Payment scams exploiting the lure of cryptocurrency are a growing concern for individuals and businesses—losses from crypto scams increased from $907 million in 2021 to $2.57 billion in 2022. These scams typically involve criminals posing as an expert or a legitimate company to try to trick people into transferring funds or providing sensitive information. By being aware of how criminals carry out these scams, both organizations and individuals can help protect their finances and data.
Who Is Targeted?
Just like all financial scams, cryptocurrency scams target a range of individuals and enterprises. Criminals find their targets from many sources: they may find a victim’s name and email address from LinkedIn or social media, or they may target individuals based on recon that they are interested or trade in cryptocurrency. For example, if an individual is a member of an online crypto community or discusses cryptocurrency on public forums, that person may be targeted by criminals.
With cryptocurrency companies front and center in the news, many people and businesses are eager to jump on the bandwagon, even though they do not know much about it. Perhaps they’ve heard a celebrity endorsing cryptocurrency or they hear that they can make a lot of money. Whatever the reason, this lack of knowledge means that victims are more likely to miss red flags and fall for a scam.
Users of cryptocurrency need to understand that the central promise of cryptocurrency transactions is that there’s no need for a central intermediary, such as a bank or payment processor, to execute these transactions. The upside of this is that users have more control to execute fast payments, but the downside is that there is often no recourse in the event of fraud, theft, and even user error.
Cryptocurrency transactions are irreversible and, unlike bank deposits, are not covered by government-backed insurance. This means that once cryptocurrency is sent to a criminal, it may never be recovered.
Some Common Crypto Scams
“Get-rich-quick” schemes are common tactics used in crypto scams, often executed through social media.
In one variation, the victim is contacted directly through a social media community. For example, the victim belongs to a crypto investment group on Facebook, and they receive a direct message from another member—the scammer—about a great opportunity. The scammer knows that someone already belonging to a crypto investment group is more likely to respond to an unsolicited offer promising a large return on their investment. The scammer keeps the con going by initially asking for and returning small amounts, building up to a larger investment request—which disappears once the victim sends the funds.
A second variation is when the victim is contacted by a friend or business acquaintance about a crypto investment opportunity. In reality, the person is being contacted by a criminal who is masquerading as the friend or acquaintance. The scammer hopes that a solicitation from a known contact will convince the victim to comply with the request.
Many have heard of the “Tinder Swindler” and have read about romance scams. These scammers build trust in a seemingly real relationship, then con the victim into sending funds. Such crypto dating scams are often called “pig butchering”—just like a farmer running a livestock production, once the end goal is reached, the relationship is over.
In a sextortion (sex + extortion) scheme, criminals send emails to the victim claiming to have sexually explicit photos or videos and demand a cryptocurrency payment to keep the photos secret. Even if the victim pays the original extorted amount, the criminals sometimes demand more blackmail at a later time, which the victim often pays—losing even more money.
Crypto ATMs may be used by criminals to scam their victims using a familiar technology. The victim may have been targeted through a romance scam or conned by a call from a “government agency” or “bank” and instructed to deposit funds using a cryptocurrency ATM. After the money is converted to cryptocurrency and sent to the criminal’s account, the funds are moved off-platform and the ATM network cannot help the victim recover their funds.
Criminals use a twist on the classic phishing email or text to convince the recipient that the email was sent from a legitimate cryptocurrency platform. The message may include details on an “investment opportunity” or deposit instructions, or may be styled as a spoof “customer support” message. If the victim clicks the link, they are asked to enter their cryptocurrency account credentials into a webpage that closely mimics a real cryptocurrency platform, giving criminals the information needed to sign into the victim’s account and steal their money.
Fake app scams
Criminals can be as skilled in creating fake apps as they are in creating fake websites. Victims may be tricked by realistic-looking names and logos when searching for a cryptocurrency app, and install the fraudulent app instead of the legitimate app.
As part of an investment or romance scam, criminals may ask their victims to install a specific app that appears to be a legitimate cryptocurrency app. After installing the copycat app, the victim deposits money into it, which is then stolen by the criminals.
Alternatively, bogus cryptocurrency apps may contain malware. Criminals can develop apps that may execute malicious activities on mobile devices, such as stealing banking credentials, monitoring text messages, preventing the app from being uninstalled, and even evading detection by security software. Confirming that cryptocurrency apps are legitimate—reading reviews and only installing an app from the official store—is imperative prior to installing apps or depositing money.
Elder abuse scams
Financial fraud involving seniors has increased, and saw a sharp increase during the COVID pandemic. Seniors often prove to be more vulnerable to crypto scams because they may be less informed about new technologies such as cryptocurrency. Scammers view a trusting, less tech-savvy senior as easy bait with a potentially large retirement account. Investment schemes, tech-support scams, romance cons, real estate swindles, and IRS-type frauds are common techniques used to target seniors. Unfortunately, after they are convinced that a scam is real and send their savings to criminals, seniors may have to re-build their nest eggs.
