Cryptocurrency Scams & Phishing Warning: How Do Phishing Scams Work?
Google search results are being manipulated and fake websites are looking more and more like the legitimate ones.
What is a Phishing Scam?
The goal of a phishing scam is to spoof a real organization’s online identity (whether it’s through email, a URL or even a social media account) and trick users into thinking they’re talking to someone in authority when it’s really the scammer. Phishing scams are very popular outside of the cryptocurrency world, where they have been used to try to steal users’ information from sites like Google, Microsoft, Adobe, Blizzard and hundreds of other organizations.
Once scammers successfully spoof an organization, they will ask users for their personal details, either by asking them to reset their password, divulge personal information or just click on a link. Today, the most popular form of phishing scam in cryptocurrency impersonates popular wallets (such as My Ether Wallet) or a major ICO that has just launched (such as district0x or Bancor).
As blockchain technology strides forward, it has not been spared from malicious, opportunistic entities looking to make a quick buck off investors. The cryptocurrency industry is particularly attractive: with users getting more active in online trading and storing their money in web exchanges, the potential incentives become worthwhile for predators. Initial coin offering (ICO) websites, trading platforms, exchanges, and online wallets are primary targets.
While there is a huge amount of money in the industry, security measures are also sophisticated, and its patrons are (somewhat) wiser. As such, stealing from tight defences requires equally sophisticated swindles—and this is exactly what scammers are on to.
A few months ago, followers of crypto-investment platform Enigma were duped out of 1,492 ETH (then amounting to close to $500,000) before the company launched its ICO, after scammers spread Slack messages urging investors to visit a decoy website. Several users have lost money to phishing websites: sites that look like legitimate websites but are actually fake. If you use your credentials to log in through these scam websites, the thieves collect your password and clean out your accounts.
A report by Chainalysis outlines how rampant and utterly worrying cybercrime is, particularly on the Ethereum blockchain: “10% of Ethereum holdings marked for ICO investment lies in the hands of criminals. Chainalysis estimates that there have been approximately 30,000 victims of cybercrime on Ethereum losing on average $7,500 each.”
Much like an evolutionary adaptation race where the predator hikes up its tolerance of its prey’s defences, scammers are stepping up their game to prey on users as well. Scammers can now fiddle with Google results to put their fake website on top of search results, so they can lure people who are looking to log in to their exchange wallets. To complete their scheme, the fake websites look more and more like the legitimate ones.
As a countermeasure, it is best to verify and type in the web addresses of legitimate exchange websites and bookmark them, instead of clicking on Google search results. To help the community out further, it is also important for users to report phishing websites to Google.
How Do Phishing Scams Work?
Scammers will pick a well-known social identity that has a lot of value tied to it. For example, MEW (My Ether Wallet) is a very popular choice for investing in both Ethereum and ERC-20 tokens. Many users use this service as a way to invest early in ICOs. Scammers will look at different parts of the service to create replica identities, pulling inspiration from:
- Company URL
- UI Design
- Email Signature
- Social Account Names
They then will attempt to register names/identities to look nearly identical to the target identity.
They will then copy the UI from MEW and connect their own storage system to collect information.
Next, scammers will target popular open platforms for cryptocurrency users (like Slack channels, Reddit or Telegram) and pick authoritative names that match the target identity. A recent example is users signing up as ‘ether-security-team’ or ‘vitalik-buterin’ in public channels.
Scammers will then send a message to as many users as possible, informing them of some issues. Here’s the text of a recent scam I was sent:
To all Ethereum Holders:
Due to the increasing number of phishing attacks and holders requests from the ETH network, we decided to implement Two-factor Authentication on all ETH wallets.
Please visit Myetherwallet.com to upgrade your wallet to the new security level.
Please be aware that you will not be able to access your funds, tokens and wallet anymore if the new security protocol is not implemented.
We are taking this measures to protect both you and our network from phishing and malicious attacks.
Thank you for your cooperation and understanding,
The Ethereum DEV team.
Users, not knowing any better, will click on the link for myetherwallet.com and instead be taken to myethervvallet.com (notice the two v’s) to enter their private information. Because this message is massively spammed across many channels, users click on this link and hand over their private keys, passwords and other important information.
Once the information has been given, the scammers have direct access to users’ private keys and, therefore, funds. The scammers will then use automated tools to extract funds from the victim’s address and into their own secure wallet. Once these transactions are done, they are irreversible and unlikely to be recovered.
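As an added illustration (not part of the original article), the check below flags links like the myethervvallet.com spoof by comparing a link's host against a user's own list of verified domains. The trusted list, the confusable-character table and the distance threshold are assumptions chosen for this example.

```python
from urllib.parse import urlsplit

# Assumption: the user's own list of bookmarked, verified domains (constructed here).
TRUSTED = {"myetherwallet.com", "coinbase.com"}
# Character sequences often swapped in to imitate another glyph, e.g. "vv" for "w".
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l")]


def skeleton(host):
    """Collapse look-alike sequences so spoofed and real names compare equal."""
    host = host.lower().replace("-", "")
    for fake, real in CONFUSABLES:
        host = host.replace(fake, real)
    return host


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url, max_distance=2):
    """Return (verdict, trusted_domain): 'trusted', 'lookalike' or 'unknown'."""
    if "://" not in url:
        url = "//" + url  # let urlsplit treat a bare host as a host, not a path
    host = (urlsplit(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    for good in sorted(TRUSTED):
        if host == good or host.endswith("." + good):
            return ("trusted", good)
    for good in sorted(TRUSTED):
        # Trusted name as the leading labels of another domain, or a near-identical spelling.
        if host.startswith(good + ".") or edit_distance(skeleton(host), skeleton(good)) <= max_distance:
            return ("lookalike", good)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample links, including the spoof quoted in the article.
    for link in ["https://www.myetherwallet.com/", "http://myethervvallet.com/upgrade",
                 "coinbase.com.account-verify.example", "https://example.org"]:
        print(link, "->", classify(link))
```

A "lookalike" verdict means the link resembles a trusted site without being one, which is the case where a saved bookmark should be used instead of the link.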
How to Avoid Becoming a Victim of a Phishing Scam
There are a few steps you can take in order to limit your risk of falling for a phishing scam:
Use Your Own Bookmarks and Known Links to Travel to Secure Sites
If Coinbase really needs you to reset your password, they’ll announce it on their main site or through an announced email. Always be suspicious of links being sent over PM or email. If you must travel to one of your sites to confirm announcements, use a method you are familiar with, such as a bookmark or saved website link.
Confirm Through Multiple Sources
If there has been a critical bug found in software you use, it will be announced through the company’s blog, social media sites and even in the general media. Always confirm through multiple sources about any breach or critical bugs.
Only Communicate with Teams on their Official Channels
Projects are very open about when/where they will contact people, whether this is through email, Reddit or Slack. If you are being contacted outside of one of these normal channels, you can assume it’s a phishing scam and flat out ignore it.
If you are calm, tempered and willing to wait, these scams will have no power over you. As opposed to Pump and Dump schemes, which prey on your Fear of Missing Out (FOMO), phishing attempts prey on your Fear of Security (FOS). These teams succeed when they make users fearful that something bad will happen to them if they don’t comply. However, if you are patient and wait for more details, you can almost always avoid these sorts of problems.