Cybercriminals creating fraudulent mobile apps purporting to offer cryptocurrency investment services have stolen $42.7 million from 244 victims over the past two years, according to the FBI.
In some of these scams, fraudsters mimicked legitimate companies and cryptocurrency exchanges. In one case, unidentified criminals defrauded at least 28 victims of $3.7 million by impersonating a legitimate U.S. financial institution.
The FBI did not name which institution the criminals impersonated. The scam lasted from December to May, during which time the persuaded victims to download an app that used the name and logo of the financial institution. Many of the 28 victims received an email stating they had to pay taxes on their investments before they could make any withdrawals. But after paying the supposed tax, the victims were unable to withdraw funds.
In
In another case, the FBI said criminals used the names Supayos and Supay — the same name as a legitimate currency exchange service in Australia — to defraud two victims in November. The criminals instructed the victims to download the Supay app and make cryptocurrency deposits into wallets associated with their accounts.
Criminals in schemes involving fraudulent crypto investment apps netted an average of $170,000, per the FBI’s data. Fraudsters who created an app that mimicked the Supay app told one victim that he was enrolled in a program requiring a $900,000 minimum balance, to which he had not consented. When he tried to cancel his subscription, the criminals told him to deposit the necessary funds or have all his assets frozen.
Fraudulent applications are not the only vector that fraudsters are successfully using to steal from victims.
Scammers are using age-old tactics like phishing to take advantage of the uncertainty — and panic — stemming from the recent price swings of several prominent digital currencies.
The FBI did not disclose details on how exactly cybercriminals bypassed app store review processes to get their fraudulent apps onto victims’ phones, but security researchers have documented tactics criminals have used to do so.
Two major app store operators, Apple and Google, each review submissions to their platforms before making them available for customers to download. Apple has faced
However, workarounds and loopholes exist for getting unscreened apps onto consumers’ iPhones and Android devices. Google for one provides
Last year, the IT security company Sophos showed scammers
The FBI advised banks to actively warn customers about fraudsters’ attempts to put dangerous applications on their devices and provide steps customers can take to report such activity.
The agency also advised banks to inform customers whether the bank has a mobile application, whether the financial institution offers cryptocurrency investment services, and how a customer can verify that a communication from the bank is legitimate.
The FBI also recommends banks periodically conduct online searches for their company’s name, logo and other information to determine whether their brand is being used in fraudulent or unauthorized activities.