> ## Documentation Index
> Fetch the complete documentation index at: https://docs.range.org/llms.txt
> Use this file to discover all available pages before exploring further.

# Payment Scam Prevention

> Use Payment Risk Assessment to detect and prevent common crypto payment scams including address poisoning, new wallet fraud, and social engineering.

Crypto payment scams cost users billions annually. Address poisoning, fake recipient wallets, and social engineering attacks all exploit a fundamental gap: users can't easily verify whether a payment is safe before sending. The [Payment Risk Assessment](/risk-api/risk/get-payment-risk-assessment) endpoint closes that gap by analyzing 8 risk dimensions in real time - before funds leave the wallet.

This guide covers the three risk factors most relevant to scam prevention and how to build them into your payment flow.

<Info>
  **Prerequisites:** You need a [Risk API key](/introduction/getting-started) and familiarity with the [Payment Risk Assessment](/risk-api/risk/get-payment-risk-assessment) endpoint.
</Info>

***

## The Three Scam-Relevant Risk Factors

Payment Risk Assessment evaluates 8 independent risk dimensions. Three are directly designed to catch common payment scams:

| Risk Factor                     | What It Catches                                                                                             |  Risk Level |
| ------------------------------- | ----------------------------------------------------------------------------------------------------------- | :---------: |
| **Address Poisoning Detection** | Scammer creates a lookalike address that matches the first/last 4 characters of a real contact              |     HIGH    |
| **New Wallet Detection**        | Recipient is a freshly created wallet with no history - common in advance-fee fraud and impersonation scams | MEDIUM–HIGH |
| **Interaction History**         | Sender has never transacted with this recipient before - flags unfamiliar counterparties                    |     HIGH    |

Together, these factors catch the majority of common crypto scam patterns without false-positiving on legitimate transactions to known contacts.

***

## How Address Poisoning Works

Address poisoning is one of the most common crypto scams. Here's the attack:

1. The scammer monitors the victim's transaction history
2. They generate an address that matches the **first and last 4 characters** of a real recipient the victim has sent to before
3. They send a small "dust" transaction from the poisoned address to the victim
4. The victim later copies the address from their transaction history, unknowingly selecting the scammer's lookalike address
5. Funds are sent to the scammer instead of the intended recipient

### How Payment Risk Assessment Detects It

The `address_poisoning_attack` factor compares the recipient address against known poison address patterns associated with the sender. If the recipient's prefix and suffix match a poisoning pattern, it returns **HIGH** risk.

```json theme={null}
{
  "factor": "address_poisoning_attack",
  "risk_level": "high",
  "description": "Potential address poisoning attack detected - recipient matches poison address pattern"
}
```

This check happens automatically - no configuration needed. Just pass the sender and recipient addresses to the Payment Risk endpoint.

***

## How New Wallet Scams Work

Many scams involve directing victims to send funds to newly created wallets:

* **Impersonation scams** - "Send funds to this new wallet for verification"
* **Fake investment schemes** - Scammer provides a brand-new deposit address
* **Romance scams** - Victim is given a fresh wallet address to "help" with
* **Phishing** - Fake dApp or site provides a newly generated receiving address

Legitimate recipients (exchanges, protocols, contacts) almost always have established wallet history. A brand-new wallet with zero transactions is a strong signal that something is wrong.

### How Payment Risk Assessment Detects It

The `new_wallet_recipient` factor analyzes the recipient's onchain transaction history:

| Recipient History                | Risk Level | Factor                         |
| -------------------------------- | :--------: | ------------------------------ |
| 0 transactions                   |  **HIGH**  | `new_wallet_recipient`         |
| \<3 transactions OR \<7 days old | **MEDIUM** | `new_wallet_recipient`         |
| ≥3 transactions AND >7 days old  |   **LOW**  | `established_wallet_recipient` |

```json theme={null}
{
  "factor": "new_wallet_recipient",
  "risk_level": "high",
  "description": "Recipient is a completely new wallet with no transaction history"
}
```

***

## How First-Interaction Risk Works

Even without address poisoning or a new wallet, sending to someone you've never transacted with before carries inherent risk. Scams overwhelmingly involve first-time interactions - the victim has no prior relationship with the scammer's address.

### How Payment Risk Assessment Detects It

The `first_interaction` factor examines the transaction history between sender and recipient across both same-network and cross-chain indices:

| Prior Interactions | Risk Level | Factor                            |
| ------------------ | :--------: | --------------------------------- |
| 0 (first time)     |  **HIGH**  | `first_interaction`               |
| 1–2 interactions   | **MEDIUM** | `limited_interaction_history`     |
| 3+ interactions    |   **LOW**  | `established_interaction_history` |

```json theme={null}
{
  "factor": "first_interaction",
  "risk_level": "high",
  "description": "First ever interaction between these addresses"
}
```

<Note>
  A first interaction is not inherently malicious - everyone has a first transaction. The value is in combining it with other factors. A first interaction with an established wallet is normal. A first interaction with a brand-new wallet that matches a poisoning pattern is almost certainly a scam.
</Note>

