The US Federal Bureau of Investigation (FBI) has warned that criminals have created fraudulent apps that mimic real financial services brands to dupe investors into parting with $42.7 million over about six months.
The FBI documents several fraudulent apps that defrauded 244 victims during the months leading up to the great crypto crash in June.
It said cyber criminals are using the names, logos, and other identifying information of legitimate companies, including creating fake websites with this information, as part of their ruse to gain investors. Financial institutions should warn their customers about this activity and inform customers as to whether they offer cryptocurrency services, the FBI said in a private industry notification.
Cybercriminals behind a scam app posing as an unnamed, legitimate US financial institution defrauded at least 28 victims of approximately $3.7 million between 22 December 2021 and 7 May 2022. The scammers convinced victims to download the app and deposit cryptocurrency into wallets associated with the victims’ accounts on the app.
Thirteen of the 28 victims attempted to withdraw funds but were then told via email they had to pay taxes on their investments before making withdrawals. But after paying the supposed tax, the victims were unable to withdraw funds, according to the FBI.
Another scam saw criminals using the company name YiBit to defraud at least four victims of around $5.5 million between 4 October 2021 and 13 May 2022. It also used the ruse of blocking deposits until tax had been paid. YiBit was a former legitimate cryptocurrency exchange that appeared to close in 2018, according to the FBI.
“Following these deposits, 17 victims received an email stating they had to pay taxes on their investments before withdrawing funds; all 4 victims could not withdraw funds through the app,” the FBI explains.
Fraudulent investor apps using known banking brands are a recent trend. Sophos in May 2021 reported hundreds of fake malicious trading, banking, foreign exchange, and cryptocurrency apps designed for the Android and iOS platforms. Interpol also warned in January 2021 of scammers using Tinder and other dating apps to gain victims’ confidence, share investment ‘tips’ with them, and then lure them into downloading a fake trading app.
The FBI has set out separate recommendations for how financial institutions and investors should protect themselves.
It wants financial institutions to warn customers about fraudulent activity, inform them whether they actually do offer crypto investment services, and outline methods for identifying legitimate communications from the institution to its customers. It also wants them to tell customers whether they have a mobile app, and to conduct online searches for abuse of the company’s name, logo or other information.
For investors, the FBI warns them to be wary of unsolicited requests to download investment apps. Investors should also verify an app is legitimate before downloading it and check whether the company or app has a website, and that financial disclosures or documents are tailored to the app’s purpose and proposed financial activity. Also, treat apps with limited or broken functionality with skepticism.
The FBI is encouraging financial institutions and their customers to report incidents of fraud through fake cryptocurrency investment apps to it or its Internet Crime Complaint Center (IC3).