Digital Wallet Fraud: How It Works and How to Fight It
A full view of the customer journey is critical to detecting and preventing digital wallet fraud, as are enhanced communications and segmented strategies

Digital wallet fraud is causing concerns to organisations across the globe and is increasingly being reported to us at FICO as a leading cause of fraud losses. This is no new fad – with the spread of digital wallet payment channels in the last ten years, catalysed and popularised at a rapid rate during COVID, digital wallets (or e-wallets) are now commonplace for consumers to pay for daily goods and services (via wallets such as Apple Pay or Google Pay), facilitate cross-border payments (e.g., PayPal, Wise) and make financial investments (e.g., Coinbase, Cash App).
Figures indicate around 15% of digital wallets were compromised in 2023 and this number is on the increase, with organisations reporting to us that wallet fraud is causing continued problems and remaining a key modus operandi for fraudsters.
Types of Digital Wallets and Their Vulnerabilities
Apple & Google Pay
Apple Pay and Google Pay are very commonly targeted by fraudsters. First, the card details are compromised in some way, whether by a data breach or by tricking victims into inputting their card details in a fake site. The victim is then socially engineered into divulging a one-time passcode (OTP), which allows the fraudster to set up the card for Apple Pay and/or Google Pay on their own device.
Beyond this point, the card is linked to the fraudster’s device, and all future secure authentication checks for this token are carried out by the fraudster (facial recognition, fingerprint scans, device passcode). This is why this tactic is so dangerous: it allows the fraudster to bypass or hack the excellent authentication tools that have been implemented in many organisations across the globe to improve security on payments.
Because these payments are deemed as “secure” with these additional levels of authentication, customers (or fraudsters) can make higher value payments more easily, reducing friction and the chance for the bank to intervene.

Crypto Wallets
Fraudsters employ a diverse arsenal of schemes to drain victims’ accounts through crypto wallets. Common phishing attacks include sending fake wallet UIs, deceptive QR codes, or malicious links. Methods can vary but the main aim is to convince the victim to set up a link between their own bank account(s) and a crypto wallet under the control of the fraudster.
Once the connection is established, funds can flow into the wallet and onward with little intervention from the wallet provider or bank. Crypto is often involved in longer-term “pig butchering” scams, which commonly take the form of romance or investment scams. These schemes are on the rise and have been reported to have increased by 40% in 2024.
This approach can prove very lucrative for fraudsters - in the first half of 2025, investors lost around $2.5 billion in crypto scams and hacks, $1.71 billion of which was due to compromised crypto wallets.

Cross-Border Wallets
Some digital wallets are particularly targeted by fraudsters to enable cross-border payments, sending money across jurisdictions and obfuscating its intended final destination. Fraudsters can do this via wallets under their own control, as well as tricking victims into setting up wallets and sending the money themselves by topping up their own wallet and sending the money on.
Some of these wallets are also used for merchant payments (e.g., PayPal) and therefore can be exploited in multiple ways. Fraudsters can set up fake merchant wallets and scam victims into sending money to the “merchant”; once funds are in the wallet, they can be moved to another wallet easily and the victim is left with no goods.
These particular types of wallet payments are especially vulnerable because fraudsters tend to route fraudulent transactions through more lenient jurisdictions, to avoid being detected and make it difficult for authorities to trace or freeze illicit funds. Fraudsters can also exploit technical limitations by routing transactions through unregulated wallets or taking advantage of countries with poor cybersecurity measures in order to set up and run fake e-wallet apps.
What Makes E-Wallets So Attractive to Fraudsters?
E-wallets are all attractive to fraudsters for different reasons.
First, many e-wallet providers operate outside robust banking regulations. Crypto wallets are a good example, as their original intention was to allow people to bank in a de-regulated environment, a notion which brought many positives but also provided an excellent means for fraudsters to move funds anonymously and evade detection by authorities.
Second, payment wallets such as Apple Pay and Google Pay, once a card has been tokenised, allow the user to make high-value payments with little intervention or need to refresh strong customer authentication (SCA). The fraudster sets up the token on their own device, with their own authentication methods (facial recognition, fingerprint, passcode) and therefore authorizes every payment on the victim’s card using their own authentication data.
This is why the tokenization event itself is so crucial, to create that “secure” link that allows the fraudster to do high-value spending.
What Are Regulators Doing About It?
Jurisdictions are taking steps towards ensuring that wallet providers are accountable for their role in financial safety and fraud prevention. Many countries now require e-wallet providers to comply with KYC and AML standards, ensuring that users are properly verified before being allowed to access services.
In addition, supervisory authorities are pressuring financial institutions to implement real-time transaction monitoring so they can flag unusual spending patterns and stop suspicious transactions before losses occur.
Notably, the UK is leading the way in some of the measures to tackle e-wallet fraud. PSR rules that took effect in October 2024 mandate that payment service providers (including e-wallets) reimburse victims of authorised push payment fraud, with liability shared between the sending and receiving financial institutions.
This means that e-money providers that are involved in scams are as responsible as the banks from which the money is sent. Outside of banking regulations, the Online Safety Act in the UK is attempting to target fake adverts and promotions, mandating that tech companies do more to prevent these types of materials appearing on their platforms.
Other regions are similarly strengthening their approach to prevent e-wallet fraud. Central banks and regulators in the EU, for example, have issued guidelines for fraud prevention specifically tailored to digital wallets. In the US, the Consumer Financial Protection Bureau is moving towards treating e-wallet providers with the same oversight as banks. The Monetary Authority of Singapore, moreover, has updated its e-payment guidelines to improve its approach to scams. Finally, the Reserve Bank of India has tightened its rules for payment aggregators that are involved in many e-wallet configurations.
These examples demonstrate how seriously e-wallet fraud is being taken across the globe, but there is still a way to go. Two-factor authentication and biometric verification go a long way to ensuring that the tokenisation, or wallet setup, is done securely; nevertheless, fraudsters are still convincing people to bypass that secure stage by handing over tokenisation authentication credentials.
Greater cross-border cooperation and information sharing to track fraudsters who exploit regulatory gaps should be the focus of organisations seeking to tackle one of the major loopholes that fraudsters exploit: moving funds across regions to make them disappear from one region’s field of knowledge. By sharing threat intelligence and streamlining investigative procedures, authorities can better trace and disrupt fraudulent activities. Without this collaboration, efforts to tackle e-wallet fraud will remain fragmented and largely ineffective.
How Can Organisations Target Tokenization Fraud?
Our work with clients across the globe indicates this form of wallet fraud is causing organisations increasing concern because it allows fraudsters to circumvent secure authentication methods. Often organisations are unprepared to tackle this fraud because the tokenization data they have at their disposal to carry out effective fraud prevention is limited.
The keys to stopping this kind of fraud are:
- Enhanced data. Being able to distinguish clearly between types of tokenisation events and the risk inherent within them is key to targeting risky tokens and reducing false positives. Organisations can leverage several key data elements that provide critical insight into transaction legitimacy and behavioural patterns. These include device identifiers (like device ID, OS, and geolocation), metadata (token request time, frequency) and authentication outcome (fail/pass, mismatched credentials). Prior risk indicators such as chargebacks, blacklist associations, or compromised credentials can further enhance organisations’ understanding of the riskiness of each tokenisation event and subsequent tokenised transactions.
- Targeted communications strategy. Engage with the customer in a meaningful way to break the spell of the fraudster. Consumers are overloaded with messaging from businesses, making it difficult to cut through the noise. Targeting the customer with clear, timely messaging is key – speak to them on a preferred channel, with impactful messaging that causes them to think twice about divulging personal data to a fraudster.
- Segment wallet strategies. Harnessing the right data points for digital wallet fraud will allow organisations to segment the types of wallet fraud and target the specific tactics and patterns that emerge from each typology. As discussed, there are different types of digital wallets used for different purposes, and organisations should move to address all their complexity and variance.
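The data elements named under “Enhanced data” can be combined into a rule-based score for each tokenisation event, which also catches the new-device provisioning pattern described for Apple Pay and Google Pay earlier. The following Python is an added example, not FICO code; the field names, weights, cut-offs and sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Weights and cut-offs are illustrative assumptions, not calibrated values.
WEIGHTS = {"new_device": 30, "geo_mismatch": 20, "burst": 25,
           "auth_failures": 15, "prior_risk": 30}
BURST_WINDOW, BURST_COUNT = timedelta(hours=24), 3


def score_tokenisation(event, customer, history):
    """Return (score, reasons) for one tokenisation (wallet provisioning) event."""
    reasons = []
    # Device identifier: token requested from a device never seen for this customer.
    if event["device_id"] not in customer["known_devices"]:
        reasons.append("new_device")
    # Geolocation: request originates outside the customer's usual country.
    if event["geo_country"] != customer["home_country"]:
        reasons.append("geo_mismatch")
    # Frequency: token requests for the same card inside the window, this one included.
    recent = [h for h in history
              if h["card_id"] == event["card_id"]
              and timedelta(0) <= event["requested_at"] - h["requested_at"] <= BURST_WINDOW]
    if len(recent) + 1 >= BURST_COUNT:
        reasons.append("burst")
    # Authentication outcome: failures before the eventual pass.
    if event["failed_auth_attempts"] > 0:
        reasons.append("auth_failures")
    # Prior risk indicator: card already on a compromised or chargeback list.
    if event["card_id"] in customer["flagged_cards"]:
        reasons.append("prior_risk")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(score):
    """Map a score to an action (assumed cut-offs)."""
    return "hold_and_contact" if score >= 60 else "step_up" if score >= 30 else "allow"


# Constructed sample data, not real events.
CUSTOMER = {"known_devices": {"dev-A"}, "home_country": "GB", "flagged_cards": {"card-2"}}
T0 = datetime(2025, 1, 10, 9, 0)
HISTORY = [{"card_id": "card-2", "requested_at": T0 - timedelta(hours=h)} for h in (1, 2)]
ROUTINE = {"card_id": "card-1", "device_id": "dev-A", "geo_country": "GB",
           "requested_at": T0, "failed_auth_attempts": 0}
SUSPECT = {"card_id": "card-2", "device_id": "dev-Z", "geo_country": "ZZ",
           "requested_at": T0, "failed_auth_attempts": 2}

if __name__ == "__main__":
    for ev in (ROUTINE, SUSPECT):
        score, reasons = score_tokenisation(ev, CUSTOMER, HISTORY)
        print(ev["card_id"], score, decide(score), reasons)
```

Returning the reasons alongside the score lets the “hold_and_contact” outcome feed the targeted customer message and lets each wallet segment tune its own weights.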
What Can Consumers Do to Avoid Digital Wallet Fraud?
For wallet fraud, consumers should be wary of the following:
- Never respond to unsolicited requests for personal information. If in doubt, stop engaging or ignore the communication and reach out to your bank through a trusted channel (e.g., the genuine website’s contact details, the contact number printed on a credit card).
- Enable multifactor authentication where possible, to limit the need for text or email one-time passcode verification.
- Read OTP messages carefully for context. Banks try to make clear in their messaging what the purpose of the communication is; victims are often socially engineered to not read a communication properly and to hand over a code to a fraudster. Taking a second to think about the content of the message may help break the spell the fraudster is casting.
- Think carefully if someone you know asks you to send money via one of these wallets. If they are someone you’ve never met in person, you may be being scammed into thinking they’re a genuine person in need of money.
- If the message appears to come from someone you know but they have excuses for not ringing/facetiming/asking in person, then it may be a fraudster (see a recent article on WhatsApp scams in the UK).
My colleague Sarah Rutherford recently posted a blog on scam prevention, noting how to raise consumer awareness on scam tactics.
How FICO Helps Protect Against Digital Wallet Fraud
FICO plays a key role in working with banks, payment schemes, and network operators to combat e-wallet fraud & scams. We leverage real-time communications, data ingestion, and enterprise fraud strategy to consistently prevent compromise and losses through e-wallet attacks.
- Learn more about FICO’s approach to fraud protection and compliance
- Check out how you can fight fraud with AI Decisioning
- Discover the power of omni-channel engagement for fraud prevention
- Explore our innovative approach to enterprise fraud management