In a world where Elizabeth Holmes, Anna Delvey and the Tinder Swindler co-exist, it seems like scammers are waiting for unsuspecting victims around every corner. Sometimes, those victims are even sophisticated finance professionals.
Andrew, a 27-year-old certified financial planner, learned this lesson the hard way last month when he was conned out of $3,000 by someone impersonating an investment advisor on Instagram. According to cybersecurity experts, Andrew – who asked for his last name to be withheld to protect his job security – is far from alone.
More than 95,000 people lost a collective $770 million in scams or hacks initiated on social media platforms in 2021, according to the Federal Trade Commission. Such issues "will become part of our daily life," Theresa Payton, CEO of Fortalice Solutions and a former White House CIO, tells CNBC Make It. "We're going to have to put up with them, just as there used to be people trying to cash out fake checks."
Part of the reason social media scams and hacks are so frequent, Payton says, is because of who and how they target their victims online. She says several high-profile people, from Elon Musk to President Joe Biden, have been caught in similar types of schemes.
"Fraudsters and cybercriminals could actually teach a masterclass in human behavior," she said. "They find people who are legitimate, who have a following, who have a great background, then lure them in using social media engineering, so they can lure in other people, too."
Andrew's story, while harrowing, ends on a positive note: He was able to recover his $3,000. But it's proof that everyone's at risk these days – even financial professionals. Here's how Andrew got scammed, and the four major red flags he missed, according to Payton:
1. A pitch that's too good to be true
It all started when Andrew saw his friend post a video on Instagram. In the video, the friend said he'd received a large return on a $3,000 cash investment in less than 24 hours, from working with an investment advisor. The friend tagged the advisor in the post, and added screenshots purporting to show how his investment had quickly ballooned to $40,000.
Andrew felt suspicious, but intrigued: He and the friend shared an interest in the stock market and cryptocurrency. So he direct messaged the friend to learn more, and quickly received a personal endorsement of the strategy.
"The first red flag is his friend suddenly bragging about what they're doing and how much money they're making," Payton says. "If you're making money, who has time to brag about it? It's like when your friends get hacked and start posting, 'I lost this much weight in seven days.' If anything sounds too good to be true, even if it matches your friend's career background, it probably is."
She also recommends picking up the phone and calling that friend directly, in case someone else is controlling their account. Or, if you don't have their number, message them asking for a "unique or special" detail that an account hijacker couldn't look up: Who is my favorite NASCAR driver? What is my favorite college sports team?
"Sometimes those questions actually make fraudsters abandon the account," Payton says.
2. A consistent back-and-forth
Still, Andrew wasn't sold. He reached out to the advisor tagged in his friend's post, inquiring about the impossibly high return on investment. The advisor "inferred that there's some kind of derivative [crypto market] that most people aren't privy to," Andrew says.
Quickly, the two established a rapport. The more crypto-related jargon the advisor used, the more Andrew believed he was legitimate.
The speed of the advisor's response should have been another red flag, Payton says.
"If somebody is frequently responding to your DMs, it's less likely that it's really a person responding," she says. "It's more likely that it's from a script with canned responses."
3. An ultimatum
Andrew, following instructions, put $1,000 in a Zelle account and another roughly $2,000 in bitcoin in Cash App. He gave the accounts' information to the advisor, who sent Andrew a link to a site styled as a forex (foreign exchange) trading platform. Within five minutes, Andrew watched his $3,000 investment jump to more than $42,000 on the site's dashboard, numbers the site could display regardless of whether any trade had taken place.
Starting to feel uneasy, Andrew said he was ready to cash out. The advisor, who now controlled the accounts, agreed to release the funds — but only if Andrew recorded a video of himself endorsing the process.
Andrew says he initially resisted, because "it's against the CFP code of conduct to provide unsolicited financial advice while promising returns." But the advisor assured him the video would only be viewed by potential clients, and never published externally.
Payton says this is the third red flag: Andrew should have recognized the tactic from his own personal experience, "because that's how [Andrew] got hooked – a video posted by his friend."
4. Strange links
Andrew recorded a video with disclaimers, saying he wasn't endorsing the advisor's services, and sent it to the advisor. The advisor then sent Andrew a link to extract his profits, but instead of leading to the trading site, the link opened a page built to look like Instagram's login page. Andrew entered his username and password on it, handing them to the scammer, and was almost immediately locked out of his account.
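The page that caught Andrew is a classic credential-harvesting page: it looks like the real login form but lives on a host the scammer controls. The habit that defeats it is to check where a link actually goes before typing a password. The following is an added example, not code from the article or from Instagram, of how that check works: it extracts the host a browser would really connect to and compares it with an allow-list of the brand's genuine login hosts. The allow-list, the brand name and the sample links are assumptions constructed for this example; the host-handling rules it applies (userinfo before an `@` is ignored, a brand name at the start of a longer host is a subdomain of someone else's domain, non-ASCII lookalike characters become `xn--` labels) are standard URL behaviour.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

BRAND = "instagram"
# Hosts where the real login page lives. Assumption for this example;
# confirm against the platform's own documentation before relying on it.
TRUSTED_LOGIN_HOSTS = {"instagram.com", "www.instagram.com"}

_HAS_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")


def host_of(url: str) -> Optional[str]:
    """Return the host a browser would connect to for url, normalised to
    lowercase ASCII, or None if the link cannot be a web login page."""
    if not _HAS_SCHEME.match(url):
        url = "https://" + url          # links pasted into DMs often omit the scheme
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None                     # javascript:, data:, mailto: ... are never a login page
    # .hostname drops userinfo ("instagram.com@evil.example" -> "evil.example"),
    # drops the port and lowercases the result.
    host = parts.hostname
    if not host:
        return None
    try:
        # Unicode lookalike labels (e.g. a Cyrillic 'a') become xn--... labels,
        # so the comparison below sees what DNS would see.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    host = host.rstrip(".")
    if not re.fullmatch(r"[a-z0-9.-]+", host):
        return None
    return host


def classify_login_link(url: str) -> str:
    """Classify a link someone asks you to log in through:
    'trusted'   - host is one of the brand's real login hosts
    'lookalike' - host is not trusted but the link trades on the brand name
                  (brand as a subdomain, in userinfo, in the path, or a
                  punycode label imitating it)
    'unrelated' - an ordinary host with no claim to the brand
    'invalid'   - not an http(s) link at all"""
    host = host_of(url)
    if host is None:
        return "invalid"
    if host in TRUSTED_LOGIN_HOSTS:
        return "trusted"
    if "xn--" in host or BRAND in url.lower():
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links for illustration; none of these is a real scam URL.
    for link in [
        "https://www.instagram.com/accounts/login/",
        "https://instagram.com.evil.example/login",
        "https://instagram.com@evil.example/login",
        "https://inst\u0430gram.com/",            # Cyrillic 'a' in place of Latin 'a'
        "https://evil.example/withdraw",
        "javascript:alert(1)",
    ]:
        print(f"{classify_login_link(link):9s}  {host_of(link)!r:40s}  {link}")
```

Only "trusted" should ever receive a password, and even then the safer move the article's advice points to is not to follow the link at all but to open the app or type the address yourself. The "lookalike" bucket is the one that catches the trick used on Andrew: a host such as `instagram.com.evil.example` reads as Instagram to a hurried eye but is a subdomain of `evil.example`, and `instagram.com@evil.example` sends the browser to `evil.example` with `instagram.com` silently treated as a username.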
At this point, Andrew says, he realized he had been conned. He called the police to file an incident report, opened up his side hustle's Instagram account and started broadcasting warnings about his personal Instagram account and the account of the so-called advisor.
Weeks later, he still doesn't have access to his personal Instagram account — which, until recently, was reposting edited videos appearing to show Andrew endorsing the scammer. When contacted by CNBC Make It, a spokesperson for Facebook, Instagram's parent company, said they'd investigate further.
"We have sophisticated measures in place to stop bad actors in their tracks before they gain access to accounts, as well as measures to help people recover their accounts," the spokesperson said. "We know we can do more here, and we're working hard in both of these areas to stop bad actors before they cause harm, and to keep our community safe."
As for the money, Andrew called his bank — which immediately halted the $1,000 Zelle transaction, and directed him to file a separate claim through Visa and Cash App to recover the other $2,000. Ultimately, Andrew got the money back. But by this point, his credibility as a financial expert was at risk.
Together, he says, he and his boss alerted the CFP Board of Standards, which monitors the competency and ethical practices of all CFPs across several countries. Unsure of how his Instagram username and personal information could be linked to his company, he also asked his employer's IT department to monitor any suspicious activity.
Today, Andrew's career as a CFP remains intact. And as far as he knows, the scammer was unable to get into any of his other social media accounts or — more crucially — bank accounts.
Payton says that after the scam occurred, Andrew "did all the right things" to protect his personal information. For others hoping to avoid similar predicaments, here's her advice:
- Consider using different email accounts for your social media, financial and health care accounts. Use an encrypted service like ProtonMail for any account linked to highly sensitive or confidential information.
- Turn on multi-factor authentication for all of your accounts; an authenticator app or a hardware security key is harder to phish than a code sent by text message. If you get a notification of unusual activity on your account, don't click on any links. Instead, go directly to your profile and change your password manually.
- Authorize a friend or family member to have emergency access to your account. Some social media platforms allow you to assign a backup user on their "privacy and settings" page. Instagram doesn't yet, but the Facebook spokesperson told CNBC Make It that the feature is currently being tested.
- Report the account to the social media platform, file a police report and submit claims to FBI at IC3.gov and the Federal Trade Commission at ftc.gov.