facial unlocking tools — are ideal tools for countering the threat.
Bell’s second area of concern is interoperability. With more and more metaverse projects springing up — from Meta’s Facebook future to blockchain-based VR landscapes like Decentraland and The Sandbox — it is vital that companies are able to work across platforms securely.
Security experts must “understand the terrain of the metaverse as adversaries do — and use it to our advantage,” Bell said.
We’re always on the lookout for opportunities to partner with innovators and disruptors.
Learn More