Scammers Impersonate Crypto Apps
As cryptocurrencies grow more popular among retail investors and major financial institutions, cybercriminals continue to take advantage of the trend. In its Monday, July 18 notification, the FBI said it discovered that scammers are targeting both U.S.-based institutions as well as retail investors. According to the FBI’s research, hackers impersonated legitimate or once legitimate crypto investment services by spoofing company names, logos, emails, and setting up entire fake websites. The scammers then reach out to their targets via phishing emails, scam messages or calls, and ask them to download their mobile applications. Once the fraudulent app is downloaded, they’ll dupe their victims into depositing funds into wallets on these apps. Since the digital wallets belong to hackers, and cryptocurrency transactions can’t be reversed, the victims could no longer access funds.
Sneaky Social Engineering Tactics
It seems scammers were able to convince victims to download bogus crypto platforms by gaining their trust through extensive and patient social engineering tactics. Cybercrooks regularly operated under YiBit — a legitimate crypto exchange that ceased operations in 2018 — and managed to swindle $5.5 million from investors between October 2021 and May 2022. One Reddit user warned others of spam WhatsApp messages initiating outreach for YiBit in late 2021. Another fraudulent app named by the FBI was Supayos (or Supay) which the FBI said shares the same name as a legitimate Australian exchange. Scammers tricked one investor into thinking he was in a program requiring a $900,000 minimum balance. When the victim tried to cancel the program subscription, he was instructed to deposit the funds or all his assets would be frozen.
FBI’s Recommendations for Institutions and Investors
While those into digital currency need to be well-versed in Bitcoin and other cryptocurrency scams, the FBI also recommended that financial institutions and investors take certain precautionary measures. Institutions should reach out to customers and warn them about such scams, while also giving them the ability to report incidents or suspicious activity. Furthermore, entities should make it clear to customers if they offer cryptocurrency investment or related services. They can also take efforts to educate customers on how they can identify legitimate communications. To stay on top of things, institutions also ought to be on the lookout for fraudulent activity involving their company’s name, logo, or other identifying information. The FBI recommends that investors take the time to verify the identity of any individual who is representing a cryptocurrency investment service. Investors should not interact with email attachments or applications if they cannot verify the sender’s identity. It is also a good practice to look into the application before downloading it. Conduct a check into whether the company or application has a website. Investors should not take any suspicious activity for granted. If an application asks for any data or document which may not fit in with its purpose, or if the application is broken or does not operate properly, treat it with skepticism. “The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office,” the notification reads. “Field office contacts can be identified at www.fbi.gov/contact-us/field-offices.”