TL;DR: Evertas has seen an alarming anecdotal uptick in requests for help from people who have been scammed out of anywhere from a few thousand dollars to over six figures – here are some thoughts to keep your employees, friends and family safe from predatory cryptoasset scams.
Last week I touched on elements of the social engineering criminals will use when orienting their “investment” pitch to target their victims. This week, I take a look at how criminals rely on their victims not asking the right – if any – questions about the companies for whom they work. Fraudsters also understand that regulatory and law enforcement agencies for the most part lag the market and have limited resources to devote to investigations below a certain loss threshold.
If you or someone you know is tempted by amazing returns with little risk on investing in cryptoassets, here are some things to consider before having anyone make that uninformed leap into crypto and risk losing their life’s savings.
- Please note that this is not meant to be a technical article or exhaustive in nature and no legal or financial advice is being provided.
The Company – On the Internet, nobody knows you’re a dog.
Prospects need to pay close attention to how fraudsters frame the “investment” pitch and ask the right questions about individual licenses, company details and any relevant registrations.
- Legitimate companies can be identified. In most countries, business activity and businesses are regulated. In the US, that means companies need to be registered at both the State and Federal level for both licensing and tax reasons. Normal companies will want to be found; that helps in building trust with potential new clients. That said, Evertas has seen examples where scammers make use of real company registrations and even existing web sites to lend their fraudulent enterprises legitimacy. Victims rarely ask where a company’s headquarters is located or the state in which it is registered to conduct its business, even though a largely virtual organization will still have a headquarters or main telephone number and/or fax number. This becomes an even greater problem for victims dealing with companies that claim to operate outside of the USA. Criminals count on victims’ innate human tendencies to follow the path of least resistance and NOT do their due diligence.
- Legitimate company officers and founders can be identified. Legitimate companies will make their executive team known and this is particularly true for regulated industries. Accountants, lawyers, financial planners, brokers and traders all need to pass professional examinations and be licensed to practice their respective trades. These licenses are generally publicly available. Contacts who hedge on identifying officers or individual licensing should raise a red flag. The use of Gmail, Yahoo or other non-company email addresses for officers is another red flag. People should be particularly cautious whenever an individual uses the term “professional” in describing who they are – this implies a degree of licensure that criminals are unlikely to possess.
- Legitimate investment and brokerage firms have support numbers clients can call. Generally speaking, real companies have separate channels of communication for support or complaints. Private Facebook, WhatsApp or Telegram groups are not preferred mechanisms for providing client service or support and place the victim at additional risk for social engineering. These groups will contain other “clients” who are either the same people perpetrating the scam using fake accounts or accomplices furthering the fraud. Additionally, victims need to be made aware that scammers make liberal use of virtual phone numbers to make it appear as though the fake company operates in a different jurisdiction from where the scammers actually live. Scammers may also employ knowledge of local time zones to convince victims they are in the US, for example.
- Regulatory and law enforcement agencies may not be able to help. While it is true that there is limited insurance coverage for cryptoasset accounts at some legitimate exchanges, a problem Evertas is addressing through the commercial marketplace, almost all of these coverages will not cover victims of fraud; any illegitimate exchange (those most likely to be used in a scam) will have no coverage at all. In the event of serious loss due to fraud, regulatory and law enforcement agencies are not equipped to help individual consumers below a certain financial loss threshold (and can struggle even with higher amounts). Traditional civil asset recovery can take years to conclude, even after a favorable judgment for the victim in the relevant jurisdiction (assuming you can trace your funds to a jurisdiction that is willing to go after the criminals). As noted earlier, commercial cryptoasset recovery is still in its infancy and, despite advances in big data analytics platforms that focus on cryptoassets, recovery itself takes time and effort requiring the combined expertise of forensic, investigative and legal partners. Fake profiles on social media, WhatsApp and Telegram can disappear, and without proper identification of individual accounts or other attribution from when scammers off-ramp their cryptoassets into real (fiat) currency, the odds of recovery drop effectively to zero.