The pace of technological growth understandably excites people and businesses alike. In the realm of investments and banking, an app-driven world coupled with the emergence of cryptocurrency opens up many new avenues for investments and opportunities for financial institutions to provide mobile banking and investment services via mobile apps.
The excitement generated by these changes also extends to cybercriminals. Wherever there is money, there is the opportunity to swindle people out of their savings. This article examines the current cybersecurity situation in light of a recent FBI warning about fraudulent crypto investment apps.
When cyber threats demonstrate a repeated pattern of damage over time in a specific industry, the FBI often releases Private Industry Notifications (PINs) to warn of the danger. In July 2022, an FBI PIN addressed the rise of fraudulent crypto investment apps. According to the warning, 244 victims were impacted with a total loss of $42.7 million.
But how exactly are cybercriminals conning people out of such large amounts? Typically, a lone wolf actor or threat group creates a seemingly legitimate crypto investment app. The tactics deployed involve using the same name, logo and branding as legitimate investment platforms run by various financial institutions. Additionally, typosquatting tactics help perpetrators create websites that only slightly deviate from a real financial institution’s URL.
One scam saw threat actors using YiBit’s branding and company name to convince targets to download their crypto app and deposit money. YiBit was formerly a legitimate crypto trading platform, so it’s understandable that some people fell for these tactics. Unfortunately, the victims did not realize that YiBit closed in 2018.
Crypto apps usually require users to create a wallet where they can deposit cryptocurrency. In these scams, social engineering techniques direct victims to fraudulent investment platforms, where they download an app. They’ll create the same kinds of crypto wallets seen on legitimate platforms and then deposit cryptocurrency into those wallets. Later attempts to withdraw the cryptocurrency fail, however, and victims are left without their savings.
Much of the layperson’s interest in crypto as an investment opportunity stems from marketing hype. Online forums, YouTube channels and celebrity social media pages are rife with discussions, courses and promotions for crypto platforms. It’s easy for victims to get caught up in this hype and download fraudulent crypto investment apps without doing thorough due diligence.
Of course, this is not to say that the underlying technological innovations upon which cryptocurrencies are based aren’t genuinely useful. Blockchains provide decentralization and reduce counterparty risks in financial transactions.
Somewhat paradoxically given the sums of money lost by investors, the qualities of the blockchain—cryptography, decentralization and consensus—give it robust security by design. Unfortunately, recovering lost funds is usually difficult. If the scammer cashes out the crypto at an unregulated exchange or offshore account, victims often don’t get their money back.
The global market for cryptocurrency exchange platforms was worth $30.18 billion in 2021. Even if investor interest in crypto declines with a predicted recession, that’s still a huge market for cybercriminals to exploit. Expect to see other scam tactics emerge that leverage the buzz around crypto investments, including the use of fake celebrity endorsements for platforms, “launching” new coins, or perhaps false claims about innovative features on a platform that aren’t available elsewhere.
Fraudulent crypto investment apps continue and refine a recurring trend from the 2010s that saw cybercriminals create fake mobile banking apps. In one case from 2015, the Yanbian cybercrime gang copied a South Korean bank’s logo, name and user interface in their own mobile app. Unsuspecting users downloaded the app and entered legitimate banking credentials, which were then used by the gang to conduct fraudulent transactions.
A 2018 incident saw developers create a fake mobile token app known as Movil Secure, which they made available on the Spanish version of Android’s Google Play store. The app claimed to be associated with BBVA, one of Spain’s most trusted financial institutions and well known for its own mobile banking apps. When researchers analyzed the app’s functionality, they found it acted as spyware, transmitting information about users to a command and control server.
While mobile banking app scams remain a cybersecurity threat, it appears cybercriminals are more focused on exploiting the somewhat less regulated and Wild West nature of crypto investing.
The proliferation of fraudulent crypto investment apps and mobile banking scams creates a dilemma for financial institutions. These scams prey on the vulnerability of individuals rather than genuine lapses in cybersecurity controls and processes. It’s natural to wonder what actions (if any) financial institutions should take to help people avoid these scams.
The FBI’s PIN serves as a useful reference point here. The document advises financial institutions (including legitimate crypto trading platforms) to proactively warn customers about the potential for fraud. Other steps businesses can take include informing customers whether the financial institution offers cryptocurrency investment services and whether there’s a mobile banking or investment platform available. These all sound like reasonable actions that reputable businesses should be taking anyway.
However, one piece of advice worth noting is to periodically conduct online searches for your company’s name (and variations thereof), logo or other information to determine whether any fraudulent activity is exploiting user trust. When conducted manually, this step might seem to go above and beyond for security teams that already feel the pain of resource constraints.
Solutions that automate and simplify cybersecurity tasks will prove useful in reducing the burden. For example, managed detection and response (MDR) can help free up time and effort for in-house security personnel to engage in other valuable security tasks, such as investigating threat actors masquerading as your business to defraud customers.
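One way to automate part of the name-variation search described above, shown as an added example that is not from the FBI notification or this article's author: the Python below checks a feed of observed domain names against a brand and reports typosquats, look-alike character swaps and names that embed the brand. The brand `examplebank`, the sample feed and every function name are constructed for illustration, and the code assumes single-label TLDs.

```python
# Added example: brand, domains and function names are constructed for illustration.
BRAND = "examplebank"
LEGIT = {"examplebank.com"}  # domains the institution actually operates
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalise(label):
    """Fold hyphens and common look-alike characters to a canonical form."""
    label = label.lower().replace("-", "")
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def classify(domain, brand=BRAND, legit=LEGIT):
    """Return why a domain resembles the brand, or None if it does not."""
    domain = domain.lower().rstrip(".")
    if domain in legit or any(domain.endswith("." + d) for d in legit):
        return None
    for raw in domain.split(".")[:-1]:  # every label except the TLD
        folded = normalise(raw)
        if raw == brand:
            return "brand on unowned domain"
        if folded == normalise(brand):
            return "homoglyph or hyphen variant"
        if osa_distance(folded, normalise(brand)) <= 1:
            return "typo"
        if normalise(brand) in folded:
            return "brand embedded"
    return None


def scan(domains):
    """Map each suspicious domain in a feed to the reason it was flagged."""
    return {d: r for d in domains if (r := classify(d))}


SAMPLE_FEED = ["examplebank.com", "examp1ebank.com", "exampelbank.com",
               "examplebank-crypto.app", "examplebank.io", "example.org"]
print(scan(SAMPLE_FEED))
```

Flagged names are leads for a human to review, since an unrelated business can legitimately hold a similar name.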