| How it starts | Text messages appearing to come from a legitimate crypto exchange, warning of account access attempts |
| What the scammer does | Creates urgency, gets victim to call a fake support line, then gains remote access to the account |
| How fast funds disappear | Accounts can be emptied in minutes once access is granted |
| Recovery rate | Very low - crypto transactions are irreversible; Action Fraud success rate is limited |
| Report to | Action Fraud (actionfraud.police.uk) and your bank if any fiat currency was also moved |
Last reviewed: 20 June 2026 | Sources: Action Fraud, FCA, gov.uk
What happened to Sam Little
Sam Little, a contestant on the fourth series of BBC's The Traitors who appeared as a Faithful, has spoken publicly about losing £40,000 to a sophisticated cryptocurrency phishing scam. The 35-year-old account manager from North Yorkshire said the funds represented years of savings set aside for his future, including plans to start a family with his wife.
The scam began with a series of text messages appearing to come from Little's cryptocurrency platform, warning that there had been repeated attempts to access his account. After receiving two or three messages over three days, he called a number that appeared to be the exchange's customer support line. The line was a fake created by the fraudsters.
Little described the moment his wife searched the phone number online and found it had already been linked to phishing scams as sickening. By that point, the account had been emptied in minutes. He told the BBC: "They didn't ask me for any passwords. I like to think I'm savvy, but it can catch anyone."
- UK crypto fraud reports to Action Fraud: tens of thousands annually
- Crypto transactions are irreversible - there is no bank chargeback mechanism
- FCA does not regulate most cryptocurrency exchanges used by UK consumers
- Fraudsters use SMS spoofing to make messages appear from legitimate numbers
- Fake customer support numbers are often indexed on search engines
- Police have said targeting is now a question of when, not if
How cryptocurrency phishing scams work
The scam described by Little follows a well-documented pattern. Fraudsters send text messages that appear to originate from a legitimate cryptocurrency exchange, using SMS spoofing technology that makes the sender ID display as the genuine platform name. The messages create urgency by claiming suspicious access attempts have been detected on the account.
When the victim calls the number provided - or finds what appears to be the exchange's support number via a search engine - they reach a call centre operated by the fraudsters. Agents then use a combination of technical jargon and social engineering to convince the victim to take steps that give the fraudsters control of the account. This may involve directing victims to a convincing replica of the exchange's website and asking them to log in while under observation.
Because cryptocurrency transactions are irreversible by design - unlike bank transfers, which can sometimes be reversed under the Contingent Reimbursement Model (CRM) code or Payment Services Regulations 2017 - victims have very limited options for recovery once funds are moved.
Why crypto fraud is hard to recover from
Unlike bank account fraud, where the Payment Systems Regulator's mandatory reimbursement scheme (effective October 2024) obliges banks to reimburse most victims of authorised push payment (APP) fraud up to £85,000, cryptocurrency losses sit outside this framework. Crypto assets are not covered by the Financial Services Compensation Scheme (FSCS). Most exchanges operating with UK customers are not FCA-authorised for investment activity, meaning FOS complaints routes are also limited.
If a victim transferred fiat currency (pounds) from a bank account to buy the cryptocurrency that was then stolen, that bank transfer may fall under APP fraud protections. Victims should contact their bank immediately and report the transfer as fraud, providing evidence of the scam. The outcome depends on the specific circumstances and the bank's assessment.
How to protect a cryptocurrency account
The FCA and Action Fraud both advise the following steps for anyone holding cryptocurrency: use only the official app or website address typed directly into a browser - never follow links from text messages or emails; enable two-factor authentication using an authenticator app rather than SMS; never call a number found in a text message or via a search engine - always retrieve customer support numbers from within the exchange's verified app; treat all unsolicited contact about account security as suspicious; and search any number before calling it to see if it has been flagged as fraudulent.
What to do if targeted
Anyone who suspects they have been targeted by a cryptocurrency scam should stop all contact with the suspected fraudsters immediately. Report the incident to Action Fraud at actionfraud.police.uk or by calling 0300 123 2040. Contact the bank immediately if any fiat currency transfers are linked to the account. Preserve all evidence including text messages, call logs and screenshots. Report the fraudulent number or website to the NCSC via report.ncsc.gov.uk.
How do cryptocurrency phishing scams start in the UK?
Most start with a spoofed text message appearing to come from a legitimate crypto exchange, warning of unauthorised account access. The fraudster then directs the victim to call a fake support line and uses social engineering to gain control of the account.
Can UK crypto fraud victims get their money back?
Recovery is very difficult. Crypto transactions are irreversible. If fiat currency was transferred from a bank account to buy the stolen crypto, an APP fraud claim may apply. Victims should contact their bank immediately and report to Action Fraud.
Is cryptocurrency covered by the FSCS in the UK?
No. The Financial Services Compensation Scheme does not cover cryptocurrency assets. Most UK crypto exchanges are not FCA-authorised for investment activity. This means victims have limited regulatory protection compared to losses from authorised bank fraud.
How do I report a cryptocurrency scam in the UK?
Report to Action Fraud at actionfraud.police.uk or by calling 0300 123 2040. Also report suspicious websites and phone numbers to the National Cyber Security Centre at report.ncsc.gov.uk. Contact your bank immediately if fiat currency was involved.
What is SMS spoofing and why does it make crypto scams convincing?
SMS spoofing allows fraudsters to make their text messages appear to come from a legitimate sender name or number, such as a crypto exchange. The message appears in the same thread as genuine messages from the platform, making it extremely convincing even to cautious recipients.
