Many financial institutions are setting up shop in the so-called metaverse, right alongside retailers and other businesses that people can “visit” through virtual reality. (XH4D/Getty Images)

Even though most financial institutions are shutting down their physical branches in favor of digital channels, location still matters online.

Indeed, many financial institutions are setting up shop in the so-called metaverse, right alongside retailers and other businesses that people can “visit” through virtual reality. The metaverse – really more of a collection of various virtual reality spaces which people initially used for video game play – is increasingly becoming the place to be, to shop, to attend events, and more recently to even engage in complex financial transactions, like buying a home.

In recent weeks, JPMorgan Chase, HSBC and American Express have all staked their corporate flags in the virtual world – buying plots of virtual space, often near a celebrity or in an area of metaverse that will get them seen. Case in point, JP Morgan Chase, with $2.6 trillion in assets, bought a virtual place in “Decentraland,” which reportedly serves more than 300,000 users overall, with 18,000 daily visitors.

“When HSBC recently bought virtual real estate in The Sandbox metaverse, a decentralized virtual gaming world, it joined JP Morgan in the latest sign that financial entities are betting on the potential of metaverse investments,” says Gary McAlum, senior analyst at TAG Cyber. JP Morgan Chase recently published a white paper, suggesting that this channel could offer a wealth of marketing and transactional opportunities, as well as helping them gain credibility with Generation Z and Millennials.

But with greenfield opportunities especially come great risks. While most financial institutions are by and large using their virtual world presence to market and connect, more so than to transact, this is not your father’s Second Life.

It is anticipated that metaverse user base and capabilities will snowball rather quickly. “The metaverse will likely infiltrate every sector in some way in the coming years, with the market opportunity estimated at over $1 trillion in yearly revenues,” according to JP Morgan Chase’s white paper.

And, as this evolution happens, McAlum says that, “without a doubt, cybercrime will follow.”

“While the understanding of metaverse security challenges is still evolving, there are many reasons to be concerned,” McAlum continues. While the current expectation is that the exact “method of attacks within the metaverse” may differ to those seen through email or other more established delivery channels, “the general concepts remain the same,” McAlum adds.

The metaverse has already become a hotbed for ticket scalping or resale fraud, according to Kevin Gosschalk, founder and CEO of Arkose Labs. For right now, banks and credit unions are primarily setting up shop in the metaverse “because they want to seem cool.” As metaverse channels become more popular with users and financial firms, and start becoming the site of more trade, Gosschalk predicts more automated botnet attacks will follow, and there will be a “changing of the guard.”

“The metaverse is going to be a whole new world,” Gosschalk says. “And banks will be creative in how they become involved here."

McAlum agrees: “Regardless of the medium, malicious actors will try to use deception and human error to gain access to information.”

For example, fraud and phishing attacks could come from an avatar impersonating a bank employee’s coworker instead of a misleading domain name or email address. Perhaps even more concerning, deepfake technology will “really come into its own with metaverse," McAlum predicts, as bad actors use virtual reality to gain trust and engage through impersonation.

“Clearly, identity security will be a foundational element of a strong metaverse security model,” McAlum says, adding that banks and their service providers need to think carefully about security as payments and other financial transactions become “metaverse-enabled.”