In the previous installment of “Know Your Cryptocurrency Scams”, we discussed how to avoid Pump and Dump groups. This week, we want to discuss Phishing Scams.
What is a Phishing Scam?
The goal of a phishing scam is to spoof a real organization’s online identity (whether it’s through email, a URL or even a social media account) and trick users into thinking they’re talking to someone in authority when it’s really the scammer. Phishing scams are also very popular outside of the cryptocurrency world, where they have been used to try to steal users’ information from sites like Google, Microsoft, Adobe, Blizzard and hundreds of other organizations.
Once scammers successfully spoof an organization, they will ask users for their personal details, either by asking them to reset their password, divulge personal information or just click on a link. Today, the most popular form of phishing scam in cryptocurrency tries to impersonate popular wallets (such as My Ether Wallet) or a major ICO that has just launched (such as district0x or Bancor).
How Do Phishing Scams Work?
Scammers will pick a well-known social identity that has a lot of value tied to it. For example, MEW (My Ether Wallet) is a very popular choice for investing in both Ethereum and ERC-20 tokens. Many users use this service as a way to invest early in ICOs. Scammers will look at different parts of the service to create replica identities, pulling inspiration from:
- Company’s URL
- UI Design
- Email Signature
- Social Account Names
They will then attempt to register names/identities that look nearly identical to the target identity. The real URL for MEW is https://www.myetherwallet.com/, so a scammer might try to buy the URL https://www.myethervvallet.com/ (notice the two v’s) or https://www.myetherwallet.com.net/. They will then copy the UI from MEW and connect their own storage system to collect information.
Next, scammers will target popular open platforms for cryptocurrency users (like Slack channels, Reddit or Telegram) and pick authoritative names that match the target identity. A recent example is users signing up as ‘ether-security-team’ or ‘vitalik-buterin’ in public channels.
Scammers will then send a message to as many users as possible, informing them of some issues. Here’s the text of a recent scam I was sent:
To all Ethereum Holders:
Due to the increasing number of phishing attacks and holders requests from the ETH network, we decided to implement Two-factor Authentication on all ETH wallets.
Please visit Myetherwallet.com to upgrade your wallet to the new security level.
Please be aware that you will not be able to access your funds, tokens and wallet anymore if the new security protocol is not implemented.
We are taking this measures to protect both you and our network from phishing and malicious attacks.
Thank you for your cooperation and understanding,
The Ethereum DEV team.
Users, not knowing any better, will click on the link for myetherwallet.com and instead be taken to myethervvallet.com (notice the two v’s) to enter their private information. Because the message is spammed massively across many channels, users click on this link and hand over their private keys, passwords and other important information.
Once the information has been given, the scammers have direct access to users’ private keys and, therefore, their funds. The scammers will then use automated tools to move funds out of the victim’s address and into their own secure wallet. Once these transactions are done, they are irreversible and the funds are unlikely to be recovered.
How to Avoid Becoming a Victim of a Phishing Scam
There are a few steps you can take in order to limit your risk of falling for a phishing scam:
Use Your Own Bookmarks and Known Links to Travel to Secure Sites
If Coinbase really needs you to reset your password, they’ll announce it on their main site or through an announced email. Always be suspicious of links being sent over PM or email. If you must travel to one of your sites to confirm announcements, use a method you are familiar with, such as a bookmark or saved website link.
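The lookalike addresses described earlier (the doubled v’s, and the real name used as the front part of a different domain) can be checked mechanically against your own list of known sites. The following is an added example, not part of the original post; the allowlist, the table of confusable characters and the function names are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumption: your own list of sites you actually use (your "bookmarks").
KNOWN_GOOD = {"myetherwallet.com"}
# Constructed, non-exhaustive table of character runs that imitate another letter.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l")]

def host_of(url):
    """Return the lowercase host of a link, without a leading 'www.'."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    host = host.rstrip(".")
    return host[4:] if host.startswith("www.") else host

def skeleton(host):
    """Collapse confusable character runs so visually similar hosts compare equal."""
    for fake, real in CONFUSABLES:
        host = host.replace(fake, real)
    return host

def edit_distance(a, b):
    """Levenshtein distance, used to catch dropped or swapped letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url, known=KNOWN_GOOD):
    """Classify the link TARGET (not its display text) against the allowlist."""
    host = host_of(url)
    if host in known or any(host.endswith("." + k) for k in known):
        return "trusted"
    for good in known:
        if skeleton(host) == skeleton(good):
            return "lookalike: confusable characters for " + good
        if host.startswith(good + ".") or "." + good + "." in host:
            return "lookalike: " + good + " used as a prefix of another domain"
        if edit_distance(host, good) <= 2:
            return "lookalike: near-miss spelling of " + good
    return "unknown"

if __name__ == "__main__":
    for link in ("https://www.myetherwallet.com/",
                 "https://www.myethervvallet.com/",
                 "https://www.myetherwallet.com.net/"):
        print(link, "->", classify(link))
```

Run it on the address a link actually points to, since the scam message above displays the correct name while sending the click elsewhere.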
Confirm Through Multiple Sources
If there has been a critical bug found in software you use, it will be announced through the company’s blog, social media sites and even in the general media. Always confirm through multiple sources about any breach or critical bugs.
Only Communicate with Teams on their Official Channels
Projects are very open about when/where they will contact people, whether this is through email, Reddit or Slack. If you are being contacted outside of these normal channels, you can assume it’s a phishing scam and flat out ignore it.
If you are calm, tempered and willing to wait, these scams will have no power over you. As opposed to Pump and Dump schemes, which prey on your Fear of Missing Out (FOMO), Phishing attempts prey on your Fear of Security (FOS). These teams succeed when they make users fearful that something bad will happen to them if they don’t comply. However, if you are patient and wait for more details, you can almost always avoid these sorts of problems.