No matter the type of scam they are trying to perpetrate, many criminals will use the same techniques. Be alert to these indicators of a cryptocurrency scam:
- Investors are promised a large profit in a short amount of time.
- A stranger or a “celebrity” approaches an individual on social media or a dating site about an investment opportunity.
- A cryptocurrency payment is demanded in order for an applicant to start a job or receive a service.
- An individual receives a check or overpayment and then is asked to wire the difference to a crypto exchange.
- An email, text, or message from a legitimate-sounding company or government agency demands that an individual makes a cryptocurrency payment, shares financial or banking account information, or clicks a link to see more information.
- An individual receives an unexpected message from “customer support” about their cryptocurrency transaction and is encouraged to click on a link or share private information.
- There is pressure to act immediately on an urgent request.
Due Diligence Serves as Protection Against Cryptocurrency Scams
Understand that once cryptocurrency is transferred from a cryptocurrency platform, the transaction cannot be stopped or even recovered. Do due diligence before agreeing to any transaction—whether business or personal—that involves cryptocurrency.
- Pause before responding to requests. Anyone being asked to send cryptocurrency as a payment should understand the impact it could have on their finances, especially if the person asks for additional payments. Don’t respond to unexpected contacts or investment opportunities, and be wary if a known individual or business suddenly demands payment with cryptocurrency without explanation.
- Verify the person or company before money is sent. Random or new contacts should be thoroughly vetted. Do not accept funds from or transfer funds to anonymous or unknown people or organizations.
- Don’t take any information at face value. Investigate the claims around any investment, especially if they seem too good to be true or promise overnight windfalls. Be wary of advice from celebrities, people on social media or internet forums, or anyone else who doesn’t have financial credentials. If it seems too good to be true, it’s probably a scam. Real financial professionals will provide a long series of consumer disclosures and will not provide unsolicited investment advice.
- Avoid clicking on links that appear in a suspicious or unexpected email, text message, or social media direct message (DM). It may be an attempt to install malware or steal account credentials. This includes an unexpected call or message from a purported cryptocurrency platform “customer support representative” who claims that there is an issue with an account.
- Do not send sensitive information. Never email or text contact details, private crypto account information (e.g., username, password, private cryptographic keys, seed phrases), or other sensitive information. Don’t respond to pressure to give out this type of information; rather, consider cutting ties and reporting the individual/entity.
- Secure financial accounts. Use strong credentials and enable multi-factor authentication for all accounts. Do not share passwords, private crypto keys, or seed phrases with anyone. Confirm that websites, URLs, and internet addresses are legitimate before entering any sensitive information. Remember, once a cryptocurrency transaction is initiated, it can’t be stopped (this includes erroneous sends to a wrong address or “fat finger” errors).
- Keep a detailed log of transactions. Save a record of all transactions, including screenshots of all completed transactions along with any confirmation texts and emails. Monitor financial accounts frequently to spot irregularities.
- Be aware of how public information about individuals can be used. The more public information that is available about a person, the easier it is for a criminal to target them. Individuals should check the security and privacy settings of all social media and financial accounts to confirm that only trusted contacts and friends can view their profiles.
Taking Action After a Scam
Cryptocurrency is not insured by a government entity so it can be very difficult to recover stolen money. Enterprises or individuals who fall victim to these scams are still encouraged to report the crime, as law enforcement may be able to follow the money trail to identify the criminal or fraud ring and help recover at least part of the money or perhaps bring the scammers to justice. Reporting the crime may also help prevent future scams.
- Report the crime to the following entities:
- The cryptocurrency exchange that was used to send the money
- Local and national police enforcement
- If appropriate, the online dating app or social media website where contact began. This may prevent the scammer from accessing more victims.
- Stop communicating with the criminals. However, keep all evidence of the crime, such as the name of the exchange used to convert cryptocurrency, transaction IDs, and wallet (account) addresses. Make sure to save names, profiles, emails, texts, and any other communications with the scammer(s).
- Implement online security protocols:
- Block the criminal’s profile. Also block them on messaging apps, texts, and calls.
- Confirm that all personal social media accounts are private.
- Change credentials immediately if there is evidence the criminal has accessed any accounts, such as an online banking or cryptocurrency account. Inform the bank and credit card companies that fraud may have occurred.
- While it may be tempting to hire an asset recovery firm, be wary of exaggerated claims of recovery capabilities and upfront charges. Do research and read reviews before committing to an agreement. Understand that in most cases, even if the firm can trace the flow of funds, they may not be able to recover the money.