Cryptocurrency scams: a growing threat to mobile users

Since the first cryptocurrency, Bitcoin, went live in 2009, the crypto-craze has had a host of buzzwords to go along with it: HODL (hold on [to cryptocurrency] for dear life), FOMO (fear of missing out) and FUD (fear, uncertainty and doubt), to name a few. But increasingly the word ‘scam’ is often associated with cryptocurrencies. It’s not that crypto in itself is fraudulent - many are perfectly legitimate, but the risks of trading in crypto can be quite high! Being a sought-after currency for fraudsters due to its anonymisation, it is inevitable that cryptocurrency scams will grow. The methods and tools used are novel and increasingly affecting mobile device users. As much as FinTech can provide advanced fraud protection, a good dose of user caution and knowledge is essential!

The realm of cryptocurrencies can seem daunting even to internet savvy users, which is perfectly understandable. The unregulated nature of crypto can be offputting to many, and indeed, if people are swept off their feet by the crypto hype, there is a real chance to lose a lot of money (as well as make a lot it) through some easy to make, but fateful trading decisions. With cryptocurrency, fortunes have been made, while others have been lost. And all this without falling for cryptocurrency scams. But now, with the world becoming more mobile, it’s easier than ever before to make investments in cryptocurrencies within the palms of your hands.

Take the situation with the COVID-19 pandemic, which significantly boosted the percentage of eCommerce’s share of global retail sales. In the midst of merchants and shoppers increasingly going online, the convenience has spread to mobile devices, which allowed more people to shop, pay and transfer money with great ease and from the comfort of their sofas. The ease with which mobile apps have allowed people to engage in M-Commerce, digital banking and even dabble in cryptocurrency investments is staggering, but not surprising. What is a surprise to many is the pace these changes have taken place, which were originally forecast to reach current levels by 2025-2030. Amidst this growth in mobile users, fraudsters have seen an opportunity to target people, aiming to remain hidden in the huge increase in daily transactions.

There have been many stories featured online about the various types of cryptocurrency scams catching people out. Despite the media image fraudsters have, the majority of them do not need to have advanced skills, relying instead on the readily available tools that can be found on the dark web. They play upon people’s ignorance or naivety by using tried and tested social engineering attacks, in other words, building trust with people and making them carry out actions that may not be in their best interests (clicking on a link in an email phishing scam, for example). Social engineering remains one of the most effective ways for cybercriminals to enact an account takeover. Fraudsters are aware that anti-fraud systems are becoming harder to attack face-on, which is why the path of least resistance to achieving their goals is to convince people to do half the work - by unwittingly giving away their details.

With romance scams, for example, otherwise known as ‘pig butchering’ in China (like fattening up a pig before it is killed for its meat), fraudsters can find victims through dating apps such as Tinder, spending months gaining their trust, only to then move on to talk of investment opportunities in crypto. This involves making legitimate payments and transactions using the victim’s money (which, at this point, they have agreed to give) to buy cryptocurrencies, before transferring them to digital wallets, which are then stolen by fraudsters. More sophisticated methods may include the use of pressure (and FOMO) to encourage people to make quick investments in order to make gains - sometimes, even the promise of free cryptocurrency may make people sign up to a fake crypto exchange or app, handing over their previous data. The threats are numerous and growing.

With this in mind, we write our blog posts to help educate about the fraud-related risks posed by online payments. We often highlight the advanced nature of tools and knowledge shared by fraudsters in the darknet, but we also continually emphasise that people themselves can be a weak point in the overall chain of protection. It is important for users to practice good digital hygiene with strong passwords, password managers etc. But with cryptocurrencies, it is essential to understand how they work, the risks involved, and how to remain safe and secure.

Although media coverage of online scams tends to focus on the average browsing experience being related to desktop computers (phishing scams received by email, etc.), fraudsters are increasingly focusing their efforts on the growing no. of individuals that use mobile devices to browse the internet and also carry out payments and transactions.

While cryptocurrency companies must also ensure the best possible anti-fraud solutions are on hand to secure cryptocurrency exchanges, and associated transactions either via their website or apps/digital wallets, users must be cautious when using such services. There are a plethora of fake crypto exchange websites and crypto apps, which can be used by fraudsters to action an account takeover (ATO). A phishing email may direct a user to a fake site, which at face value looks near identical to the real thing, but with minor nuances such as a dot here and there in a URL. It can also contain a direct download link to a fake crypto app.

Fake apps, on the other hand, are more difficult to distinguish. Although Apple and Google make efforts to remove fake apps from their app stores, plenty remain online - and for all those that are removed, more may appear in their place before being removed again. Some apps can gain 100,000+ downloads before they are removed. For example, a user may wish to download an exchange app from a reputable cryptocurrency company. Rather than visiting the main website, a user may choose to find it via an app store where they may download a fake version. They look convincing, using preview screenshots of the original app and with only minor differences in the app’s icon graphic to distinguish it from the original. This is why all users are encouraged to only download apps from a reputable source, and if they do so from an app store, to make sure it is a legit developer account hosting the app. Reading user reviews and ratings will also prove beneficial in determining the validity of the app.