Evil twins in the metaverse: a safe haven for identity theft and fraud?

10 Oct 2023
by Kayla Casillo and Alexander Powell

In the metaverse, users have digital avatars which they can customise and use as a virtual proxy to interact with the metaverse environment and other users. It is useful to think of this digital avatar as a virtual extension of the user. Just as one can suffer identity theft in the real world, the question becomes, “What would happen if someone created a digital copy of you as an avatar in the metaverse and engaged in defamatory, fraudulent or other objectionable behaviour?”

In this article, the term ‘evil twin’ is used to describe three unique situations in the metaverse where:

  • a digital avatar is created to mimic a person’s likeness;
  • metaverse buildings, digital wearables, and the like are created to mimic a company’s brand; or
  • a compromised environment is set up.

Identity theft

Identity theft in the metaverse is a concern, as there are currently no measures in place to prevent a user from creating a digital avatar in the metaverse which replicates a person’s identity and likeness. An evil twin in the metaverse could be used for fraudulent or misleading purposes, and the problem could be exacerbated by incorporating artificial intelligence functionality in the metaverse, such as deep fakes, which can be used to mimic a person’s likeness. The challenges that people encounter in reality, such as identity theft, defamation and cyberbullying, may spill over into the metaverse, raising concerns that someone’s reputation in the real world could be harmed by the actions of an unruly evil twin in the metaverse.

Since the metaverse comprises decentralised environments or platforms created by various companies, it is crucial for prospective users to review the company’s end-user licence agreement before registering an account and entering the respective metaverse environment. It is also important that these terms and conditions provide a satisfactory degree of recourse in the event that the user becomes a victim of identity theft, fraud, cyberbullying, or some other form of objectionable conduct. In addition, the terms should prevent the unauthorised use of a person’s identity to ensure that each avatar is authentic and true to the identity of the user it represents.

Brand infringement

Companies wanting to enter the metaverse are able to do so by purchasing land parcels on which they can design and construct buildings. These buildings can then be branded by the company and allow metaverse users to interact with the company staff members, observe company information, or acquire digital wearables or other services from the company. As users are free to determine the aesthetics, architecture, and general design of the buildings, it may be possible for a user to unlawfully brand their building to misleadingly represent an established company or design their building to look similar to a building in real life that is representative of a specific brand. The concern is that other users will be misled to believe that the user is an official representative of the specific brand and authorised to interact with users on the metaverse in the name of such a brand, which could enable users to sell counterfeit goods or services. If a company were to become a victim of this form of metaverse fraud, not only could the company suffer substantial reputational harm, but it could also result in consumers losing trust in the brand.

Companies may also face potential risks related to digital wearables. Digital wearables are items that can be worn by a digital avatar to customise its appearance. If a company were to offer branded digital wearables for sale or as free promotional items, the company might suffer reputational damage if a user, while wearing these branded digital wearables, engages in objectionable behaviour through their avatar. For example, if a user were to harass other users or engage in unruly behaviour while wearing a branded t-shirt, such behaviour could result in reputational damage for the company. There is also the risk that users wearing branded digital wearables could fraudulently pass themselves off as being a representative of or otherwise associated with the company.

Therefore, a company will need to take proactive steps to ensure that its digital assets (buildings, digital wearables, and brand) are protected against unlawful use in the metaverse. To mitigate the risk of a fraudulent replica of a company being established and operating in the metaverse, it is recommended that the company, prior to entering a metaverse environment, carefully considers and negotiates the service provider’s terms and conditions to ensure that the company has adequate recourse in the event of fraud or other unlawful behaviour on the part of users in the metaverse. The contract should also address and regulate key legal principles such as:

  • warranties,
  • indemnities,
  • limitation of liability,
  • dispute resolution, and
  • intellectual property.

In addition, the company should look at implementing preventative measures against its digital assets being placed in the hands of unauthorised users.

Compromised metaverse environments

There is a risk that users could set up metaverse environments which appear to be legitimate but are compromised. In this situation, the metaverse environment itself would qualify as an evil twin, in that it serves as a clone of a legitimate environment. Such an environment would lack security entirely, and unsuspecting users could fall victim to fraudulent transactions, data harvesting, or other forms of cyberattacks. Moreover, the fraudsters could possibly monitor messages, transactions, and other sensitive information in this evil twin environment. Therefore, it is important for users to ensure that they are participating in a legitimate metaverse environment and to immediately exit an environment should the user notice any form of suspicious conduct or activity.

Buy now, pay later

Buy Now Pay Later (“BNPL”) is a payment option used in the metaverse which allows users to buy a product and to pay the purchase price at a later stage. Because payments are not instant and are often divided into instalments, the risk of fraud increases. The BNPL system may be susceptible to risks such as account takeovers, NFT scams, virtual asset theft, and phishing scams, and users should be cautious when opting for a BNPL commercial arrangement in the metaverse.

ENS’s Technology, Media, and Telecommunications team can assist you in reviewing and negotiating metaverse vendor terms and conditions to ensure that you are protected against the risks identified above.

Reviewed by Ridwaan Boda, the Executive and Head of ENS’ TMT practice.

Kayla Casillo
Senior Associate | Technology, Media and Telecommunications

Alexander Powell
Candidate Legal Practitioner | Technology, Media and Telecommunications