An audacious new scamming syndicate is targeting cryptocurrency investors by imitating a legitimate firm supervised by the U.K.'s Financial Conduct Authority (FCA), the regulator said.
The “clone” outfit has been emailing and cold-calling investors and impersonating Gain Capital UK Limited by attaching that (legit) company’s Firm Reference Number to a fake name, "Blockchain Recovery Association," an FCA blog post states. (To be clear: Gain Capital UK Limited is a real company that is authorized by the FCA to carry out certain services.)
“Fraudsters are using the details of firms we authorize to try to convince people that they work for a genuine, authorized firm,” the FCA said.
“Almost all firms and individuals carrying out financial services activities in the U.K. have to be authorized or registered by us. [The Blockchain Recovery Association] is not authorized or registered by us but has been targeting people in the U.K., claiming to be an authorized firm.”
The fake firm has listed its address and phone number as: Cambridge Court 210, Shepherds Bush Rd, Hammersmith, London; +44 555-183-726. CoinDesk called this number and received a “This call cannot be completed as dialed” message (555 numbers, traditionally used for directory assistance, often indicate fake numbers).
Impersonating legitimate organizations is a longstanding and, unfortunately, often effective practice among scammers. In the U.S., for example, mortgage fraudsters have posed as government housing officials from the Great Depression well into the 21st century. Email phishing scams can be thought of as a low-effort digital version of the same ruse.
While the FCA post does not explicitly state the nature of the cloned firm’s chicanery, the fraud appears to be an attempt to trick crypto users into exposing the private keys to their holdings or other personal information.
'Tis the season
The scam identified by the FCA is perhaps a reminder that, as crypto becomes more institutionalized, scammers will keep finding newer (and bolder) ways to filch what they can from this trillion-dollar asset class.
Traditionally, phishing has been an easy attack vector for hackers and the like. In these attacks, malicious actors trick crypto users into entering sensitive information, like a password or private key, on a website or through a messaging medium in order to gain access to accounts or coins.
Alternatively, these actors may use personal contact information like email addresses, phone numbers and home addresses to extort and threaten victims.
A name like “Blockchain Recovery Association” should set off alarm bells anyway because, as many crypto users have learned the hard way, once coins have been stolen they cannot be recovered.