Steering clear of these scams might seem easy, but the tactics of modern-day scammers should not be underestimated
You may already have won! How many scams have begun with these words?
There is a new breed of scammers gaining popularity, thanks to the wild swings in the cryptocurrency market. Avast researcher Matěj Račinský has tracked three different fake crypto exchanges, with names such as TraderESL, Forbit, and Coinsfv. Each is adept at using a variety of communication channels, including Discord crypto discussion channels, phishing emails, and SMS to lure in their victims.
A typical crypto exchange scam email is reproduced below, showing that the come-on is a “promo code” that needs to be redeemed quickly so that “you can take part in the priz” (you’ll notice the typo in the image below). The misspelling should be your first tip-off that something is amiss.
A typical come-on discussion group dialog about fake crypto exchanges
The problem is that these crypto exchanges don’t exist, except as a way to exchange your money to enrich some scam artists. Certainly, the lure of free cryptocurrency is very tempting, and these scammers are very good at finding potential victims. They have designed some very professional-looking websites that include responsive designs, conversion rate details, and pages dedicated to tech support FAQs and trading history. Victims are even offered support for smartphone two-factor authentication (2FA). Sign me up now – not!
Steering clear of these types of scams might seem like an effortless feat. However, as I’ve described above, the tactics of modern-day scammers are not something that should be underestimated. I recently found myself in a situation in which I could have easily been scammed (luckily, I wasn’t). I was very interested in a (legitimate) site called Yieldstreet, an online investing platform that crowdfunds loans and offers a variety of alternative investment products. I was ready to transfer some of my hard-earned funds into one of their investments, when I realized that I should stop and read reviews about the company, such as this Business Insider article. Even after reading this, I was poised with the click of a mouse – especially when I saw that they supported 2FA. For some reason, that single fact convinced me that they’re a legitimate business, without any further investigation on my part. This goes to show how easy it is to get caught up in the heat of the moment – after all, that promo code is good for a limited time only! This sense of urgency is why scammers are so good at collecting your money.
What crypto scammers are counting on is that you will get caught up – like I did – in filling out the forms and going through a rather thorough know-your-customer process that will have you taking pictures of your driver’s license, a selfie, and some other realism-enhanced documents. They say on their fraudulent pages that they need to do this to send you your “priz” money. Having you “register” for the promotion makes the scam seem all the more realistic, just like using 2FA (which some of the exchanges offer as a “feature for your protection”).
Once you think you’re finished with the registration, you need to make a small “top off” deposit. This should be the next warning bell — never send anyone money to collect something more. Remember those Nigerian Prince email scams? They are still bringing in more than $700,000, year after year.
There are a couple of aspects of crypto exchange scams that catch victims off guard. First off, the registration process is clever. Rather than asking outright for you to send a payment, this process gets you more involved in the web of deception. What’s more, the process isn’t very clear — you don't know what other steps you need to take in order to obtain the amount of the promised winnings. They could ask for one more document to add to their database. All this information also makes the scam more valuable, because scammers can use the data you’ve so conveniently provided and sell it on the dark web.
First off, if someone offers you free money (or really, anything of value), be skeptical. Anything that is too good to be true usually is. What's more, beware of fraudulent news articles “announcing” these exchanges, such as the one shown below. If you’re unfamiliar with the site, take the time to vet it and ensure that it isn’t part of a scammer’s promotional network.
A news article designed by scammers promoting a fraudulent crypto exchange
Don’t give anyone you don’t know any of your private information – including your birth date, your photo, or banking information – until you vet them using a neutral third party. Additionally, be careful about sending any government documents to someone that you don’t know.
Finally, if you are using Discord for either your business or your own personal use, make sure you take some steps to secure its services. Set up 2FA for your login and use the “keep me safe” setting under the Privacy and Safety menu. Choose a more restrictive policy (other than “everyone”) on who can add you to their discussion groups. Furthermore, if you have corporate Slack or Microsoft Teams messaging accounts, you should use similar methods to secure them as well.