Team Confiant

 •  4 minute read

Ad-Based Financial Investment Scams - Part I

We have all seen the recent stories on BBC, Guardian, CNN, Reuters, and other news outlets regarding the rise of ad-driven consumer investment scams in the UK, throughout Europe and around the world. Confiant has been tracking these types of scams for several years now. Over the past two quarters we have seen a significant increase in instances of financial investment scams victimizing people around the globe. Some areas that have been particularly hard-hit are the European Union (EU), Australia, Canada, South and Central America, South Africa, India, Malaysia, Taiwan, Hongkong, the United Arab Emirates (UAE), Saudi Arabia, and Russia. It has been particularly prevalent in areas with unstable economic conditions, where people switch to Cryptocurrencies as a protection against inflation.


The growing threat of financial scams often involves false front financial institutions that are legally registered in Cyprus (37%), a host of other countries considered “Offshore” by Eurostat (37%), Estonia and Malaysia (2% each), and licensed throughout the EU as investment brokers. Additionally, more than 17% of the remaining “Onshore” financial institutions identified as being involved in financial scams are either fake entities, unregistered payment intermediaries or unknown (5%). Threat actors have inserted themselves through the vector of advertising to scam your customers. These fake financial firms are capitalizing on the rise in popularity of cryptocurrencies, online trading and mobile investment apps. Confiant unmasked a financial cryptocurrency scam netting over $1 million per day from victims.

In our “Financial Crime: Ad Driven Investment Scams” document, Confiant tracked and identified threat actors who have utilized common fraudulent advertising tactics to lure their victims into disguised fraudulent investment scams. Here’s an example of some user outcomes.

Scams Have Morphed From Cryptocurrency To “False Front” INVESTMENTS

More recently, we have seen the threat actors go beyond crypto-scams to the creation of advertising for false front EU investment firms that appear legitimate. But their ads hijack the names of trusted brands like Netflix, Amazon or famous celebrities like Elon Musk, to lure investors into their scams that steal their personal information or draw them directly into a financial scam.

Consumers in the United Kingdom have been especially heavily targeted, though we have observed these financial scams throughout the EU and in many other countries. The scams are a significant financial threat to EU consumers as potential victims. TNW news reported that “Google Ads is infested with investment scams that earn it millions” as 90% of adverts it displays when searching for common investments are scams. In the October 14, 2021 article, “Welcome to Britain, the bank scam capital of the world”, Reuters reported that fraudsters had stolen £754 million ($1 billion) through financial scams from UK citizens, in the first six months of 2021 alone.

Financial Scam Kill-Chain

This is a graphic representation of the Confiant STIX v2.1 financial scam kill-chain example. Graphic generated using the CTI-STIX-VISUALIZATION tool from oasis-open, ref:

Sophisticated Fraudsters Design Elaborate Financial Scams

Most of the fraudulent investment firms operate at the end of an elaborate “kill-chain” responsible for a large amount of the current malvertising investment scams. According to victim’s complaints, the fraudulent investment firms are reportedly responsible for a wide variety of unsavory practices that are discussed in Confiant’s, “Financial Crime: Ad Driven Investment Scams” and associated briefing.  In it, we dubbed one leading financial scam threat actor HircusPircus. They are financially and technically savvy as well as ruthless. Their scam usually starts with ads offering investment opportunities in well-known, high-performing companies or cryptocurrencies. Their ploys include customized entry point ads, pre-landing pages, entry forms to gather user personal data, and scam investment portals and payment pages (sometimes third-party payment sites) that make it appear like the victims are making profits on the invested funds through their fraudulent portal.

Confiant’s ongoing threat intelligence work maps some of the tactics in the entire kill-chain of HircusPircus, as well as tracking several other active threat actors that Confiant has previously identified. Increasingly complex scams by the emboldened scammers have gone beyond Europe to other parts of the world as well.

But, the story doesn't end here. In our discussion of Financial Investment Scams Part II, we will explore the deeply deceptive world of financial scams, their global reach, some of the types of ads they use to hook consumers, and what financial fraud departments can do about it.

Interested in learning more? Speak with Confiant’s Threat Intelligence Team at: