March 20, 2019
Since the advent of Bitcoin in 2008, the number of Blockchain wallet users has grown to 28 million worldwide. As with any new technology, rapid growth created new risks for cryptocurrency users and new opportunities for hackers. We’re tracking the rise of crypto phishing. Crypto phishing is the most common cryptocurrency scam costing users and investors millions each year. Attackers continue to develop new tactics to target not only vulnerabilities in the cryptocurrency services, but most often - unsuspecting crypto users.
Same scam, different victim: Smishing in cryptocurrency
One of the most common ways to steal data is smishing or SMS phishing, using fraudulent text messages to trick a user into revealing valuable personal information. Attackers will send a seemingly legitimate text message from your crypto wallet provider that requires you to perform an action, such as cancel a transaction or login to your account. Think twice before completing the request. Authentic financial institutions will never ask for identifying information via text.
If you don’t recognize the sender of a text, ignore and delete the message. Even if the sender appears legitimate, it’s most likely a scam trying to trick you. These texts try to convince you to take a fast decision by creating fear or anxiety. If you are in doubt and want to validate whether you need to take action, login to your crypto app account via the browser to confirm the request.
Data thieves take advantage of a tactic called URL padding to convince you to click on fake links. Scammers create a realistic looking URL, taking advantage of the limited URL space on mobile devices. If you open the link on your mobile device, a fake page will pop up on your screen, and you won’t even suspect that you’re one step away from giving up your crypto wallet account details.
If you receive an email from someone claiming to be your cryptocurrency provider and urging you to click on the link provided, check a couple of things before you take any action. The reason ‘phishers gonna phish’ for your details again and again, is that the payoff is worth it. First, they steal your credentials, and then your cryptocurrencies. The money can disappear in a flash, so beware of any suspicious emails. Here are a few tips to allow you to outsmart the scammers:
Check the domain name. Does the domain name in the link look legitimate or a bit odd? Cybercriminals tend to buy domain names that look very similar to valid ones, but have different endings such as ‘.biz’, ‘.to’, ‘.help’ or similar. Always confirm that the domain name in the message exactly matches the one you see when you open the site in a browser.
Don’t do what they ask you to do. Even if the email states something along the lines of “We have detected suspicious behavior, click here to cancel your transaction” - don’t click on it. If you click on that link, it will take you to the legitimate-looking fake website, and once you enter your details, criminals will have them. Instead, go to the crypto service provider’s website, login to your account and check your recent transactions. Another option is to call the company’s customer support line or reach out via social media channels.
Check for HTTPS & grammar mistakes. You shouldn’t stay on websites whose URLs don’t begin with HTTPS. If a URL starts with HTTP only, the site is not secure, and the connection can be intercepted. This is not a foolproof check. As attacks get more sophisticated, criminals now purchase SSL certificates to provide HTTPS for their fake web addresses making it more difficult for people to spot the scam. The best advice is to examine the URL quickly, but leave the site if you have any doubt.
Malicious ads or adware
If you search for any cryptocurrency information on Google, and find new crypto-related ads, be careful. You might click on a malicious link which can install adware on your device. If you see a promo that is too good to be true as a ‘become an instant millionaire’ type of apps and deals, do your research first. Learn about their business model, what problem they’re solving and who the people are behind the company.
In a recent example, scammers urged users to take part in a fraudulent 10,000 BTC giveaway via a hacked G Suite’s Twitter account. Although Google banned cryptocurrency ads in June 2018, in September 2018 it rolled back some restrictions and now allows several crypto service providers to advertise, potentially creating an opportunity for more sophisticated scams.
Phishing on social messaging channels
Crypto phishers go all-in to lure victims into giving up data. Before you join any Slack or Telegram cryptocurrency groups, verify their authenticity. Fake groups can appear trustworthy, but often try to give you fake cryptocurrency addresses to steal your coins. Just as you shouldn’t accept unknown coin addresses, you shouldn’t share your private key anywhere or with anyone.
If you are a part of an authentic crypto service provider’s confirmed Slack group or other social media channel, look out for scam messages posted by other members or Slack bots. Attackers can take over Slack bots to send scam messages in a trusted environment. If you’re an avid Twitter follower, be aware of scam messages from reliable accounts there as well.
Beware of fake wallets or phishing wallets
If you look for a new crypto wallet, don’t just pick the first attractive design you see on the Google Play Store. Crypto wallet clones and phishing wallets are set up to request private keys and wallet passwords on fake apps. Once you enter your data, you’re done. Fake wallets threaten not only your cryptocurrencies but also mobile banking credentials and credit card information. Take the time to research the best wallet to facilitate secure trading.
One of the most common cryptocurrency phishing tactics is ICO phishing. An ICO (Initial Coin Offering) allows cryptocurrency startups to raise money by issuing their own digital tokens in exchange for a virtual currency like Ethereum (ETH) or Bitcoin (BTC). By creating viral marketing campaigns, phishers persuade users to buy fake ICO. To avoid falling for such a scam educate yourself about:
- The people behind the ICO
- The problem they’re solving
- Their roadmap
- White paper legitimacy
- Marketing consistency and coherence
Don’t fall for an urgent message. Take your time to be sure. As ICOs are currently unregulated in the majority of the world, investors do not have any protection if an ICO turns out to be a scam and the perpetrators disappear with investors’ money.
It’s clear that no technology is safe from phishing scams. We built Fyde app to protect your crypto investments from the same threats that plague other online transactions. Fyde app’s security blocks malicious text messages, emails, ads, trackers, spy apps and mining sites so you can enjoy your life online. Download the app and let us know what you think!