***

## Building a Scam Prevention Flow

### Step 1: Check Payment Risk Before Sending

```javascript theme={null}
async function checkPaymentForScams(sender, recipient, amount, network) {
  const params = new URLSearchParams({
    sender_address: sender,
    recipient_address: recipient,
    amount: amount.toString(),
    sender_network: network,
    recipient_network: network,
  });

  const response = await fetch(
    `https://api.range.org/v1/risk/payment?${params}`,
    { headers: { Authorization: `Bearer ${API_KEY}` } }
  );

  return response.json();
}
```

### Step 2: Extract Scam-Relevant Factors

```javascript theme={null}
function analyzeScamRisk(paymentRisk) {
  const factors = paymentRisk.risk_factors || [];

  const scamIndicators = {
    addressPoisoning: factors.find((f) => f.factor === "address_poisoning_attack"),
    newWallet: factors.find((f) => f.factor === "new_wallet_recipient"),
    firstInteraction: factors.find((f) => f.factor === "first_interaction"),
    limitedHistory: factors.find((f) => f.factor === "limited_interaction_history"),
    maliciousRecipient: factors.find(
      (f) => f.factor === "malicious_address_recipient" && f.risk_level === "high"
    ),
  };

  // Address poisoning is always a critical warning
  if (scamIndicators.addressPoisoning) {
    return {
      level: "critical",
      warning: "Address poisoning detected",
      description: "This address closely matches another address you've transacted with. " +
        "Scammers create lookalike addresses to trick you into sending funds to them.",
      recommendation: "Do NOT send to this address. Verify the full address character by character.",
    };
  }

  // New wallet + first interaction = strong scam signal
  if (
    scamIndicators.newWallet?.risk_level === "high" &&
    scamIndicators.firstInteraction
  ) {
    return {
      level: "high",
      warning: "Possible scam - new wallet with no prior interaction",
      description: "This recipient has no transaction history and you've never sent to them before. " +
        "This pattern is common in impersonation, phishing, and advance-fee scams.",
      recommendation: "Verify the recipient through a trusted channel before sending.",
    };
  }

  // First interaction alone is a caution
  if (scamIndicators.firstInteraction) {
    return {
      level: "medium",
      warning: "First-time recipient",
      description: "You've never sent to this address before. Double-check the address is correct.",
      recommendation: "Consider sending a small test amount first.",
    };
  }

  return { level: "low", warning: null };
}
```

### Step 3: Display Warnings to Users

```javascript theme={null}
async function protectedSend(sender, recipient, amount, network) {
  const paymentRisk = await checkPaymentForScams(
    sender, recipient, amount, network
  );

  const scamAnalysis = analyzeScamRisk(paymentRisk);

  switch (scamAnalysis.level) {
    case "critical":
      // Block and show red warning - do not allow without explicit override
      return showCriticalWarning(scamAnalysis);

    case "high":
      // Show prominent warning, require confirmation
      const confirmed = await showHighRiskWarning(scamAnalysis);
      if (!confirmed) return { status: "cancelled" };
      break;

    case "medium":
      // Show informational notice
      await showCautionNotice(scamAnalysis);
      break;
  }

  // Proceed with transaction
  return await executeTransaction(sender, recipient, amount);
}
```

***

## Scam Pattern Reference

| Scam Type                    | Triggered Factors                                                  | Combined Risk |
| ---------------------------- | ------------------------------------------------------------------ | :-----------: |
| **Address poisoning**        | `address_poisoning_attack`                                         |    Critical   |
| **Impersonation / phishing** | `new_wallet_recipient` + `first_interaction`                       |      High     |
| **Advance-fee fraud**        | `new_wallet_recipient` + `first_interaction`                       |      High     |
| **Compromised account**      | `first_interaction` + `malicious_connection_recipient_high`        |      High     |
| **Fake investment**          | `new_wallet_recipient` + `first_interaction`                       |      High     |
| **Typo / wrong address**     | `first_interaction` (no poisoning)                                 |     Medium    |
| **Legitimate new contact**   | `first_interaction` + `established_wallet_recipient`               |   Low–Medium  |
| **Regular payment**          | `established_interaction_history` + `established_wallet_recipient` |      Low      |

***

## Integration Recommendations

### For Wallets

* Run Payment Risk Assessment on every send before the user signs
* Display scam warnings inline - not as a separate step users can skip
* For address poisoning: show a full-screen blocker, not a dismissable toast
* Cache results briefly (30 seconds) to avoid re-querying if the user adjusts the amount

### For Payment Processors

* Check both directions: screen the sender when receiving, screen the recipient when sending
* Log all risk assessments for dispute resolution and fraud investigation
* Set automated hold policies for first-interaction payments above a threshold amount

### For Exchanges

* Run Payment Risk Assessment on withdrawal requests before processing
* Flag `address_poisoning_attack` results for manual review - these are almost never false positives
* Use `first_interaction` + `new_wallet_recipient` to trigger additional verification (email confirmation, 2FA) on withdrawals to new addresses

***

## What's Next

<CardGroup cols={2}>
  <Card title="Payment Risk Assessment" icon="money-bill-transfer" href="/risk-api/risk/get-payment-risk-assessment">
    Full endpoint reference with all 8 risk dimensions explained.
  </Card>

  <Card title="Wallet Integration" icon="wallet" href="/risk-api/guides/wallet-dapp-integration">
    Add address screening and transaction simulation to your wallet.
  </Card>
</CardGroup>
