Protecting Your Business from Bitcoin Payment Scams

A practical guide for Canadian merchants on spotting fake bitcoin payments, avoiding crypto fraud, and keeping your business safe.

Accepting bitcoin opens your business to a genuinely different payment rail, but it also introduces fraud patterns that differ from what most merchants know from chargebacks and card skimmers. The good news: the most common scams targeting Canadian merchants are well-documented, and most are avoidable with a small amount of operational discipline.

This article is educational only. It is not financial, tax, or legal advice. Fraud tactics change, and you should verify current guidance from the Canadian Anti-Fraud Centre (CAFC) and FINTRAC before updating your policies.

How bitcoin payment fraud actually works

Credit card fraud relies on reversibility. A bad actor uses stolen card details, the merchant ships goods, then a chargeback erases the payment weeks later. Bitcoin doesn't have chargebacks, so scammers targeting merchants who accept it have to work differently.

The most common approaches fall into a few categories:

  • Zero-confirmation fraud. A buyer broadcasts a transaction but either never actually pays the full amount or broadcasts a conflicting double-spend before the transaction confirms. If you release goods after seeing an unconfirmed transaction in a mempool viewer, you may get nothing.
  • Fake payment screenshots. A scammer sends a screenshot of a completed transaction (often fabricated or from an unrelated wallet) and pressures you to release goods immediately. The payment never arrives.
  • QR code substitution. In-person or in emailed invoices, an attacker replaces your bitcoin address QR code with their own. The customer pays, but the funds go to the attacker's wallet.
  • Overpayment scams. A "buyer" sends more bitcoin than the invoice amount, then asks you to refund the difference in CAD via e-transfer. The original bitcoin transaction is sometimes reversed later (or was from a compromised exchange account), and you're out the cash refund.
  • Phishing against your wallet or processor account. Emails mimicking your payment processor, wallet provider, or exchange try to capture your credentials or seed phrase.

None of these are bitcoin-specific in spirit. The underlying mechanics (pressure tactics and the exploitation of rushed verification) are the same as in older fraud. What changes is the technical surface.

Verifying a payment before releasing goods

The single most effective safeguard is waiting for confirmed transactions. Bitcoin transactions are considered final after six confirmations on the network, which takes roughly an hour at normal fee levels. For most retail transactions, one to three confirmations (10-30 minutes) is a practical compromise.

How to check:

  1. Have the customer show you the transaction ID (TXID), not just a wallet screenshot.
  2. Look up the TXID on a public block explorer (Blockstream.info and Mempool.space are two widely used options).
  3. Confirm the amount matches your invoice exactly, in satoshis if necessary, not just a rounded BTC figure.
  4. Wait until the confirmation count reaches your threshold before handing over goods or activating a service.

For high-value sales, require more confirmations. A CAD $200 item at one confirmation is reasonable. A CAD $5,000 item at zero confirmations is not.
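
The four checks above can be scripted. The following is an added example, not code from this guide or from any explorer project: it assumes the Esplora-style JSON that Blockstream.info and Mempool.space return for a transaction lookup, and every txid, address and block height in it is a constructed placeholder.

```python
import json

# Constructed sample in the Esplora-style JSON shape (GET /api/tx/<txid>);
# the txid, addresses and heights below are placeholders, not real data.
SAMPLE_TX = json.loads("""
{"txid": "TXID_PLACEHOLDER",
 "vout": [{"scriptpubkey_address": "bc1q_merchant_placeholder", "value": 250000},
          {"scriptpubkey_address": "bc1q_change_placeholder", "value": 91000}],
 "status": {"confirmed": true, "block_height": 840000}}
""")

def confirmations(tx, tip_height):
    """Blocks burying the transaction; 0 while it is only in the mempool."""
    status = tx.get("status", {})
    if not status.get("confirmed"):
        return 0
    return tip_height - status["block_height"] + 1

def paid_to(tx, address):
    """Satoshis sent to `address`, summed over every matching output."""
    return sum(o["value"] for o in tx.get("vout", [])
               if o.get("scriptpubkey_address") == address)

def check_payment(tx, tip_height, address, invoice_sats, min_conf):
    """Return (decision, reason); decision is release, wait, hold or reject."""
    paid = paid_to(tx, address)
    if paid < invoice_sats:
        return "reject", f"pays {paid} sat to invoice address, need {invoice_sats}"
    if paid > invoice_sats:
        # Overpayment: do not refund the difference through another channel.
        return "hold", f"overpaid by {paid - invoice_sats} sat"
    conf = confirmations(tx, tip_height)
    if conf < min_conf:
        return "wait", f"{conf} of {min_conf} confirmations"
    return "release", f"{conf} confirmations, exact amount"

if __name__ == "__main__":
    # Tip height would come from the explorer (GET /api/blocks/tip/height).
    me = "bc1q_merchant_placeholder"
    print(check_payment(SAMPLE_TX, 840000, me, 250000, 3))  # one confirmation
    print(check_payment(SAMPLE_TX, 840002, me, 250000, 3))  # three confirmations
```

The amount is compared in satoshis against the output that pays your own address, so a transaction that is real but pays someone else, or pays a rounded figure, does not pass.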

If you use a payment processor rather than accepting bitcoin directly to a wallet you control, the processor typically handles confirmation logic and shows you a "payment received" status only after the required confirmations. Check your processor's documentation to understand exactly what that status means.

Protecting your payment address and QR codes

QR code substitution is simple to pull off and easy to miss. If someone can access your printed invoice templates, your website code, or your point-of-sale setup, they can swap your address for theirs.

Practical steps:

  • Generate invoices programmatically from your payment software rather than copying addresses by hand.
  • Display your bitcoin address as text alongside any QR code so the customer can manually verify at least the first and last several characters.
  • Audit your website and any printed materials periodically, especially after a contractor or employee with system access leaves.
  • If you use a hardware or software wallet to generate receiving addresses, keep the device or application secure and treat your seed phrase like a bank vault combination.
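
The periodic audit can be partly automated for web pages and invoice templates. This is an added example, not part of the original guide: it scans template text for anything shaped like a bitcoin address and reports those that are not on your own list. The merchant address is the BIP173 test vector standing in for a real one, the unknown address and file contents are constructed, and QR images still need to be scanned by hand.

```python
import re

# Address shapes: bech32 (bc1...) and legacy base58 (1... / 3...). This finds
# candidates only; it does not validate checksums.
ADDR_RE = re.compile(
    r"\b(bc1[ac-hj-np-z02-9]{11,71}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")

def find_unexpected_addresses(files, known_addresses):
    """Return (filename, line_no, address) for each address not in the known set."""
    findings = []
    for name, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for addr in ADDR_RE.findall(line):
                if addr not in known_addresses:
                    findings.append((name, line_no, addr))
    return findings

# BIP173 test vector used as a stand-in for the merchant's receiving address.
MERCHANT = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"
# Constructed, obviously fake address representing a swapped-in value.
UNKNOWN = "bc1q" + "x" * 38

# Constructed templates: the visible text is correct, the payment link is not.
FILES = {
    "invoice.html": "<code>" + MERCHANT + "</code>\n"
                    '<a href="bitcoin:' + UNKNOWN + '?amount=0.0025">Pay</a>\n',
    "footer.html": "<p>Pay to: " + MERCHANT + "</p>\n",
}

if __name__ == "__main__":
    for name, line_no, addr in find_unexpected_addresses(FILES, {MERCHANT}):
        print(f"{name}:{line_no}: unexpected address {addr}")
```

The constructed invoice shows why the text and the link (or QR code) both need checking: the displayed address is the merchant's, while the `bitcoin:` link a wallet would open is not.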

For businesses processing more than occasional payments, consider a dedicated payment processor or a multisig wallet setup that requires multiple keys to authorize any spend. That adds friction for day-to-day operations but removes single points of failure.

Red flags in buyer behavior

Fraud often comes with pressure. A buyer insisting you release goods before a transaction confirms, or claiming the network is "slow" and you should trust their screenshot, is a warning sign. Legitimate buyers understand that bitcoin confirmations take time.

Other patterns worth noting:

  • Requests to overpay and receive a CAD refund, particularly from a new or unverified contact.
  • Urgency framing: "I need this today," "my flight leaves in an hour," "can you just check your wallet?"
  • Contact through unusual channels (personal social media, WhatsApp) rather than your normal business email or storefront.
  • Buyers who seem more focused on your internal processes (where do you generate the address, do you check the blockchain yourself or use software) than on the product.

None of these automatically mean fraud, but together they raise the threshold at which you should slow down and verify independently.

Protecting your business accounts and credentials

Phishing is the easiest attack vector against a business owner who accepts crypto. Exchange accounts, payment processor dashboards, and wallet software are all targets.

Some practical habits:

  • Use a unique, strong password for each account related to bitcoin payments. A password manager makes this sustainable.
  • Enable two-factor authentication (2FA) on every platform that offers it. Hardware tokens (like a YubiKey) are more resistant to SIM-swap attacks than SMS codes. Authenticator apps are a reasonable middle ground.
  • Never enter your seed phrase or private key into any website, browser extension, or app unless you initiated the action and verified the URL independently.
  • Be skeptical of any email claiming your payment processor account is suspended, that a transaction requires your approval, or that you need to "verify your wallet." Go directly to the platform's URL rather than clicking the email link.

For how you hold the bitcoin you receive, separate the question of fraud prevention from the question of storage security. Once a payment is confirmed, how you store that bitcoin and whether you hold it in hot or cold storage becomes the next operational decision.

Canadian reporting and compliance context

If your business falls victim to crypto fraud, report it to the Canadian Anti-Fraud Centre at antifraudcentre.ca. CAFC tracks fraud trends nationally and coordinates with law enforcement. For losses above CAD $5,000 or patterns suggesting organized crime, also file a report with your local police.

FINTRAC rules apply to businesses that qualify as money services businesses (MSBs) under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. Accepting bitcoin as payment for goods or services generally doesn't make you an MSB on its own, but if you're also exchanging crypto for customers or facilitating transfers, the analysis changes. Confirm your compliance obligations with a qualified legal or compliance professional, since FINTRAC's guidance on virtual currencies has been updated several times since 2020.

From a CRA perspective, crypto received as payment is treated as barter for income tax purposes: the fair market value in CAD at the time of receipt is your revenue, and any subsequent gain or loss on the crypto itself is a separate taxable event. Keep records of the exchange rate at the moment of each transaction. CRA's guidance on cryptocurrency is available at canada.ca, but the rules have evolved and will likely continue to, so check current publications rather than relying on older summaries.

FAQ

Do I need to wait for six confirmations every time?

Six confirmations is a conservative standard often cited for high-value or irreversible transactions. For lower-value in-person sales, one to three confirmations is common practice. The right threshold depends on the transaction size and how reversible the goods are. Consult your payment processor's documentation for its specific confirmation policy.

What do I do if I receive a fake payment screenshot?

Do not release goods. Look up the TXID on a block explorer directly. If the buyer cannot provide a valid TXID that matches your invoice amount and shows the required confirmations, treat the payment as unverified. If you believe fraud was attempted, document everything and report to CAFC.

Can I get my bitcoin back if I'm scammed?

Confirmed bitcoin transactions are irreversible on the blockchain. There is no equivalent of a chargeback or wire recall. If you shipped goods based on a fraudulent unconfirmed transaction and the payment never finalized, your recourse is through law enforcement and civil action, not through the payment network itself.

Is using a payment processor safer than accepting bitcoin directly to my wallet?

A processor adds a layer of confirmation logic and abstracts away some of the technical verification steps. That can reduce errors, but it also introduces reliance on the processor's security. Either approach carries risk if your account credentials are compromised. Using a processor doesn't eliminate the need for strong 2FA and phishing awareness.

Do I have to report crypto fraud to CRA?

A loss from fraud may be deductible as a business expense, but the tax treatment depends on your specific circumstances and how you were holding the bitcoin. This is a question for a tax professional with experience in cryptocurrency. CRA has published some guidance on crypto losses, but the application to fraud scenarios isn't always straightforward.