Abstract: IOSCO warns of fake emails posing as officials to extract “release” fees. See how the scam works and what proves a message is not from IOSCO.

The warning
The International Organization of Securities Commissions (IOSCO) has raised the alarm over a new round of frauds in which criminals present themselves as commission staff and pressure investors to pay “processing” or “release” charges. The approaches include letters that directly ask for money and emails that claim to come from invented departments—one recent example cited a so-called “Financial Control Service of Investment Company of IOSCO”—and then request bank details or copies of personal documents. IOSCO stresses it does not charge fees to unlock funds, does not solicit payments, and communicates only from addresses ending in @iosco.org.

Background: what IOSCO actually is
IOSCO is the global association of securities regulators. It develops common standards for market integrity and investor protection and helps authorities cooperate across borders. It does not license brokers, hold client money, resolve individual disputes, or ask investors to pay for “certificates,” “clearances,” or “fund releases.”

Any message invoking IOSCO and demanding money or sensitive data should be treated as a red flag.

How the hook targets online traders
The pitch is tailored to people active in online markets, including forex and CFDs. Victims are told a final “compliance step” or “clearance” is required before their money can be released, or that a certificate must be issued urgently—if they pay first. Because the notes borrow IOSCO’s name and tone, and sometimes mimic official formatting, they can look convincing to retail traders who are used to KYC requests and platform notifications. IOSCO’s advisory is unequivocal: if the message asks for money or sensitive data, it isn’t from them.

Not just the header: domains and branding tricks
The brand-copying doesn’t stop at logos. IOSCO also cautions that web addresses—even financial-sounding endings like .forex, .markets, or .trading—do not prove a website or broker is authorised. For forex and CFD traders, that matters: a polished domain name and a familiar platform template can still sit behind an unregulated operation or a straight impersonation. The takeaway is simple: never infer legitimacy from a URL alone.

Why the scam keeps working
These messages exploit familiar habits: uploading documents, responding quickly to platform prompts, and ticking compliance boxes. By copying the cadence of genuine requests—“final verification,” “funds release,” “account unfreeze”—fraudsters nudge recipients into paying a fee or handing over banking details. The rule of thumb holds: real oversight bodies don’t ask you to pay to unlock money that is already yours, and they won’t email from look-alike domains.
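
The two tests in the advisory (sender domain must be exactly iosco.org, and no request for money or sensitive data) can be applied mechanically, as in this added example, which is not code from IOSCO or from the original article. The sample messages, the `.example` domains and the function names are constructed for illustration, and the phrase list reuses the wording quoted above; because a From header can be forged, the content test runs even when the domain matches.

```python
from email.utils import parseaddr

OFFICIAL_DOMAIN = "iosco.org"  # per the advisory: genuine mail ends in @iosco.org

# Pressure phrases quoted in the article (illustrative, not exhaustive).
LURES = ["processing fee", "processing charge", "release fee", "release charge",
         "funds release", "fund release", "final verification",
         "account unfreeze", "clearance", "bank details"]


def sender_domain(from_header):
    """Domain of the actual address in a From header, ignoring the display name."""
    _, addr = parseaddr(from_header)
    if addr.count("@") != 1:
        return None  # unparseable or malformed address
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def triage(from_header, body):
    """Return the red flags found in a message that invokes IOSCO."""
    flags = []
    domain = sender_domain(from_header)
    # Exact match only: 'iosco.org.example' and 'iosco-org.example' both fail.
    if domain != OFFICIAL_DOMAIN:
        flags.append(f"sender domain {domain!r} is not {OFFICIAL_DOMAIN}")
    text = body.lower()
    hits = [p for p in LURES if p in text]
    if hits:
        flags.append("asks for money or sensitive data: " + ", ".join(hits))
    return flags


if __name__ == "__main__":
    # Constructed samples: display-name trick, look-alike suffix, forged From.
    samples = [
        ('"desk@iosco.org" <pay@iosco-org.example>',
         "Pay the release fee to complete final verification."),
        ("IOSCO <release@iosco.org.example>",
         "A clearance certificate is required before account unfreeze."),
        ("IOSCO Desk <desk@iosco.org>",
         "Send your bank details to complete the funds release."),
    ]
    for sender, body in samples:
        print(sender, "->", triage(sender, body))
```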