Amateur investing is certainly having its moment.
What began as an upswing in casual day trading during coronavirus lockdowns, spurred on by the love ‘em/hate ‘em free trading apps like Robinhood, has now turned into a full-blown trading revolution thanks to the arrival of Reddit-driven frenzy investing.
At the same time, the rise of so-called “swarm” investing has led to regular people getting burned. Buying equities based on social media tip-offs is, generally speaking, not such a great idea — especially buying a stock while it is hitting record highs or investing your savings into a dog meme cryptocurrency.
And while price volatility and inexperience are definitely big risks for amateur traders, there is another danger that has been largely overlooked but is equally dire: criminal scams.
All of the new Main Street money flowing into stocks and cryptocurrency is a huge opportunity for hackers, scammers, and other criminals who will do all they can to take advantage of it.
Here are eight scams that retail investors need to watch out for:
Bots
Soon after the WallStreetBets crowd pummeled the hedge funds, bots began infiltrating some of these Reddit forums to promote their own stocks.
Bots can be dangerous for investors for a few reasons. They will often impersonate the accounts of prominent people, tricking you into believing a hot ‘tip’ or a free cryptocurrency giveaway is real.
But even if you don’t fall for those tricks, bots are really good at creating and amplifying fake information, which can have a psychological effect on traders, whether they realize it or not. We’ve seen plenty of that on the political side of things — vis-a-vis Russia — but a similar strategy is also happening in financial scams.
Bots are also cheap for criminals to access. It’s easy for scammers to create the impression of a buzzy stock or cryptocurrency, so traders have to be careful to separate themselves from the noise.
Social media pump-and-dump schemes
Warnings about social media pump-and-dumps date back almost 10 years, but the new mixture of anti-Wall Street, populist ideology demonstrated in the WallStreetBets rally gives this a dangerous new appeal that criminals can take advantage of.
Scammers often create dedicated channels to stage a pump-and-dump. This could be in Telegram, Reddit, Discord, or other platforms.
While the founder of the channel may claim to be an expert, insider, or some kind of altruistic person with a larger mission in mind, in reality they are just manipulating others to drive up the price on a stock or altcoin they already own, and which they will sell as soon as it hits the right price.
Prominent figures may be used in these schemes, either wittingly or unwittingly. For instance, celebrities are often paid to publicly support new altcoins, and hackers also hijack the accounts of well-known personalities and trusted sources in order to spread false information to either pump or short a security.
Clone company scams
The UK’s National Crime Agency recently warned of a surge in a new type of investment scheme known as the "clone firm" scam.
A clone company scam is when criminals impersonate legitimate investment firms in order to defraud their victims. It’s sort of like identity theft in reverse. By using the stolen identity of a genuine investment firm, the criminals will trick victims into making the investment with them, instead of the real company.
Retail investors are often targeted via phishing emails or social media, and since the criminals provide real information about the investment firm (all of which will appear accurate, if the person looks it up online), it can be easy to fall for this con.
Phony investment apps
You’ve heard of romance scams that steal your money, but now cybercriminals are combining "catfishing" with a more costly type of investment fraud.
Interpol issued a "Purple Notice" to 194 countries recently to warn about a new scam circulating in dating apps, in which criminals lure people into using fake investment apps. These apps often look legitimate, and may even come with customer support. Here’s how it works, according to Interpol:
“Victims download a trading app and open an account, buy various financial products, and work their way up a so-called investment chain, all under the watchful eye of their new “friend”. They are made to believe they can reach Gold or VIP status. As is often the case with such fraud schemes, everything is made to look legitimate. Screenshots are provided, domain names are eerily similar to real websites, and customer service agents pretend to help victims choose the right products.”
The scam can run for weeks or months, until the scammer believes they have maxed out their victim. At that point, the person is locked out of the app, and loses everything.
SIM swapping
Another way scammers will steal money from investors is through an attack known as phone jacking, or SIM swapping.
The criminal tricks a phone company into “porting” a person’s phone number to a SIM card that is under their control. They are then able to hijack any online accounts that use that phone number as the two-factor authentication (2FA) protection.
This can include cryptocurrency exchanges, wallets, trading apps, traditional bank accounts, etc. Using the stolen phone number, the criminal will reset those account passwords to lock the victim out and steal all of their money.
Investors need to keep a low profile online, and not share information on Twitter, Discord and other forums that identifies them as a cryptocurrency or retail investor. It's also important to keep your cell phone number as private as possible, and never share it with people you do not know well. Scammers may try to "friend" you on social media, and suggest you move the conversation to SMS, Signal, or something else that will expose your phone number.
ICO and IEO scams
Investors need to be extra careful about initial coin offerings (ICOs) and initial exchange offerings (IEOs).
These fundraising methods are extremely murky, and often rife with fraud. It is common for scammers to use celebrities to endorse or promote ICOs, as in recent criminal cases involving Floyd Mayweather and Steven Seagal. The U.S. Securities and Exchange Commission (SEC) issued a warning about celebrity-backed ICOs in 2017.
In January 2020, the SEC also issued an investor alert about IEOs, warning consumers to “be careful” about investing in them, and to be aware of the risks. These risks run the gamut, from outright fraud to U.S. securities law violations.
Crypto-stealing malware
One of the most pervasive risks these days comes from crypto-stealing malware, which hijacks the victim’s wallet. This malware (see: ElectroRAT and InnfiRAT) is typically spread via phishing emails and drive-by download attacks, but it can also come through links shared in social media.
However, cybercriminals can also go behind the investor’s back, by targeting wallet companies and exchanges directly. This has happened more times than I can count, but look to EXMO and KuCoin for recent examples.
Another trick is the fake crypto-related app (wallets, exchanges, poker games, etc.), all of which are designed to steal your cryptocurrency. These may impersonate legitimate apps, like the recent scam on Trezor, and they even succeed at tricking the App Store and Google Play.
Malicious browser extensions
In recent years, a slew of financial and investing tools have become available as “add-ons” or “extensions” to the popular web browsers like Chrome, Firefox, Safari, and Opera.
Investors need to be careful about which extensions they install, because hackers can exploit these tools to steal their online credentials as well as other information through the browser.
Although crypto-related browser add-ons are a key item to watch for with this, the threat can occur with any browser extension, such as file converters and security tools.
In 2020, Google pulled over 100 malicious browser extensions from the Chrome web store, and another 500 earlier in the year. Similar problems have occurred with other major browsers, like Firefox’s ejection of over 200 dangerous add-ons in 2020 as well.
Word to the wise
Online investing is a risky business, no matter which way you slice it, so the best advice is to never invest more money than you are willing to lose — especially when it comes to cryptocurrency.
You can also take a number of steps to reduce your risk. Never log in to trading platforms or financial accounts from the same computer that you use to surf the web, check email, or chat on social media. Those activities put you at risk of many types of malware, including the kind that will harvest your online credentials in order to hijack your financial accounts.
It’s also important to use robust antivirus and a firewall, and keep all software updated. Every account should have a strong, unique password and be protected with 2FA. However, 2FA should not be based on a phone number, in case that number is hijacked. Instead, use a special 2FA app like Microsoft Authenticator or Google Authenticator.
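To make the phone-number point concrete, here is an added example (not code from the article) of how an authenticator app derives its code under RFC 6238: only a secret stored on the device and the current time go in, so porting your number to another SIM gives the attacker nothing. The secret below is the RFC's published test vector, not a real one, and the verifier's drift window is an assumption of this example.

```python
import hashlib
import hmac
import struct
import time

# HOTP (RFC 4226): truncate HMAC-SHA1(secret, counter) to a short decimal code.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    msg = struct.pack(">Q", counter)              # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                    # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

# TOTP (RFC 6238): the counter is the number of 30-second steps since the epoch.
# No phone number or network is involved; a SIM swap cannot observe this.
def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, for_time // step, digits)

# Server side: accept the current step plus/minus `window` neighbouring steps
# to tolerate small clock drift, comparing in constant time.
def verify_totp(secret: bytes, code: str, now: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    counter = now // step
    for drift in range(-window, window + 1):
        if counter + drift < 0:                   # guard: no negative counters
            continue
        candidate = hotp(secret, counter + drift, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False

if __name__ == "__main__":
    # Constructed demo secret: the RFC 6238 test vector "12345678901234567890".
    demo_secret = b"12345678901234567890"
    print("current code:", totp(demo_secret, int(time.time())))
```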
Common sense is also important. Never click on links in emails, social media, or SMS from people you don’t know. Avoid installing browser add-ons, lesser-known apps, or other “investment” tools that may be offered on the web.
Jason Glassberg is co-founder of Casaba Security, a cybersecurity and ethical hacking firm that advises cryptocurrency businesses, traditional financial institutions, technology companies and Fortune 500s. He is a former cybersecurity executive for Ernst & Young and Lehman Brothers.