Fraudsters Impersonate Anti-Fraud Association; Amateurish Response from CFCA

They say imposter fraud can happen to anyone, but presumably they were not thinking an imposter would pretend to be an anti-fraud association. To use the local vernacular, it appears that some scallies (rascals) from the North West of England are claiming to be the Crypto Fraud Control Association in the hopes of confusing a few followers of the Communications Fraud Control Association (CFCA). However, whilst cryptocurrency scams are legion, they appear to be the only crypto scammers that are neither active on social media nor can be found via a Google search. This begs a question about how these con artists reach their targets. Do they send emails? Or perhaps they go door-to-door?

CFCA Board Member Stephen Ornadel used his LinkedIn account to accuse the Crypto Fraud Control Association of hijacking the identity of his organization and several unnamed individuals.

I want to warn as many people as possible that there are fraudsters impersonating the Communications Fraud Control Association (CFCA) and various Board members.

The supposed need to urgently warn everybody is somewhat undermined by no mention of this fraud appearing on any of the CFCA’s official social media accounts. An ‘important notification’ was added to the CFCA’s website, but its usefulness will be undermined by the page being impossible to find from any other page on the CFCA website. Nothing was stated about imposters on the CFCA’s home page, news feed, blog, or any other place a normal person might turn to find information about the CFCA, suggesting this organization has a deficient understanding of how to advise people about fraud.

There is a serious point to be made here. It is ineffectual to warn people about a scam if you are unwilling to explain the methods used by the scammer. Conventional practice is to share details relating to the SMS messages, emails, web domain, or any other communications channels used by the fraudsters. It beggars belief that nobody in the CFCA has thought to make similar information public even though one board member wants ‘as many people as possible’ to be cautious. Should we be careful about clicking links in an email? How will the scammers try to take our money? None of this information is provided, although being forewarned is key to preventing victims from being caught off guard. And why is this information only being disseminated to the LinkedIn contacts of a single board member, instead of being actively promoted by all their board members and administrators?

My concern is that my contact details, like those of many people, will be known to the CFCA. If the scammers are using this information to find targets then we should all be informed of whether a data breach has occurred and what the CFCA is doing to rectify the situation and prevent it from happening again. If the scam does not rely on outreach to specific individuals then how exactly are the scammers using the official CFCA logo, as claimed in the CFCA’s warning? Where are we likely to encounter this scam? It seems improbable that scammers would use the logo of a little-known niche professional association if they were seeking to dupe members of the public at random.

I have bitten my tongue in the past, but I know from personal experience that the CFCA has a lousy attitude to data protection. Some years ago RAG had to call off a proposed joint event with the CFCA because their management team acted as if they were ignorant of what was required to comply with GDPR, and hence would have casually broken the law. They did not take their obligations seriously even when the law was explained to them in some detail. It was their belief that they could simply delegate away responsibility for the personal information they had chosen to collect. I now fear that their lackadaisical attitude to personal data may be one of the reasons for the CFCA being so opaque about this new alleged scam.

The more you think about this alleged fraud, the stranger it seems. Why would scammers give a specific address in the North-West of England if they are pretending to be an anti-fraud association that has negligible reach outside of the USA? Why use the word ‘crypto’ in your name if you are passing yourself off as a 35-year-old association that mostly deals with old-fashioned voice frauds? If you want to con the maximum number of people, why mimic an organization that has spent the last year running online webinars that rarely receive more than 20 views on YouTube? I cannot make any sense of this scam. The odd way in which it has been made public just adds to the mystery.

One year ago I criticized the CFCA for endorsing another scam association on social media. Some of the usual suspects crawled out of the woodwork and lambasted me for not being ‘nice’, which is code for demanding we all pretend that everything is fine even when individuals behave recklessly. This new scam should hopefully clarify why it is foolish for anyone to lend credibility to an organization when they have no knowledge of how it works or what it does.

I can anticipate another chorus of know-it-alls responding to this article in similar fashion. Do not bother contacting me if you are going to insist that I must investigate further before I am allowed to write an article like this. The onus is on the CFCA to effectively disseminate information that everyone needs to know in order to protect themselves, not on me to do their work for them. I am no more inclined to waste an hour trying to discover the information about this scam that the CFCA should have already made public than I am inclined to waste another hour explaining to the CFCA that being a US-headquartered entity does not exempt them from compliance with foreign laws on those rare occasions when they leave the USA. The people who complain that I am too quick to spread muck should take a deep breath and consider how much other muck I may have chosen to remain silent about.

Like many people, I was surprised that the CFCA came second-bottom in a poll that asked about respect for RAFM collaborations. I had reason to believe the CFCA were doing a poor job based on my own experience, but expected most people would still have a positive impression of an association that ploughs most of its resources into advertising itself, as demonstrated by its flashy new website. Perhaps this incident explains why their reputation is weak when viewed from outside the core group of US telcos that are the CFCA’s raison d’etre. This association claims to be preeminent in educating professionals about fraud, but their handling of this particular fraud has been amateurish. The CFCA’s inaction speaks louder than its words.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.