How to Recognise Phishing Attempts (Real Life Examples)
Learn how to spot phishing scams in crypto and beyond. See real-life examples of email, SMS, and social-media phishing, plus tips to stay safe.
Nic Tse
Phishing Scams in Web3 and Crypto
Recent assessments indicate phishing remains a global threat, with organised groups using ever-cheaper tools to scale their schemes. Reports from law-enforcement and industry note increasing volumes of phishing campaigns and greater sophistication, including the use of AI.
Here, we outline how phishing commonly targets cryptocurrency users, and how to protect yourself.
What Is Phishing?
Phishing is a social-engineering technique where scammers persuade people to disclose sensitive information or take risky actions. Targets may be asked for personally identifiable information (PII), credentials, banking details, or wallet recovery phrases. The goal is often to access accounts and, ultimately, funds.
Unlike technical intrusions, phishing relies on deception and urgency rather than directly breaking into devices. Attackers impersonate trusted organisations (banks, employers, telecoms, exchanges) via convincing emails, SMS, instant messages, social-media profiles, or phone calls. Links in these messages can lead to look-alike sites designed to collect credentials.
Phishing can be targeted (e.g., at a company’s staff or a service’s user base after a data breach) or opportunistic (e.g., wide campaigns to blocks of phone numbers or scraped email lists). Campaigns may support short-term aims like installing ransomware or draining accounts, or long-term aims like persistent access to corporate systems for surveillance or extortion.
Types of Phishing
Phishing spans multiple channels. The main ones you’ll encounter are:
- Email
- SMS (often called ‘smishing’)
- Social media & instant messaging
- Phone calls/voice calls (often called ‘vishing’)
Authoritative bodies define smishing and vishing as text- and voice-based social-engineering methods used to obtain sensitive data or money.
1. Emails: ‘Click This Link to Avoid…’
Attackers send emails that closely resemble genuine notices, often with a call to action: ‘verify your account’, ‘pay an overdue invoice’, or ‘reactivate access’. The branding, tone, and formatting may mirror the real organisation to lower your guard.
Take a Close Look at the Sender
Scammers may pad the sender address (e.g., contact@crypto.com.fakedomainname.com) or hide malicious URLs behind legitimate-looking anchor text.
Some go further with homograph tricks, using look-alike characters from different alphabets to mimic well-known domains (e.g., Cyrillic letters that resemble Latin ones). This makes the address appear correct at a glance.
Tip: Hover (don’t click) to preview links. Check for misspellings, unusual subdomains, or characters that don’t look right.
2. SMS Messages Are Easy to Imitate
Smishing requires less visual polish, so messages may be basic but urgent. Typical hooks play on FUD (fear, uncertainty, doubt), such as ‘unauthorised card transactions’, ‘act now’, or ‘last chance for a special offer’.
In both cases, the link leads to a credential-harvesting page. Authoritative guidance warns that such messages are common tactics used to obtain sensitive data quickly.
3. Phishing on Social Media
On social platforms or in direct messages (DM), attackers may pose as customer support or staff members, urging you to ‘verify details’ or ‘claim a reward’. Often the goal is to get you to click a shortened or redirecting link.
Be wary of usernames that mimic official handles (e.g., underscores, extra punctuation, or spacing). When in doubt, navigate to the brand’s verified page yourself and contact support through official channels.
4. Watch Out for Unexpected Phone Calls
Vishing uses voice calls (sometimes robocalls) to pressure you into sharing details or making payments.
Caller ID can be spoofed, so a display name alone is not proof of legitimacy. Voice phishing may direct victims to call back a specific number or to ‘verify’ information immediately.
When in doubt, hang up and call the organisation back using a publicly listed number.
Also remember: legitimate agencies and banks do not demand payment via gift cards. That is a well-known scam red flag.
Recognising Phishing and Protecting Yourself
The first safeguard is a healthy scepticism toward unexpected messages that urge quick action. Use this checklist:
- Check the sender’s address or handle carefully. Is the domain correct, or padded (e.g., @crypto.com.somethingelse.com)?
- Use anti-phishing codes where available. If enabled, your personal code appears in official emails; absence or mismatch is a warning sign. (Crypto.com provides anti-phishing codes across App, Exchange, and NFT marketplace.)
- Hover to inspect links before clicking. Does the URL resolve to the true domain?
- Look for spelling or grammar errors. Not definitive, but common.
- Note how you were contacted. Genuine teams rarely cold-DM users; initiate contact via verified accounts if you need support.
- Beware of ‘too good to be true’ offers and pressure tactics to act immediately.
- When unsure, stop. Contact the organisation via official channels only: type the URL yourself or use in-app support.
Phishing Attempts Targeting Crypto Users: Seven Practical Examples
Below are hypothetical scenarios illustrating common red flags.
1. Companies Rarely Initiate DMs
A phisher reaches out first, posing as support. Most reputable teams don’t DM you unsolicited.
Two limited exceptions: contest fulfilment and permission for user-generated content.
Even then, verify the handle and context. Avoid shortened or unfamiliar links.
2. No ‘Get-Rich-Quick’ Offers From Legitimate Teams
Impersonation accounts may offer ‘exclusive investments’ or ‘guaranteed returns’. Treat these as high-risk signals and avoid engaging.
When in doubt, report the account on-platform.
3. You Should Not Be Auto-Added to ‘Official’ Channels
Scammers clone community groups (commonly on Telegram) and add users en masse, then request logins or seed phrases.
Real teams publish official links and expect you to join them, not the other way around.
4. Only Use Official Websites
Copycat sites may use similar colours or logos and ask for seed phrases or private keys, which should never be shared.
Watch for basic site structures, missing or low-quality branding, and pushy calls to action. Some campaigns even place look-alike ads to rank above genuine results; this tactic has been observed in the wild.
5. Verify Social Media Accounts
Phishers can create convincing profiles of well-known projects (e.g., NFT collections) and promote fake airdrops.
Look for verification badges, cross-check with the project’s official website, and treat unsolicited follow-backs with caution.
Can you identify the phishing account from the below two images?
6. Check URLs Carefully
Look for typos, extra characters, or look-alike letters (homographs) in URLs and ad results. For example, a single character from another alphabet can make a malicious domain appear legitimate at first glance.
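The padded-sender check from the email section and the look-alike check described here can be automated. The Python sketch below is an added example, not Crypto.com code; the function names and the small CONFUSABLES table are constructed for illustration, and a production check would use the full Unicode confusables data and the Public Suffix List.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed, deliberately small table of Cyrillic letters that resemble
# Latin ones (assumption: real tooling would load the Unicode confusables data).
CONFUSABLES = {"\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
               "\u0440": "p", "\u0443": "y", "\u0445": "x"}

def host_of(value):
    """Return the lowercase host from a URL or an e-mail address."""
    if "://" in value:
        return (urlsplit(value).hostname or "").lower()
    return value.rsplit("@", 1)[-1].strip(" <>").lower()

def to_unicode(host):
    """Decode punycode (xn--) labels so look-alike characters become visible."""
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed label: keep the raw text
        labels.append(label)
    return ".".join(labels)

def scripts(text):
    """Scripts of the letters in text, read from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}

def check(value, trusted):
    """Classify a sender address or link against the domain you expect."""
    host = to_unicode(host_of(value))
    if host == trusted or host.endswith("." + trusted):
        return "ok"
    if host.startswith(trusted + ".") or ("." + trusted + ".") in host:
        return "padded"      # trusted name used as a subdomain of another domain
    skeleton = "".join(CONFUSABLES.get(ch, ch) for ch in host)
    if skeleton == trusted or skeleton.endswith("." + trusted):
        return "homograph"   # look-alike characters from another alphabet
    if scripts(host) - {"LATIN"}:
        return "non-latin"   # no known look-alike, but worth a second look
    return "other"
```

A result of "ok" only means the host matches the domain you supplied; it says nothing about the content of the message itself.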
7. Be Cautious With Third-Party Promo Codes
Search results for ‘promo codes’ are frequently abused. Stick to official websites and verified channels only.
Closing Word on How to Protect Yourself From Phishers
Phishing evolves constantly, but most campaigns still rely on the same fundamentals: urgency, impersonation, and convincing-looking links.
Stay alert to subtle inconsistencies, verify through official channels, and enable features like anti-phishing codes where offered. If something feels off, pause — then validate independently and thoroughly.
Due Diligence and Do Your Own Research
All examples in this article are for informational purposes only. You should not construe any such information or other material as legal, tax, investment, financial, cyber-security, or other advice. Nothing contained herein shall constitute a solicitation, recommendation, endorsement, or offer by Crypto.com to invest, buy, or sell any coins, tokens, or other crypto assets. Returns on the buying and selling of crypto assets may be subject to tax, including capital gains tax, in your jurisdiction. Any descriptions of Crypto.com products or features are merely for illustrative purposes and do not constitute an endorsement, invitation, or solicitation.
Past performance is not a guarantee or predictor of future performance. The value of crypto assets can increase or decrease, and you could lose all or a substantial amount of your purchase price. When assessing a crypto asset, it’s essential for you to do your research and due diligence to make the best possible judgement, as any purchases shall be your sole responsibility.