How-to guide: Implementing a policy to avoid cryptocurrency-related scams in business (USA)

Updated as of: 11 June 2025

Introduction

As businesses increasingly use cryptocurrencies for payment methods and customer rewards, the risk of loss due to cryptocurrency scams also rises. To mitigate these risks, businesses can implement robust policies and procedures. This guide provides in-house counsel, private practice lawyers and compliance personnel with guidance to put security and operational measures in place to protect against cryptocurrency-related scams.

This guide covers:

  1. What are cryptocurrency scams?
  2. How to protect the business?
  3. Adopting and implementing additional operational procedures
  4. Reporting cryptocurrency scammers
  5. Outlook

This guide can be used in conjunction with the following How-to guides: Understanding corporate criminal liability, Mitigating the risk of criminal activity, Understanding the use of cryptocurrency for payments in business, How to address tax and accounting considerations when using cryptocurrency; Checklists: Conducting an internal investigation into suspected criminal activity; Key steps to mitigate risks associated with using cryptocurrency; Quick views: Introduction to cryptocurrency and how it works, Cryptocurrency regulation and enforcement, and Understanding data privacy compliance challenges in blockchain and cryptocurrency.

Section 1 – What are cryptocurrency scams?

1.1 Similarities and differences from traditional digital scams

Cryptocurrency scams have become increasingly sophisticated as digital currencies gain popularity. These scams often involve luring victims into investing in fake cryptocurrencies or fraudulent investment schemes. Scammers may use various tactics to deceive individuals, from creating fake websites and social media profiles to sending out phishing emails. The anonymity and lack of regulation in the cryptocurrency market make it an attractive target for fraudsters. Common methods include impersonating legitimate companies or individuals to build trust and then convincing victims to transfer their cryptocurrency or personal information. Once the scammer has obtained the cryptocurrency, it is often difficult to trace or recover the funds due to the decentralized nature of the blockchain.

Cryptocurrency scams share many similarities with traditional digital scams, such as phishing, spoofing, business opportunity scams, celebrity endorsements on social media, and blackmail/extortion. Phishing in both realms involves tricking individuals into providing sensitive information by pretending to be a legitimate entity. For example, a cryptocurrency phishing scam might involve an email that appears to be from a well-known exchange, asking users to verify their account details. Spoofing, where scammers create a fake website or email address that looks like the real thing, is also common in both traditional scams and cryptocurrency scams.

Business opportunity scams, which promise significant returns on investment, are prevalent in both areas. In traditional scams, this might involve a fake real estate investment or a fraudulent stock market tip. In the cryptocurrency world, it could involve a new, too-good-to-be-true initial coin offering (ICO). Celebrity endorsements on social media are another tactic used. Scammers may hack or create fake social media accounts of celebrities to promote fraudulent investment opportunities. Finally, blackmail and extortion are tactics that can cross over into the cryptocurrency space, with scammers threatening to release compromising information unless they are paid in cryptocurrency.

However, there are key differences as well. The decentralized and anonymous nature of cryptocurrencies makes it harder to track transactions and recover funds compared to traditional bank transfers. Additionally, the lack of a central regulatory authority in the cryptocurrency market often leaves victims with little recourse for compensation or redress.

1.2 Cryptocurrency scam red flags

There are several red flags that can help identify potential cryptocurrency scams. Being contacted out of the blue by someone offering an investment opportunity should be a major warning sign. Legitimate investment firms do not typically cold-call potential investors. Another red flag is being pressured to invest quickly. Scammers often create a sense of urgency to prevent victims from doing due diligence. Promises of unrealistic rates of return, such as guaranteed daily profits or extremely high returns with little to no risk, are also clear indicators of a scam. If an investment opportunity sounds too good to be true, it probably is.

Another critical red flag is the lack of information about the investment or the people behind it. If the details are vague or the team is not transparent, it’s wise to steer clear. Genuine investment opportunities should be verifiable and have a clear, transparent team and business model.

In the USA, the Securities and Exchange Commission (SEC) maintains a register of authorized investment providers, which can be a valuable resource for investors seeking to verify the legitimacy of a company or individual. The Financial Industry Regulatory Authority (FINRA) also offers tools like BrokerCheck to help verify the credentials of brokers and investment advisors.

Other red flags include promises of inside information, pressure to keep the investment a secret, and requests to transfer funds to a new or unusual account. Always be wary of unsolicited advice and ensure that any investment is thoroughly researched and verified before proceeding.

Section 2 – How to protect the business?

2.1 Implement additional security measures

To protect against cryptocurrency scammers, businesses must continually update and adapt their security measures to address the unique risks associated with digital currencies. This process begins with staying informed about the latest threats and vulnerabilities in the cryptocurrency space. Subscribing to cybersecurity bulletins, participating in industry forums, and attending security conferences can help businesses keep up-to-date with emerging threats and mitigation strategies. Implementing robust cybersecurity protocols is essential. This includes firewalls, intrusion detection systems, and encryption for all sensitive data.

Regular security audits and risk assessments should be conducted to identify potential weaknesses. These assessments can help businesses understand where they might be vulnerable to attacks and what steps are necessary to fortify their defenses. Additionally, ensuring that all software, including wallets and exchanges, is up-to-date with the latest security patches is crucial. Outdated software can have known vulnerabilities that are easily exploited by scammers. Employee training is another critical component. Staff should be educated about the specific tactics used by cryptocurrency scammers, such as phishing and social engineering attacks, and how to recognize and respond to these threats. Regular training sessions and simulated phishing attacks can help reinforce these lessons and keep security top of mind.

For additional information, see How-to guide: How to evaluate the effectiveness of a data security or data privacy compliance program and Quick view: Key data privacy and data security terms.

2.2 Monitor transactions

Constantly monitoring cryptocurrency transactions is essential for detecting and preventing fraudulent activities. Businesses should implement real-time transaction monitoring systems that can flag suspicious activities, such as large or unusual transactions, and trigger alerts for further investigation. These systems can be integrated with machine learning algorithms to identify unusual patterns that could indicate fraudulent behavior. By analyzing transaction data in real-time, businesses can take immediate action to mitigate potential losses and prevent further unauthorized activities.

Maintaining detailed records of all transactions is also critical. This not only helps in monitoring but also aids in forensic investigations should a scam occur. Regularly reviewing transaction logs can help identify any unauthorized access or anomalies that might indicate a security breach. Businesses should also consider implementing automated reconciliation processes to match transactions against expected activity, further reducing the risk of undetected fraud. In addition, working with blockchain analytics providers can offer deeper insights into transaction flows. Their specialized tools and algorithms help businesses identify suspicious behavior across the blockchain and proactively detect potential threats, such as money laundering or fraud.
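The monitoring and reconciliation checks described in this section can be expressed as a small rule set. The following is an added example, not part of the original guide: the thresholds, wallet labels, invoice references and sample transactions are all constructed assumptions, and a production system would read them from the business's own policy and ledger.

```python
from dataclasses import dataclass
from decimal import Decimal
from statistics import median

LARGE_LIMIT = Decimal("5000")  # assumed policy limit for a "large" payment
UNUSUAL_FACTOR = 5             # assumed: flag payments over 5x the destination's median
MIN_HISTORY = 3                # prior payments needed before the median is used


@dataclass(frozen=True)
class Tx:
    tx_id: str
    dest: str        # destination wallet (placeholder labels, not real addresses)
    amount: Decimal
    ref: str         # internal reference such as an invoice number, "" if none


def review(txs, expected, known_dests):
    """Return ({tx_id: [reasons]}, [expected refs never paid]).

    txs         -- outgoing transactions in chronological order
    expected    -- {ref: (dest, amount)} from the accounts-payable ledger
    known_dests -- destinations already approved by the business
    """
    flags, history, matched = {}, {}, set()
    for tx in txs:
        reasons = []
        if tx.amount >= LARGE_LIMIT:
            reasons.append("large amount")
        if tx.dest not in known_dests:
            reasons.append("new destination")
        past = history.get(tx.dest, [])
        if len(past) >= MIN_HISTORY and tx.amount > UNUSUAL_FACTOR * median(past):
            reasons.append("unusual for destination")
        # Reconciliation: every payment must match exactly one expected item.
        exp = expected.get(tx.ref)
        if exp is None:
            reasons.append("no matching expected payment")
        else:
            if tx.ref in matched:
                reasons.append("expected payment already settled")
            elif exp != (tx.dest, tx.amount):
                reasons.append("differs from expected payment")
            matched.add(tx.ref)
        history.setdefault(tx.dest, []).append(tx.amount)
        if reasons:
            flags[tx.tx_id] = reasons
    return flags, sorted(set(expected) - matched)


# Constructed sample data for illustration only.
SAMPLE_KNOWN = {"wallet-supplier-a"}
SAMPLE_EXPECTED = {
    "INV-101": ("wallet-supplier-a", Decimal("200")),
    "INV-102": ("wallet-supplier-a", Decimal("220")),
    "INV-103": ("wallet-supplier-a", Decimal("210")),
    "INV-104": ("wallet-supplier-a", Decimal("250")),
    "INV-105": ("wallet-supplier-a", Decimal("300")),
}
SAMPLE_TXS = [
    Tx("t1", "wallet-supplier-a", Decimal("200"), "INV-101"),
    Tx("t2", "wallet-supplier-a", Decimal("220"), "INV-102"),
    Tx("t3", "wallet-supplier-a", Decimal("210"), "INV-103"),
    Tx("t4", "wallet-supplier-a", Decimal("2500"), "INV-104"),  # ten times the invoice
    Tx("t5", "wallet-unlisted", Decimal("6000"), ""),           # no invoice, new wallet
]

if __name__ == "__main__":
    flagged, unpaid = review(SAMPLE_TXS, SAMPLE_EXPECTED, SAMPLE_KNOWN)
    for tx_id, reasons in flagged.items():
        print(tx_id, "->", ", ".join(reasons))
    print("expected but not paid:", unpaid)
```

Each flagged transaction carries its reasons, so the reviewer's record of why an alert fired doubles as the detailed transaction log the section calls for.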

2.3 Utilize multi-factor authentication

Implementing multi-factor authentication (MFA) is a critical security measure to protect against unauthorized access to cryptocurrency assets and accounts. MFA requires users to provide two or more verification factors to gain access, such as a password combined with a one-time code sent to a mobile device or an authentication app. This adds an extra layer of security beyond just using a password, making it significantly harder for scammers to compromise accounts.

Businesses should enforce the use of MFA for all employees, especially those with access to sensitive information or financial assets. Utilizing hardware security keys, which are physical devices that must be present to log in, can further enhance security. These keys provide a higher level of protection against phishing and other types of attacks. Additionally, businesses should implement strict policies regarding password complexity and regular password changes to complement MFA. Ensuring that MFA is in place for all critical systems and accounts can greatly reduce the risk of unauthorized access and provide peace of mind that sensitive assets are protected.

2.4 Consider multi-signature wallets

Multi-signature (‘multi-sig’) wallets provide an additional layer of security by requiring multiple private keys to authorize a transaction. A private key is a secret cryptographic key that allows an individual to access and control their cryptocurrency assets. In the context of multi-signature wallets, multiple private keys are needed to authorize a transaction, enhancing security by ensuring that no single person has sole control over the funds. This means that even if one key is compromised, the attacker cannot access the funds without the other keys. Businesses can set up multi-sig wallets to require signatures from several trusted employees or devices, reducing the risk of internal fraud and external hacking.

Implementing multi-sig wallets involves careful planning and consideration of the specific needs and structure of the business. For example, a business might require three out of five signatures to approve a transaction, ensuring that no single individual has complete control over the funds. This approach also adds a layer of checks and balances, as multiple parties must agree on a transaction before it can proceed.

For businesses managing large amounts of cryptocurrency, multi-sig wallets are particularly useful. They provide a robust defense against unauthorized transactions and can be integrated with other security measures, such as cold storage and blockchain analysis. Regularly reviewing and updating the list of authorized signatories and their security practices is also essential to maintain the integrity of the multi-sig system.

2.5 Consider cold storage

Cold storage refers to keeping cryptocurrency assets in an offline environment, disconnected from the internet, which makes them less vulnerable to hacking. Businesses can use hardware wallets or paper wallets to store the private keys of their cryptocurrencies securely.

Hardware wallets are physical devices designed to securely store private keys offline, making them less vulnerable to hacking and online threats. In contrast, paper wallets involve printing the private keys on a physical piece of paper, which can be stored safely but may be at risk of damage or loss. While both methods aim to enhance security, hardware wallets offer more convenience for regular access and transactions compared to the static nature of paper wallets.

Cold storage is particularly useful for long-term storage or holding large amounts of cryptocurrency that do not need to be accessed frequently. By isolating these assets from online threats, businesses can significantly reduce the risk of cyber-attacks. It is crucial to ensure that the physical security of cold storage devices is also maintained, with backups and secure locations for storing hardware.

2.6 Blockchain analysis

Blockchain analysis tools can provide valuable insights into the transactions and activities on the blockchain, helping businesses detect and prevent fraudulent activities. These tools can trace the origin and destination of funds, identify suspicious patterns, and flag transactions linked to known scam addresses or malicious entities. By leveraging blockchain analysis, businesses can monitor the flow of their assets and ensure compliance with regulatory requirements. Additionally, these tools can assist in forensic investigations if a scam occurs, providing a detailed view of the transaction history. Integrating blockchain analysis into the security strategy can enhance the overall protection against cryptocurrency scams.

Section 3 – Adopting and implementing additional operational procedures

3.1 Updating existing security procedures to incorporate cryptocurrency considerations

Incorporating cryptocurrency considerations into existing security procedures is crucial for businesses looking to protect themselves against crypto scammers. This begins with updating current policies to address the unique risks and requirements of handling digital currencies. For instance, businesses should revise their incident response plans to include scenarios involving cryptocurrency theft or fraud. Additionally, data protection policies should be expanded to cover the secure storage and transmission of cryptocurrency-related data, such as private keys and transaction records. By integrating these considerations into existing frameworks, businesses can ensure that their security procedures are robust and relevant to the evolving threat landscape.

Businesses should incorporate specific guidelines for securing cryptocurrency exchanges and wallets into their broader cybersecurity policies. Typically, the signing off on such guidelines and policies, including those for securing cryptocurrency exchanges and wallets, is done by senior management, such as the Chief Information Officer (CIO) or Chief Security Officer (CSO), as well as compliance officers and legal advisors to ensure alignment with regulatory requirements. Input from IT and cybersecurity teams is vital to ensure the policies are practical and effective against threats.

This includes specifying the types of wallets that are considered secure (eg, hardware wallets) and setting procedures for securely transferring funds. Policies should also cover encryption for protecting sensitive information and require regular security audits to verify compliance and efficacy. By embedding these cryptocurrency-specific measures into the core security policies, businesses create a cohesive and comprehensive strategy that enhances overall protection.

It is also advisable to develop new, cryptocurrency-focused policies and procedures. These should include guidelines for handling, storing, and transferring cryptocurrencies. For example, a cryptocurrency handling policy might cover use of multi-sig wallets, cold storage and transaction approvals. It is also important to have regular cryptocurrency audits to check for any irregularities or signs of fraud. Clear cryptocurrency policies help employees manage digital assets securely and effectively. This in turn benefits senior management, internal oversight and other internal monitoring bodies, and external auditors from an oversight and monitoring perspective.

New policies should cover the creation and management of private keys, including best practices for generating, storing, and backing up these keys. Procedures should be put in place for the secure disposal of old or compromised keys to prevent unauthorized access. Businesses should also develop protocols for responding to cryptocurrency-related breaches, detailing steps for containment, investigation, and recovery. Establishing a clear chain of command for reporting and responding to cryptocurrency-related incidents ensures that all stakeholders (eg, employees, compliance personnel, IT and security, and external auditing assistance and legal counsel) know their roles and responsibilities, leading to a more coordinated and effective response.

3.2 Important security protocols to incorporate into policies and procedures

3.2.1 Research other businesses

To improve security, research how other businesses, particularly those in the financial and technology sectors, manage cryptocurrency risks. By learning from industry best practices, businesses can identify effective strategies and avoid common pitfalls. This research should be documented and incorporated into the company’s own policies and procedures to ensure they use the latest security measures.

Networking with industry peers at conferences or trade fairs and joining professional organizations can also provide valuable insights and collaboration opportunities. Businesses should consider joining industry groups focused on cryptocurrency and cybersecurity to share knowledge and stay updated on emerging threats and solutions. By leveraging industry expertise, businesses can continuously enhance their security measures and stay ahead of potential scams.

3.2.2 Know Your Customer (KYC) process

Implementing a strong Know Your Customer (KYC) process is crucial for verifying the identity of clients and preventing fraud. This involves collecting detailed customer information, such as identification documents and proof of address, and verifying this information against reliable sources. By ensuring that all customers are thoroughly vetted, businesses can reduce the risk of transacting with fraudulent entities. KYC procedures should be regularly reviewed and updated to comply with current regulations and industry standards.

Ongoing monitoring is a key component of an effective KYC strategy. By establishing robust protocols for flagging and investigating unusual or suspicious activity, businesses can stay ahead of potential fraud. Enhanced due diligence for high-risk customers or large transactions adds an extra layer of security.

Integrating KYC processes with transaction monitoring systems creates a more comprehensive fraud detection framework. Collaboration with regulatory bodies and compliance experts can further enhance the effectiveness of KYC procedures, thus ensuring that they meet all legal and industry requirements.

For further information, see How-to guides: How to assess your organization for money laundering and terrorist financing risk and How to comply with due diligence requirements for financial institutions determined to be of primary money laundering concern. 

3.2.3 Ignore unsolicited contacts and unfamiliar links

Training employees to recognize and ignore unsolicited contacts and unfamiliar links, which are commonly used in phishing attacks to trick people into giving away sensitive information or installing malware, is crucial. Policies should clearly state that no sensitive information should be shared in response to unsolicited emails, messages, or phone calls. Furthermore, employees should be instructed to verify the legitimacy of any unexpected communication through independent means before taking any action. This protocol helps prevent social engineering attacks and protects sensitive information from being compromised. Regular awareness training about the importance of vigilance through emails and other internal communications channels is recommended.

To reinforce this policy, businesses should implement technical measures such as email filtering and anti-phishing software to block malicious emails and links. Regular phishing simulation exercises can teach employees to be cautious and to recognize and respond appropriately to suspicious messages. By fostering a culture of skepticism and vigilance, businesses can reduce the likelihood of falling victim to phishing attacks. Additionally, clear reporting procedures should be established for employees to report suspicious contacts, enabling the business to take prompt action and investigate potential threats. Encourage open communication between employees and IT/security teams so that employees can feel comfortable reporting suspicious activities.

3.2.4 Verify HTTPS in URL of crypto exchange or wallet address

Ensuring that the URL of any cryptocurrency exchange or wallet address begins with HTTPS is a fundamental security practice. HTTPS indicates that the connection is secure and encrypted, reducing the risk of data interception by malicious actors. Employees should be trained to check for HTTPS in the URL and to avoid entering sensitive information on websites that do not use this secure protocol. This simple yet effective measure can significantly reduce the risk of falling victim to phishing scams and other online threats.

A practical example of this security practice can be seen in a business’ training session for employees handling cryptocurrency transactions. During the session, employees are shown how to identify secure websites by looking for ‘HTTPS://’ in the URL of a cryptocurrency exchange, such as ‘https://www.secureexchange.com.’ They are then instructed to always verify that they are on the correct site before entering any sensitive information, such as login credentials or wallet details. Ensure that browsers and security software are kept regularly updated to protect against the latest threats.
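The two checks taught in the training session above (the URL uses HTTPS, and the employee is on the correct site) can also be enforced in software, for example in a bookmark manager or an internal link checker. The following is an added example, not part of the original guide: the approved-host list is an assumption built from the guide's illustrative exchange address, and the test URLs are constructed.

```python
from urllib.parse import urlsplit

# Assumed allowlist; the only entry is the illustrative exchange named in this guide.
APPROVED_HOSTS = {"www.secureexchange.com"}


def check_exchange_url(url, approved=APPROVED_HOSTS):
    """Return (ok, reason) for a URL an employee is about to open."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname      # lower-cased by urlsplit
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not HTTPS"
    # "https://trusted-name@other-host/" displays the trusted name first,
    # but the browser connects to other-host.
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded before host"
    if not host:
        return False, "no host"
    # Look-alike characters from other alphabets, raw or punycode-encoded.
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        return False, "internationalized host name"
    if port not in (None, 443):
        return False, "unexpected port"
    # Exact match only: a trusted name used as a prefix of a longer host fails.
    if host.rstrip(".") not in approved:
        return False, "host not on approved list"
    return True, "ok"


# Constructed sample URLs; .example is a reserved test domain.
SAMPLES = [
    "https://www.secureexchange.com/login",
    "HTTPS://WWW.SecureExchange.com/login",
    "http://www.secureexchange.com/login",
    "https://www.secureexchange.com.login-check.example/",
    "https://www.secureexchange.com@login-check.example/",
    "https://www.secureexch\u0430nge.com/",   # Cyrillic letter in place of "a"
    "https://www.secureexchange.com:8443/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, reason = check_exchange_url(sample)
        print(("ALLOW" if ok else "BLOCK"), reason, ascii(sample))
```

Five of the seven constructed samples begin with `https://` and are still blocked, which is why the training pairs the HTTPS check with confirming the site itself.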

3.2.5 Limited access to wallets and cryptocurrency accounts

Limiting access to wallets and cryptocurrency accounts to only those employees who absolutely need it is another essential security measure. Access controls should be implemented based on the principle of least privilege, ensuring that employees have only the permissions necessary to perform their job functions. For example:

  • role-based access controls (RBAC) can help manage these permissions effectively;
  • defining roles and assigning responsibilities based on job functions will ensure that employees only have access to the resources they need;
  • conducting periodic reviews of access rights to ensure that only authorized personnel retain access to sensitive accounts and wallets. This helps to identify and revoke unnecessary permissions;
  • implementing multi-factor authentication (MFA) for all wallet and cryptocurrency account access. This adds an extra layer of security beyond just passwords, requiring users to verify their identity through multiple methods (eg, a code from a mobile app, a fingerprint scan); and
  • utilizing hardware security modules (HSMs) or dedicated hardware wallets for storing private keys. These physical devices provide a highly secure, tamper-resistant environment for cryptographic keys, significantly reducing the risk of software-based attacks. 

3.2.6 Reporting requirements

Establishing clear reporting requirements for any suspicious activity or security incidents is crucial for timely detection and response. Employees should be trained to recognize and report potential threats, such as phishing attempts or unauthorized access, immediately. A centralized reporting system can help streamline this process and ensure that all incidents are documented and investigated promptly. A centralized reporting system means that all security incidents, such as breaches, fraud attempts, or suspicious activities are recorded in a single, organized platform. This allows businesses to efficiently track and manage incidents, ensuring that they are addressed quickly and thoroughly. This is discussed in more detail at section 4 below.

3.3 Education and training personnel on crypto scams and security procedures

Regular training sessions should be conducted by the IT security team, compliance officers, external experts, or Human Resources to keep employees updated on the latest crypto scams and the security measures in place to combat them. These sessions should include real-world examples and hands-on exercises to ensure that employees can apply their knowledge effectively. Additionally, providing access to educational resources such as online courses, webinars, and workshops can further enhance their understanding of cryptocurrency security. Interactive training platforms that engage employees through quizzes and simulated phishing attacks can be particularly effective in reinforcing their learning. Implementing a feedback mechanism where employees can share their experiences and suggest improvements can make the training program more robust and responsive.

The training sessions should also include information about industry standards, legislative changes, and regulatory requirements. Encouraging employees to attend industry conferences, subscribe to relevant publications, and participate in compliance seminars can help them stay up-to-date with the latest developments.

3.3.1 Keeping procedures under review – audit and monitoring

Regular audits and continuous monitoring of procedures and processes are essential for ensuring that security measures remain effective.

Consider the following:

  • audit frequency: scheduled audits should be conducted periodically (the frequency of such audits depends on the business activities, but should be not less than annually), using both internal and external auditors to provide a comprehensive assessment of the security framework;
  • automated monitoring tools: implement tools that detect anomalies and suspicious activities in real time, alert on them promptly, and provide detailed reports for review;
  • review and action: regularly review audit findings to identify and address any weaknesses in the security protocols. Implementing corrective actions promptly based on these findings can prevent potential vulnerabilities from being exploited by scammers;
  • continuous improvement: fostering a culture where feedback from audits and monitoring is used to continuously enhance security measures and procedures can significantly strengthen the business' defenses against cryptocurrency scams. Encourage employees to engage in the process by sharing insights and suggestions;
  • scenario-based testing and red teaming: Beyond traditional audits, conduct regular scenario-based testing and ‘red team’ exercises where internal or external security professionals simulate real-world attacks. This proactive approach helps identify vulnerabilities that might not be uncovered through standard audits and allows for the refinement of response procedures; and
  • compliance with regulatory requirements and industry standards: Ensure that audit and monitoring processes also verify compliance with relevant cryptocurrency regulations (eg, AML/KYC) and industry security standards (eg, ISO 27001, NIST Cybersecurity Framework). This not only strengthens security but also helps avoid legal and reputational risks.     

For further information, see How-to guide: How to develop, implement and maintain a US information and data security compliance program; and Checklist: Completing a data and information security risk assessment.

Section 4 – Reporting cryptocurrency scammers

As noted at section 3.2.6, establishing robust procedures for reporting cryptocurrency scams is crucial for businesses to protect their assets, reputation, and employees. Cryptocurrency scams can lead to significant financial losses. Having a clear reporting procedure and culture of vigilance can mitigate these threats. The information gathered through reports helps to improve security measures and protect against attacks. A formal reporting process also raises awareness about the importance of staying alert to scams.

4.1 Establish clear reporting procedures

4.1.1 Define reporting channels

Designate points of contact by assigning specific individuals or teams responsible for handling reports of cryptocurrency scams. Typically, this could be your IT security team, compliance officer, or a dedicated fraud prevention team. Ensure these points of contact are well publicized and are well known within the business in the event of a scam. If it is a small business, assign dual roles as needed (ie, where roles may have to be managed by the same person) or utilize external resources (eg, hire cybersecurity consultants or fraud prevention services on a contract basis to undertake these oversight and monitoring tasks).

It is advisable to create a standardized reporting template for reporting incidents. This should include fields for the date and time of the incident, details of the scam, whether any reports have been made to, for example, law enforcement, and any supporting documentation (eg, screenshots and emails). Ensure the template is easily accessible to all employees and available in both digital and printed formats.

4.1.2 Encourage prompt reporting

Set up an anonymous hotline or secure online reporting form so that employees can report scams anonymously. Ensure that these reporting channels are managed by a trusted third party to guarantee continued anonymity.

Implement and communicate a non-retaliation policy to ensure employees feel safe reporting scams. A non-retaliation policy is a formal guideline that protects employees from adverse actions or consequences when they report misconduct, such as scams or unethical behavior within the business. This policy ensures that individuals who come forward with concerns (often referred to as whistleblowers) will not face retaliation, harassment, or disciplinary measures for their actions. Display this policy prominently in common areas and include it in employee handbooks.

For further information, see How-to guides: How to develop a whistleblower policy and reporting program; and How to draft the key provisions of an employee handbook.

4.1.3 Continuous improvement

Creating a feedback loop: Set up a system where employees can provide suggestions to improve the reporting process. Regularly review and update procedures based on this feedback. Use anonymous surveys to gather honest opinions on how well the current reporting process works.

Incident review: After handling a reported incident, review what happened to find any lessons learned or areas for improvement. Hold meetings with everyone involved to discuss what went well and what could be better.

4.2 Report to IT security team

4.2.1 Immediate action

Threat containment: When a report is received, the IT security team should act quickly to contain the threat. This may involve isolating affected systems, blocking suspicious IP addresses, and removing any malicious software. If you do not have an IT security team, report to the designated IT security person within your business. If you do not have a designated IT security person, or a person who holds this role in addition to another role, report to your business’ external IT security resource (or utilize an external IT security resource). Quick action can prevent further damage and limit the spread of the scam. Make sure containment procedures are well documented and that team members are trained to follow them efficiently.

Preserving evidence: Ensure all evidence related to the scam is preserved, including logs, emails, and any other relevant data. Proper evidence preservation is crucial for both internal investigations and potential legal actions. Use secure, tamper-proof methods to store evidence.
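One way to make stored evidence tamper-evident is a hash-chained manifest: each collected item is recorded with its SHA-256 digest, and each record includes the hash of the record before it. The following is an added example, not part of the original guide: the field names, collector names, timestamps and file contents are constructed assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" used by the first record


def _record_hash(record):
    """Hash every field of a record except its own entry_hash."""
    fields = {k: v for k, v in record.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


def add_entry(log, name, data, collected_by, collected_at):
    """Append a manifest record for one evidence item (data is bytes)."""
    record = {
        "name": name,
        "sha256": hashlib.sha256(data).hexdigest(),
        "collected_by": collected_by,
        "collected_at": collected_at,
        "prev": log[-1]["entry_hash"] if log else GENESIS,
    }
    record["entry_hash"] = _record_hash(record)
    log.append(record)
    return record


def verify(log, artifacts):
    """Return a list of problems; an empty list means nothing has changed.

    artifacts -- {name: bytes} as currently held in evidence storage
    """
    problems = []
    prev = GENESIS
    for i, record in enumerate(log):
        if record["prev"] != prev or _record_hash(record) != record["entry_hash"]:
            problems.append(f"entry {i}: log record altered or reordered")
        data = artifacts.get(record["name"])
        if data is None:
            problems.append(f"entry {i}: artifact missing")
        elif hashlib.sha256(data).hexdigest() != record["sha256"]:
            problems.append(f"entry {i}: artifact content changed")
        prev = record["entry_hash"]
    return problems


if __name__ == "__main__":
    # Constructed evidence items for illustration only.
    store = {
        "phishing-email.eml": b"constructed sample email body",
        "wallet-access.log": b"constructed sample access log",
    }
    manifest = []
    add_entry(manifest, "phishing-email.eml", store["phishing-email.eml"],
              "analyst-1", "2025-06-11T09:00:00Z")
    add_entry(manifest, "wallet-access.log", store["wallet-access.log"],
              "analyst-2", "2025-06-11T09:20:00Z")
    print("head hash to note in the incident report:", manifest[-1]["entry_hash"])
    print("problems:", verify(manifest, store))
```

The chain only detects changes; recording the final `entry_hash` somewhere separate, such as the incident report, is what prevents the whole manifest from being silently rebuilt.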

4.2.2 Investigation

The IT security team should work to identify the source of the scam and assess the extent of the breach. This might involve tracing phishing emails, analyzing network traffic, and checking access logs. Use advanced forensic tools and techniques to gather as much information as possible.

Assess the impact by determining how the scam could affect the business, including potential financial loss, data exposure, and operational disruption. A thorough impact assessment helps shape the company’s response strategy. Work with other departments, such as finance and legal, to assess the impact accurately and build a full picture of what has happened. If the business is small, appoint an IT security person to fill the role on an ad hoc or ‘as needed’ basis, or utilize an external IT security resource. Quick reactions to incidents are important. ‘Dummy’ drills and other training simulations are effective educational tools to improve readiness for incidents. These can be organized by specialized third parties.

4.2.3 Documentation

Incident reporting: Create a detailed incident report documenting the findings of the investigation, including the nature of the scam, how it was detected, actions taken, and recommendations for preventing future incidents. Make sure the report is stored securely and accessible to relevant stakeholders. Include a timeline of events and detailed descriptions of all actions taken.

Documenting lessons learned: After resolving the incident, document any lessons learned and update training and reporting procedures. Continuous learning and adaptation are key to improving business defenses against future scams. Share these lessons with all employees to enhance their awareness and preparedness.

4.3 Report to law enforcement

4.3.1 Cooperate with information requests

Gather all relevant information and evidence about the scam, including the incident report, preserved evidence, and any communication with the scammers. Provide this to law enforcement when reporting the scam in line with the procedures set out below. Follow up to confirm receipt and address any further questions or requests for additional information.

For further information, see How-to guides: Understanding corporate criminal liability; and Mitigating the risk of criminal activity; and Checklist: Conducting an internal investigation into suspected criminal activity.

4.3.2 Reporting to law enforcement

Begin by reporting the scam and filing a complaint with the local police department and the cryptocurrency exchange you use. The exchange can assist law enforcement. Local police can provide immediate assistance and, if necessary, refer the case to specialized units or federal agencies; they may also have additional resources or advice on how best to proceed. If a scam involves immediate threats, theft, or fraud, individuals should report it to their local police department. This is especially relevant if there is a clear crime, such as unauthorized access to accounts or identity theft.

For more serious or widespread scams, report and file the complaint with the FBI’s Internet Crime Complaint Center (IC3) at https://www.ic3.gov. This specialized unit deals with cybercrimes and can offer more extensive resources for investigation.

For issues related to securities, investments, or violations of financial regulations, individuals should contact financial regulatory bodies, such as the SEC or the Commodity Futures Trading Commission (CFTC). Cryptocurrency scams can also be reported to the CFTC at https://www.cftc.gov/complaint and the SEC at sec.gov/tcr. The SEC also has a valuable overview of crypto assets and cyber enforcement actions. These agencies play a crucial role in maintaining the integrity of financial markets: they oversee compliance with laws and can act against fraudulent entities.

4.3.3 How to report cryptocurrency scams to the Federal Trade Commission (FTC)

Reporting cryptocurrency scams to the Federal Trade Commission (FTC) is a critical step in combating these threats. The FTC works to protect consumers from deceptive and fraudulent practices, including those involving scams. The agency investigates reports of cryptocurrency scams and takes legal action against fraudulent entities. It can impose sanctions on violators, such as fines, restitution, and injunctions; for an example, see the FTC Celsius settlement.

Follow these steps to report a cryptocurrency scam to the FTC:

  1. Gather information: compile all relevant information about the scam, including details of the scammer (eg, the name of the scammer or company), the type of scam (eg, investment or phishing), addresses, emails, the method of contact, communications with the scammer, and any financial transactions that occurred, together with their transaction details. Keep and preserve this information, as it will be considered evidence in any potential investigations or legal actions that may follow.
  2. Visit the FTC Complaint Assistant: go to the FTC’s Complaint Assistant webpage at https://reportfraud.ftc.gov – click on ‘Report Now’ to start the process.
  3. Select the type of scam: choose the most appropriate category for your situation (if you are not sure, an option is ‘something else,’ and the FTC will get you to the right place).
  4. Provide details: fill out the online form and provide as much detail as possible. Include any supporting documentation, such as emails, screenshots, or transaction records.
  5. Submit the report: after completing the form, submit your report. You will receive a confirmation email with a reference number for your complaint.

See also the FTC guide, What to Know About Cryptocurrency and Scams.

Section 5 – Outlook

Upon entering office, President Trump vowed to make the US a ‘superpower’ of digital currency and quickly signaled a pro-innovation stance toward the US crypto industry by signing an executive order aimed at fostering its growth with a lighter regulatory touch. This approach is intended to ensure the US remains a leader in global blockchain and crypto innovation. Simultaneously, the SEC announced a ‘Crypto 2.0’ task force, charged with developing clear guidelines for the burgeoning crypto sector. Despite these federal efforts to create a more permissive regulatory environment, crypto companies must still prioritize robust compliance measures and be prepared to navigate the intricate landscape of varying state-level regulations. 

What this will mean in terms of protection against cryptocurrency scams is not clear. While many celebrate the favorable environment for the new currency, others fear that a more ‘friendly’ stance towards issuers of cryptocurrency assets could lead to a weakening of the fundamental rules that have historically protected investors, and the ‘crypto’ industry will be allowed to expand with very little regulation or accountability. The next year should give some indications of where the industry will be headed.

Additional resources

Hibatou Allah Boulsane and Karim Afdel, Can Machine Learning Outperform Deep Learning in Financial Fraud Detection?: A Comprehensive Look at Improving Fraud Prevention Strategies
Małgorzata Kutera, Cryptocurrencies as a subject of financial fraud
Asha Sharma and Aditya Mishra, Fraud-proof accounting: the power of blockchain technology
