Crypto phishing attacks are evolving into one of the most profitable methods for cybercriminals to steal cryptocurrency (digital assets). These attacks are developing to the point where even cautious users could fall for them. Because we crypto community members don’t rely on anyone else when moving funds, being extra cautious is of great importance. While it is hard to summarize all of the types of attacks, we will list the most frequently used techniques and how you can protect your funds in a proactive way.
Phishing is a fraudulent practice where a malicious entity (“hacker”) uses social engineering to masquerade as a reputable source in an attempt to dupe the user into revealing his/her private information, e.g. login credentials, passwords and credit card numbers. Phishing today is considered to be one of the most commonly used cyberattacks, posing an especially great threat in the cryptocurrency world. In the next few paragraphs, we will expose the most common crypto phishing attacks – which are similar to other phishing attempts, yet distinct in that they are meant solely to steal your information in order to obtain cryptocurrencies.
Phishing is the most used cyberattack
Most often, phishing attacks range from fake emails, seemingly sent from a trusted sender, to downloadable malware to scam websites. This is why staying informed, preparing for the worst and always using a verified, preconfigured step-by-step workflow is crucial. To give you a better idea of what phishing is, we’ll give an example of what a specific attack looks like.
The most common cyberattack is deceptive phishing, also known as fake emails.
In this scenario, the recipient gets an email trying to persuade him/her to make a mistake: to click the link in the email in order to (supposedly) verify account details, reset credentials, verify a transaction, or for a fake giveaway, etc. This sort of email might look as if it came from a known company or a trusted source, e.g. Tokens.net domain (no fear; we have not yet come across such an email!), but do not be fooled. No serious crypto company would ask you to do anything like this. You can determine where the email is from yourself simply by looking at the sender address.
If we at Tokens.net ever send you an email:
a.) It will not be a random email with a request for you to click a link; it will be an email from the Tokens.net platform, a support center answer to your question, or a newsletter.
b.) We will never request your private key (or other confidential information).
If we come across any information regarding phishing attempts using our domain as a sender, we will do our best to notify you as soon as possible. But keep in mind that we are not a bank, so please be careful.
Another popular and even more successful scamming alternative is pharming. This is when a fraudulent website appears to be legitimate and it isn’t as easy to notice it’s a scam website. In this scenario, a victim is presented with a recreated or cloned known webpage so that it looks like the original. In some examples, victims do not even have to click a malicious link in order to be taken to the bogus site. Attackers can infect either the user’s computer or the website’s DNS server and redirect the user to a fake site even if the correct URL is typed in. Malicious websites are most of the time very realistic-looking fake websites, and their main intention is to obtain the user’s credentials.
Always double-check the page and URL you are visiting
Sometimes you won’t receive an email; the website will be the first hit on Google search, even an ad. This type of hacker steals your information and then steals your money.
Sometimes attackers fool even the Google Play Store, where users can download a wallet app that is malicious. In November 2018, there were at least 4 of these. A recent example in 2019 is the malicious fake Trezor app; the app was nothing like the original SatoshiLabs graphics, yet many people fell for it.
The first application is fake and the second is the real one.
A combination of the previously mentioned methods and some extra skillfulness can produce downloadable malware, an application coming from a link on a scam website, a link in a fake email, or as an attachment in an email. This ransomware will not steal your credentials, but will lock your computer and you may even get extorted. This sort of phishing was common a year or two ago, where victims received an email with an .exe file that encrypted computer files and the attacker then demanded bitcoins in order to present the victim with a key to unlock his/her data.
Another cyberattack also considered phishing is cryptojacking. This form of attack is more often intended for businesses, but it is not to be disregarded, so take the necessary precautions. Cryptojacking is illicit crypto mining using a computing device to mine cryptocurrency without the knowledge of the device’s owner. Warning signs for this include slowdown of your device, heat generation and shorter battery life. Monero became famous for cryptojacking due to its ability to mine on lower-tier hardware.
Another cyberattack that recently became known is the Electrum wallet attack, where Mac Electrum wallet users lost 2.3M in stolen coins.
Don’t trust, verify!
There are numerous ways for phishing attacks to happen, and we cannot list them all, so the best advice we can give you is the well-known crypto motto: Don’t trust, verify! There is no single cybersecurity technology that can 100% protect you from phishing attacks, but following basic security measures will help you avoid them successfully. Our team of security experts advises you to always use best practices to protect yourself! Even if it sounds boring, you and only you are responsible for your security.
In order to feel as safe as you can, securing your funds doesn’t just mean buying yourself a hardware wallet. If you have more than a month’s worth of salary in crypto, buy one and you will be able to access websites with greater ease. But even cold storage cannot protect you if you enter your private key on a phishing website. You will have all your funds taken. Remember the previously mentioned example of Trezor (the dev team assures that Trezor was not compromised). Even some big exchanges have faced phishing and consequently been hacked.
How to secure your funds
Securing your funds means you must go through all the verified steps each and every time. Follow the instructions, which should serve as a basic guideline for the due diligence process, and your probability of being a phishing victim gets smaller. Nonetheless, we are an exchange service providing support; we are not a bank and we need you to understand that we cannot act like one. Secure your funds at all times. If our website is compromised or you accidentally visit a different website, your funds will be stolen. Please consider the actions listed below to protect yourself from phishers and from loss.
- At the very beginning, make sure you have entered the real website; your first access should be from a trusted source.
- Install software or browser extensions that detect phishing domains. Install EAL, MetaMask, Cryptonite by Metacert or the MyEtherWallet Chrome Extension to block malicious websites (although lately this is no longer enough to protect yourself; browser extensions have also become part of hackers’ strategies to carry out malicious attacks).
- Bookmark your verified access point for later reference and always enter from this exact bookmark.
- Enable Two-Factor Authentication because this is harder for a hacker to obtain. Our website prompts you to do so straightaway. If you don’t set it up, you cannot deposit, withdraw or use any other function of our service.
- An optional step for phishing prevention on our platform is setting up an Anti-Phishing message. You can set a message (3-40 characters long) that will be included in emails sent from Tokens.net regarding your account. Be careful, as our newsletters do not include the message. Therefore, if you do not see this message, the email was not sent from Tokens.net!
- Be diligent in keeping your private key and password safe. Your private key is sometimes called your mnemonic phrase, keystore file, UTC file, JSON file, wallet file, etc. Do not store your private key in Dropbox, Google Drive, or other cloud storage sites. If that account is compromised, your funds will be stolen. DO NOT share your private keys.
- Buy a hardware wallet. No excuses. It's worth it. We promise.
- Fishy-smelling emails are easily verified with the support team of the supposed sender. There’s no shame in asking. Verifying is a thing in crypto.
When you are not sure if a website that is asking for your credentials is legit, you should follow these common sense steps:
- Never click on any unidentified links! Do not trust messages or links sent to you randomly via email, Slack, Reddit, Twitter, etc.
- Inspect the website and email addresses. Hover over a link without clicking on it!
- Always check what website you are visiting and that the URL is correct:
  - Check that the website is not a homograph. IDN homograph attacks look like the correct URL but are fake.
  - Check the business’s web domain ending. Hackers will usually change one letter or the ending, such as from .com to .org. Normally you wouldn’t pay attention to this, and this is how they can exploit you.
  - Check for Google typos. Paste the domain into the Google search bar, and if Google shows you a typo notification then it is the wrong domain name.
  - Does the site use https? Check the SSL Certificate validation (this step is less recommended as lately malicious sites do have https encryption, presenting a problem for users as SSL encryption has traditionally been one way to determine whether a website is trustworthy or not).
  - Make sure the URL bar looks something like this:
- If it is too good to be true, it probably is.
- Ask questions when you don't understand something or when something doesn't seem right.
- Don't let fear, FUD, or FOMO win over common sense.
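The URL checks from the list above (IDN homograph, changed domain ending, one changed letter, https) can be run automatically before a link is opened. The following is an added example, not code from Tokens.net; the `TRUSTED` set, the function names and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the domains you have bookmarked as verified access points.
TRUSTED = {"tokens.net"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot one-letter lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url, trusted=TRUSTED):
    """Classify the host of a URL against the bookmarked domains."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "no-host"
    labels = host.split(".")
    # IDN homograph: any non-ASCII or punycode (xn--) label needs a manual look.
    if any(not label.isascii() or label.startswith("xn--") for label in labels):
        return "idn-homograph-risk"
    # Simplification (assumption): the last two labels are the registered
    # domain. A full check would consult the Public Suffix List.
    domain = ".".join(labels[-2:])
    if domain in trusted:
        return "trusted" if parts.scheme == "https" else "trusted-domain-no-https"
    for good in trusted:
        name, _, ending = good.partition(".")
        # Same name, different ending (for example .net swapped for .org).
        if labels[-2:-1] == [name] and labels[-1] != ending:
            return "different-ending"
        # One changed, added or dropped character.
        if edit_distance(domain, good) <= 1:
            return "typo-lookalike"
    return "unknown"

if __name__ == "__main__":
    # Constructed sample URLs; \u043e is the Cyrillic letter that looks like "o".
    samples = ["https://www.tokens.net/login", "http://tokens.net/",
               "https://t\u043ekens.net/login", "https://tokens.org/",
               "https://tokems.net/", "https://tokens.net.evil.example/"]
    for u in samples:
        print(f"{check_url(u):24} {u!r}")
```

A result of `unknown` only means the host matched none of these patterns, so it still has to be verified by hand; the last sample shows that a trusted name used as a subdomain prefix of another domain is not treated as trusted.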
The most recommended way to keep calm and trade on is that you stay vigilant and follow routine steps that you set up from the start.
As cryptocurrency prices rise, so do the phishing culprits. Stay vigilant and do your due diligence.