Synchrony

Synchrony allows users to access the Web3 ecosystem, manage their portfolio, compare assets…

The Anatomy of a Scam

This article is not legal or financial advice.

“When I first got into Bitcoin in 2010, I purchased 150 BTC through a convoluted process of buying and exchanging gold-backed currencies, without any sort of KYC, into a ‘wallet’ I didn’t fully understand. I was promptly scammed out of the hard-earned BTC by what is known as phishing. This was not the last time I lost money to a scammer. These attacks have become more sophisticated as the value derived from the exploits increases with Web3 technology and infrastructure value. This article aims to spread awareness and hopefully prevent these crimes going forward,” said Synchrony's founder, Andrew Keh.

The Federal Trade Commission estimates that 1bn has been lost to crypto scams since 2021 (*1). Jared Sparhawk, a Web3 forensic expert from Advisory X, states, “Fraud, deceit, and data breaches are prevalent in all fields today. Even more so now that much of our business dealings are done online.” While alarming, these metrics represent opportunities to improve security and the Web3 experience.

Motive of scams

Scammers are generally looking to accomplish a single goal: get your money!

They use traditional and Web3-specific tactics to get the victim to send money, sensitive information or otherwise compromise assets.

The Kinds of Scams We See

Phishing (Pronounced: fishing)

“Phishing is a type of social engineering where an attacker sends a fraudulent message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious software on the victim’s infrastructure like ransomware.”

Most people reading this have probably been exposed to or are victims of a phishing scam. This is one of the most common types of scams. They come in many forms: websites, emails, chats, physical mail, etc. The messages generally pretend to be an authority, a familiar person, or someone they are not. The messages contain directions or a link or are themselves malicious. Sometimes the scammer even tries to blackmail victims for incriminating data they have found or stored on their devices. If the victim interacts with the message or follows the directions, sensitive data is released, money is drained, or the system is compromised. Phishing can also be done through entirely fake websites that seem like your bank, marketplace, exchange, wallet web app, etc.

How to Avoid Getting Phished

Verify the author and point of origin of every incoming message, don’t click on unfamiliar links, and never give away compromising information regardless of the authority (unless verified). Check the username and ensure it is the same user you know (e.g., sometimes they switch a lowercase L with an uppercase i). Always check the URL, never provide private keys, and only provide information if the site is verified. Often, phishing comes from an authority figure who might have had their credentials hacked, so even if it is the admin of a Discord server or a DM from your favorite KOL, verify everything before you proceed unless you expect them to send you something. If you do NEED to click on a link, do so on a device that is not connected to any of your accounts and does not hold any sensitive information. Some service providers, like KuCoin, have a page to check the authenticity of users and email addresses: https://www.kucoin.com/cert.

Social Media Scams

There is some overlap between Phishing and social media scams because social media is generally at the top of the scam conversion funnel. That being said, social media is one of the primary channels and must be monitored and approached cautiously, especially for cold calls.

You might not fall prey to being phished or have your system compromised, but someone in your network might have been. We have seen a single user account get exploited.

The contacts of that account are then leveraged to build authenticity around another fake account, so when the exploited account owner regains control of the account, the other fake account has all it needs to seem like a legitimate contact.

There are entire TV shows and documentaries on the subject, e.g., The Tinder Swindler (Netflix) and Catfish (MTV). See ‘How to Avoid Getting Phished’ above for tips on how to avoid social media scams. John Keh, the founder of Run The Chain, said one of the most common scams he saw while at Genesis Block was the ‘Romance Scam.’ The Romance Scam is where an attractive person will reach out to the victim. Generally, this is a fake account with images pulled from another real account.

They will try to get to know the victim and then request funds to meet the individual or pay for some critical event.

How to Avoid Social Media Scams

If a user approaches you who you do not know or have no connections with, do not respond.

If a friend of a friend or someone with shared connections approaches you, always be skeptical unless you are expecting this person to reach out to you.

If someone you know reaches out to you asking for any information or money, verify the interaction through another platform before continuing.

Inform users with compromised accounts through other non-compromised channels and have them reach out to anyone their account might have interacted with.

Token/NFT scams

Token or NFT scams are a bit more sophisticated but follow the same path as most scams. Users will receive NFTs or tokens in their wallets. If the user interacts with the tokens or NFTs, their account can be drained. Many times these scams are caught early, and tokens or NFTs are labeled as such:

How to avoid Token/NFT Scams:

If you ever receive tokens or NFTs you do not recognize or are not expecting, do not touch them or do anything with them. If you try to move them or even burn them, they can sometimes drain or otherwise compromise your wallet.

Airdrop Scams:

Airdrops are a marketing tactic used by Web3 companies to generate interest in their projects.

Generally, airdrops are used for a marketing campaign or competition to generate hype and entice new users to their platform or services.

The ‘airdrop’ scam can sometimes look like the token/NFT scam mentioned above, but there are also instances of a promise of amplified returns if you send money to a wallet or contract address.

For example, if celebrities or discords get hacked and post something like the following:

How to Avoid Airdrop scams

If it sounds too good to be true, it is. Don’t send money to an address with a promise of having more sent back unless it is a verified contract address from a legitimate party (e.g., Synchrony’s staking contract).

The Finger Trap

This scam is a little more technical: the scammer gives the victim the private keys to a wallet with real money inside but no funds for the gas fees needed to move the money off. The victim sends the gas fees required to move the funds off, but as soon as they are deposited, they are drained into another account.

The Finger Trap is a wallet that sits on top of a smart contract that drains any funds sent to the wallet.

Intercept Scams (man in the middle)

The Man-in-the-Middle attack existed long before MetaMask or the blockchain, but it is just as detrimental today. This particular exploit happens when the victim is connected to a public network or has compromised their network. The scammer can scrape data you send or receive from others.

The scammer can use this to pretend to be the victim or a legitimate source and send their own wallet address as the destination to both the buyer and the seller.

How to Avoid Intercept Scams

Don’t use public networks to conduct sensitive actions like banking, interfacing with your wallet, etc.

When you need to interact with networks to make transactions or possibly expose passwords or keys in any way, do so on a private network and behind a VPN (e.g., https://protonvpn.com/).

Project / Protocol Scam

Some particularly motivated scammers build out entire projects from the ground up. These projects might seem legitimate, with strong communities and marketing promising high returns, but they end up collecting the money and running. These can be look-alike projects, exchanges, decentralized exchanges, etc.

There are two kinds of scams in this category:

  1. Copycat
  2. Exit Scams (soft/hard)

  • Copycat scams are built to take users’ money by tricking them into believing the site they are on is a site they already use. This can be through phishing or having a similar domain name. An analogy to this would be an ATM hardware scam, where the scammer places a device on top of the ATM to scrape card data, access the user’s PIN, and steal their money. The ATM looks authentic, just like a copycat website looks like the real thing.
  • The exit scam could be an article in itself as there are many variants of this type; some can be considered ‘not a scam’ and just poor fundamentals. Essentially they are real or somewhat real projects that might have a flashy pitch deck or landing page. Generally, the team is anonymous, and the project promises huge short-term gains.

How to Avoid Project / Protocol Scams

Check their socials and documentation. How long ago did they create these accounts? What is the credibility of the team? Anonymous teams are generally anonymous for a reason.

If the team information is public, check their LinkedIn. Read the project docs and listen in on AMAs. Do your research and talk to other community members.
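The username check from the phishing section (a lowercase L swapped for an uppercase i) and the similar-domain-name trick behind copycat sites can be automated in the same way. The sketch below is an added example, not code from the article or from Synchrony; it generalizes to a few other common character swaps, and the handle `alice_admin`, the misspelled hosts and the folding table are constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-lists: the hosts appear in links on this page, the handle is made up.
TRUSTED_HOSTS = ("kucoin.com", "etherscan.io")
TRUSTED_HANDLES = ("alice_admin",)

# Characters commonly swapped in look-alike names, folded to one canonical letter.
CONFUSABLE = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o", "5": "s"})


def skeleton(name):
    """Fold a name so that visually similar spellings compare equal."""
    folded = unicodedata.normalize("NFKC", name).casefold().translate(CONFUSABLE)
    return folded.replace("rn", "m").replace("vv", "w")


def classify(name, trusted, sub=False):
    """Return 'trusted', 'look-alike of X', 'suspicious: ...' or 'unknown'."""
    def same(a, b):
        # With sub=True a subdomain of a trusted host also counts as a match.
        return a == b or (sub and a.endswith("." + b))

    if not name.isascii() or "xn--" in name:
        # Non-Latin letters or punycode labels can imitate ASCII ones exactly.
        return "suspicious: non-ASCII characters"
    if any(same(name, good) for good in trusted):
        return "trusted"
    for good in trusted:
        if same(skeleton(name), skeleton(good)):
            return f"look-alike of {good}"
    return "unknown"


def check_url(url):
    # urlsplit lowercases the host, so the exact comparison ignores case.
    return classify(urlsplit(url).hostname or "", TRUSTED_HOSTS, sub=True)


def check_handle(handle):
    # Handles are compared exactly as displayed: 'I' and 'l' differ here.
    return classify(handle.lstrip("@"), TRUSTED_HANDLES)


if __name__ == "__main__":
    for url in ("https://www.kucoin.com/cert", "https://www.kucoln.com/cert",
                "https://kucoin.corn/login", "https://kuc\u043ein.com/"):
        print(url, "->", check_url(url))
    for handle in ("@alice_admin", "@aIice_admin", "@bob"):
        print(handle, "->", check_handle(handle))
```

A result of "unknown" means only that the name is not on the allow-list; it still has to be verified through another channel before it is trusted.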

Business to Business Scams

While the following scams might contain elements similar to the above, these are directed at projects or businesses and can get even more sophisticated and dangerous.

OTC Scams (b2b)

An Over-The-Counter transaction is done through a broker or between two parties instead of an exchange. This is done for several reasons: the token is not listed, the amount of tokens requested is large enough to affect market conditions, transaction fees are saved, or a discount is involved through a contract between the buyer and seller.

Victims will be approached through some communication channel for an O.T.C. offer (Discord, Telegram, LinkedIn, etc.).

The offer will generally be time-sensitive and favorable. Sometimes these can be legitimate buyers or sellers who will transfer funds but could act on behalf of a scammer to launder stolen money.

If the victim puts the funds on an exchange, the funds could be frozen and seized. Another way OTC scams can happen is when the victim is sent fake tokens or has the tokens charged back through a claim of the victim being a scammer.

A buyer and seller victim can be scammed simultaneously through an intercept scam.

How to Avoid OTC Scams

As mentioned in the subheading of this article, this is not legal or financial advice.

Brokers and OTC desks exist for a reason.

Verify all parties involved and apply the lessons from the previous scams to ensure you are dealing with the right person or entity.

Jared Sparhawk from Advisory X has this to say about due diligence:

“Due diligence/Background checks should be done on all contacts you think you will potentially do business with. This will greatly increase the fact that you are dealing with a legitimate, live, traceable entity. Even if you meet someone in person, that is little guarantee that who or what they say they claim to be, is true.”

Know Your Customer (KYC) is a process of identifying who you are dealing with. KYC is also mandated as part of many operating jurisdictions' regulatory conditions for conducting business. This also provides a paper trail of who specifically you have interacted with in case anything should happen.

There are many well-tested KYC services out there.

We also recommend a video call with the individual or entity representative.

It is a red flag if the other party refuses to get on a call or complete KYC.

Listing Scams/Investment Scams

Listing scams follow the same pattern as phishing and social media scams.

The victims, in this case, are projects that have raised capital, are looking to be listed, or have already been listed on some exchanges.

The scammer pretends to be a listing representative or investor and might even have the projects fill out fake Google Forms, get on calls, and perform due diligence.

The scammers might front a fake exchange, impersonate an exchange that works or is a real top-tier exchange, or pose as an investor.

They will ask for project tokens or stablecoins for liquidity and then run off with the money. See previous scams on how to avoid listing scams. As always, don’t trust; always verify.

IRL Scam

This is the most dangerous type of scam because it can lead to bodily harm.

Individuals will approach victims under several guises.

  1. They will want to do an OTC deal in person.
  2. They want to invest in the victim’s business and want to meet.
  3. They want to plug the victim in with another investor and fly them out somewhere in Europe.

The point of the IRL scam is to lure the victim out to a location where the scammers have people in place to perform the exploit.

For example, we heard of a scam where a rich Swiss individual was going to get divorced and was trying to hide some of his wealth by buying BTC with cash. He lured the victim with a promise of a high fee and first-class tickets. He showed up with two others with real cash in hand. After the BTC had cleared into the scammer’s wallet, they switched the bags and ran.

There are some commonalities between these different types of scams that one should look out for:

  1. Above average returns for the effort or investment
  2. Short time frame to do the deal
  3. Refusal to do KYC before they meet
  4. An ask for the victim to send money or prove they have access to money

How to Avoid IRL Scams

Sometimes it is necessary to meet investors in person, especially for larger deals. If this is the case, ensure you have performed the necessary background checks and meet in a mutually agreeable location.

The location should be public and safe. You should not need to have money on your person or account access. Generally speaking, and especially in this post-covid world, you should not need to meet in person.

The only projects we know of that meet with investors in person do so at conferences or when they happen to be in the same city as their investors.

What to do if You Have Been Scammed

The sooner you act, the higher the probability you get funds back.

  1. File a police report where you were so you have a record to show exchanges.
  2. Keep track of where the money moves using tools like https://etherscan.io/. Scammers need to offramp funds, and exchanges are a common way to turn victims’ funds into fiat. If funds move to an exchange and you show them the police report, they can freeze the scammer’s account and provide authorities with the KYC information that was required to open the account.
  3. Reach out to a forensics expert in the field to begin the process of getting your funds back.

Summary (TL;DR)

  1. Don’t trust; always verify every interaction you have that could contain sensitive information or involves the transfer of funds. Verify who the user is, the contract address you are interacting with, the social account, etc.
  2. If it sounds too good to be true, it probably is. High returns in short periods from anonymous teams are huge red flags. Elon Musk is not going to send you BTC.
  3. Cold storage wallets or exchanges are more difficult to deal with but are safer than hot wallets.
  4. Use a 3rd party service that specializes in privacy protection.

A piece of advice from Jared Sparhawk at Advisory X

“Monitoring accounts, data, private/personal information, entities, and company email accounts for breaches.

Knowing that you have a security breach will help you take swift action to greatly reduce the risk of theft, PR nightmares, and extortion.

Third-party services specializing in privacy protection should be part of your team or inner circle. This is as important as having insurance and does you no good if thought of after an incident.”

Reference links:

*1 https://techinformed.com/consumers-have-lost-over-1bn-in-crypto-scams-since-2021-ftc-finds

*2 https://artsandculture.google.com/entity/phishing/m027b9k?hl=en

*3 https://en.wikipedia.org/wiki/Man-in-the-middle_attack

This article was put together by our founder at Synchrony, Andrew Keh.


Published in Synchrony

Synchrony allows users to access the Web3 ecosystem, manage their portfolio, compare assets, backtest strategies and make transactions from a single application.

Written by Web3_Wanderer_

Blockchain Copywriter and Marketer |Technical Analyst |Budding Financial Engineer
