July 21 – According to the FBI, cyber attackers are launching malicious apps that imitate those of legitimate companies. Consumers unwittingly download the look-alike apps, leading to phone-based malware infections and financial theft.

The FBI is highlighting this issue to help prevent cyber security risks and fraud, as US citizens have lost millions due to these scams. The reality is that anyone around the world could be affected.

The FBI’s observations

Specifically, the FBI has observed a series of cyber criminal campaigns involving malicious apps that feign association with US financial institutions, and that dupe investors into believing that they are interacting with an actual investment firm.

In some cases, cyber attackers created fake websites to complement the apps and to gain the trust of potential investors. Many of these schemes are built around cryptocurrency investment.

Investors as targets

A general interest in cryptocurrency investing has led to a spike in related cyber scams. In 2021, hundreds of investors were fooled by a cryptocurrency scam that conned them out of a collective $11 million.

This is not the first time that the FBI has issued an alert regarding cyber criminals who are targeting the investing community. Roughly a year ago, the FBI shared that cyber criminals were impersonating financial representatives in order to push investment scams.

Malicious campaign details

This warning includes details pertaining to three specific cryptocurrency fraud campaigns, which occurred between October 2021 and May 2022. Together, these three campaigns defrauded investors of over $10 million.

• In a campaign that persisted for more than six months, cyber criminals used the company name YiBit to lure four investors into handing over roughly $5.5 million. The criminal operators had victims download a fake app, and deposit cryptocurrency into a wallet.
• Another campaign involved the impersonation of a legitimate US financial institution for the purpose of stealing funds from more than two dozen victims. In total, this campaign defrauded investors of roughly $3.7 million.
• In yet another investor-fraud campaign, cyber criminals operating under the company name of Supayos (a.k.a. Supay) lured victims into downloading the Supay app and depositing funds into a fake crypto wallet. One investor is believed to have lost as much as $900,000.

Lessons learned

The FBI encourages both institutions and individuals to review and mentally check through cyber security best practices – especially as they relate to app stores, app downloads and disclosure of personal information through unverified sources.

Financial institutions may wish to proactively warn customers about the potential for fraudulent applications and activities. They may also wish to provide customers with a means of reporting it.

Institutions are also advised to regularly pursue online searches for any unauthorized uses of their company name, logo or other identifying information that cyber criminals may attempt to exploit.

Investors can protect their own interests through remaining alert in relation to suspicious emails. Unsolicited requests to download investment applications are highly suspect. Verifying that an app is legitimate ahead of downloading it is critical in avoiding scams and fraud attempts.

Enterprises and individuals may wish to report suspicious activity to appropriate authorities.

For more fraud prevention insights, click here. Or check out CyberTalk.org’s whitepaper resources. Lastly, to receive cutting-edge cyber security news, exclusive interviews, expert analyses and security resources, please sign up for the CyberTalk.org newsletter.