With 7.7 billion dollars' worth of cryptoassets stolen from users in 2021 alone, you might wonder what is happening here. Why is everyone losing money? Are crypto and Bitcoin all a scam?
You would not be the only one. But what if you were to dive into the details behind how these billions were lost? Then you may realize that there is a difference between genuine hacks and scams.
Hacks are where programmers discover a bug in the code of a blockchain protocol or application and exploit that bug to siphon cryptoassets or NFTs from others. Scams, on the other hand, are confidence schemes set up to gain the trust of others so that they may give up their funds or sensitive information in return for a gain.
These scams should not be underestimated – you have already seen the numbers. How do you make sure you do not end up as another victim of a scam? In this article, we want to dive into a particularly nasty subset of scams: phishing scams.
This scam occurs when an attacker pretends to be a trusted entity in order to make you perform an action that compromises your funds. This may look like you giving up your personal information or even just sending an attacker your money. You may have heard the term before. These scams are nothing new and have been around since before the Internet.
In the past, conmen would go around selling fake insurance policies or raising funds from investors for nonexistent enterprises. In our current digital world, these scams have adapted to new Internet mediums such as email and messaging applications. If you want to make sure you adapt as well, here is what you need to know in the world of crypto.
Getting Direct Messaged
There is a running joke on crypto Twitter that simply mentioning “metamask”, a well-known crypto wallet provider, in a tweet will get you instantly hit with multiple replies from bots claiming to be MetaMask support, offering to help you with your problem.
They are all bots run by phishers who will attempt to gain your confidence and have you reveal either your private key or seed phrase to them so that they can drain everything from your wallet.
It is extremely unlikely that you will be directly contacted by any platform first without initially setting up a support ticket or something of that sort. This goes for any well-known platform that has many crypto communities built on top of it. The biggest ones include Twitter, Discord and Reddit. All are filled with bots ready to hunt you down and pry your funds away from you.
Protecting Yourself: First, never ever give away your private key or seed phrase to anyone. Second, always verify who it is that you are talking to. For most of them, it is obvious from the username that the account is fake. For example, on Twitter, they may make their name appear as “MetaMask Support” but their Twitter handle may be @cryptochicken or something just as nonsensical. You could and should take the extra step to verify with other parties that you are talking to the right person as well.
Back when email was just getting started, phishing came along as its darker twin. If you were around then, you would have seen the popular Nigerian prince emails. For every one of those, there are countless other spam emails with clickbait subject lines to incentivize you to open the email and/or click links within the email. One click on any attachments and your computer could get infected by malware.
These phishers have gone beyond email now.
If you have not already seen this, there are plenty of people who call you or text you pretending to be a well-known bank. They send you a link that looks like the official website and ask you to verify some information. But this is just their attempt to get your login information. In crypto, instead of a bank, they may pose as Coinbase or some other well-known exchange. Their goal remains the same.
How advanced can this get? Scammers can get a number with your area code and update their caller ID to look like someone you would know. They can pretend to be from some type of service with the goal of directing you to their “billing department” to take down your credit card and identity information. They can pose as anyone from Netflix to a debt collection agency to even the IRS.
Protecting Yourself: The principle here is to not be in contact with anyone whose number you do not recognize. Phishers will pretend to be anyone, from the IRS to Coinbase. If you do not recognize the caller ID or the number, reject the call. Even if the name looks like a friend, do not pick up.
Of course, if you are expecting a call at that time, double check on the call that it is who you are expecting and they are not asking for any personal information. For all text messages from unrecognized numbers, ignore, block and delete.
Chat apps have a similar story. Phishers can approach you from anywhere. They can range from strangers direct messaging you on Instagram to your Tinder matches asking you to move your conversation to the likes of WhatsApp. Sometimes, phishers might even hack your friends’ accounts to try to get you into whatever scheme they have planned. While not every scammer may be the Tinder Swindler, there are many phishers who pretend to be attractive and wealthy individuals who want to help you.
Either way, anytime someone asks you to click on a link, be extremely wary of it. These links can look very convincing. They may have the word “coinbase”, “binance” or some other well-known crypto brand in the link. They may entice you with a great deal or opportunity. And once they think they have built up enough rapport with you, they ask you for help. That is how they try to lure you into sending them funds or giving up personal information.
Protecting Yourself: If the chat app you’re using has the feature to reject messages from unknown contacts, use it. If not, look for a different app that can block unknown contacts to proactively guard yourself from scammers and spammers. If you are intentionally talking to strangers (such as with dating apps), be on guard for any requests for money or to move off the dating platform to WhatsApp.
Lastly, you must be careful when using Google or any other search engine to find a website you usually go to. There are plenty of phishers who create fake websites that look very similar to the sites they imitate. Sometimes these can be easily detected since they have misspellings or do not have the right top-level domain (.net vs .com).
However, because these phishers also buy ads on Google, their fake websites are often on the first page of a Google search, and unless users inspect the URL, they may blindly click on what seems to be a legitimate title.
Other times, phishers gain victims by utilizing other alphabets, such as the Cyrillic alphabet, to replace certain letters. These can be extremely difficult to discern unless you are looking for them.
Protecting Yourself: Bookmark your financial sites so that you never accidentally click through to a fake website and enter your user information.
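The link tricks described above (a brand name placed inside an unrelated link, a misspelling, the wrong top-level domain, Cyrillic letters standing in for Latin ones) can be checked mechanically before you click. The following Python code is an added example, not part of the original article; the allowlist, the look-alike table and the function names are assumptions made for illustration, and it treats the last two labels of a host as the registered domain.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist (assumption): the sites you have bookmarked.
TRUSTED = {"coinbase.com", "binance.com", "metamask.io"}
# Small constructed sample of Cyrillic letters that render like Latin ones.
LOOKALIKES = str.maketrans("\u0430\u0435\u043e\u0440\u0441\u0445\u0443\u0456", "aeopcxyi")

def edit_distance(a, b):
    """Levenshtein distance, used to catch small misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(url):
    """Return warnings for url; an empty list means no heuristic fired."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return ["no hostname found"]
    try:
        host = host.encode("ascii").decode("idna")  # xn-- punycode -> Unicode
    except UnicodeError:
        pass  # host already contains non-ASCII letters
    if ".".join(host.split(".")[-2:]) in TRUSTED:  # simplification: no public-suffix list
        return []
    warnings = []
    scripts = {unicodedata.name(c, "UNKNOWN").split()[0] for c in host if c.isalpha()}
    if scripts - {"LATIN"}:
        warnings.append("non-Latin letters: " + ", ".join(sorted(scripts - {"LATIN"})))
    folded = host.translate(LOOKALIKES)  # replace look-alike letters with Latin ones
    parts = folded.split(".")
    name = parts[-2] if len(parts) > 1 else parts[0]
    for good in sorted(TRUSTED):
        brand, tld = good.split(".")
        if name == brand and parts[-1] == tld:
            warnings.append(f"look-alike letters imitate {good}")
        elif name == brand:
            warnings.append(f"{brand} under the wrong top-level domain")
        elif edit_distance(name, brand) <= 2:
            warnings.append(f"possible misspelling of {good}")
        elif brand in folded:
            warnings.append(f"{brand} appears inside an untrusted host")
    return warnings
```

An empty result only means none of these checks fired; it is not proof that a site is genuine, so the bookmark advice still applies.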