Learn how to spot phishing scams in crypto and beyond. See real-life examples of email, SMS, and social-media phishing, plus tips to stay safe.


Recent assessments indicate phishing remains a global threat, with organised groups using ever-cheaper tools to scale their schemes. Reports from law-enforcement and industry note increasing volumes of phishing campaigns and greater sophistication, including the use of AI.
Here, we outline how phishing commonly targets cryptocurrency users, and how to protect yourself.
Phishing is a social-engineering technique where scammers persuade people to disclose sensitive information or take risky actions. Targets may be asked for personally identifiable information (PII), credentials, banking details, or wallet recovery phrases. The goal is often to access accounts and, ultimately, funds.
Unlike technical intrusions, phishing relies on deception and urgency rather than directly breaking into devices. Attackers impersonate trusted organisations (banks, employers, telecoms, exchanges) via convincing emails, SMS, instant messages, social-media profiles, or phone calls. Links in these messages can lead to look-alike sites designed to collect credentials.
Phishing can be targeted (e.g., at a company’s staff or a service’s user base after a data breach) or opportunistic (e.g., wide campaigns to blocks of phone numbers or scraped email lists). Campaigns may support short-term aims like installing ransomware or draining accounts, or long-term aims like persistent access to corporate systems for surveillance or extortion.
Phishing spans multiple channels. The main ones you’ll encounter are email, SMS (smishing), social-media posts and direct messages, and voice calls (vishing).
Authoritative bodies define smishing and vishing as text- and voice-based social-engineering methods used to obtain sensitive data or money.
Attackers send emails that closely resemble genuine notices, often with a call to action: ‘verify your account’, ‘pay an overdue invoice’, or ‘reactivate access’. The branding, tone, and formatting may mirror the real organisation to lower your guard.
Scammers may pad the sender address (e.g., [email protected]) or hide malicious URLs behind legitimate-looking anchor text.
Some go further with homograph tricks, using look-alike characters from different alphabets to mimic well-known domains (e.g., Cyrillic letters that resemble Latin ones). This makes the address appear correct at a glance.
Tip: Hover (don’t click) to preview links. Check for misspellings, unusual subdomains, or characters that don’t look right.
Smishing requires less visual polish, so messages may be basic but urgent. Typical hooks play on FUD (fear, uncertainty, doubt): ‘unauthorised card transactions’, ‘act now’, or ‘last chance for a special offer’.
In both cases, the link leads to a credential-harvesting page. Authoritative guidance warns that such messages are common tactics used to obtain sensitive data quickly.
On social platforms or in direct messages (DM), attackers may pose as customer support or staff members, urging you to ‘verify details’ or ‘claim a reward’. Often the goal is to get you to click a shortened or redirecting link.
Be wary of usernames that mimic official handles (e.g., underscores, extra punctuation, or spacing). When in doubt, navigate to the brand’s verified page yourself and contact support through official channels.
Vishing uses voice calls (sometimes robocalls) to pressure you into sharing details or making payments.
Caller ID can be spoofed, so a display name alone is not proof of legitimacy. Voice phishing may direct victims to call back a specific number or to ‘verify’ information immediately.
When in doubt, hang up and call the organisation back using a publicly listed number.
Also remember: legitimate agencies and banks do not demand payment via gift cards. That is a well-known scam red flag.
The first safeguard is a healthy scepticism toward unexpected messages that urge quick action. Use this checklist:
Below are hypothetical scenarios illustrating common red flags.
A phisher reaches out first, posing as support. Most reputable teams don’t DM you unsolicited.
There are two limited exceptions: contest fulfilment and requests for permission to use your user-generated content.
Even then, verify the handle and context. Avoid shortened or unfamiliar links.
Impersonation accounts may offer ‘exclusive investments’ or ‘guaranteed returns’. Treat these as high-risk signals and avoid engaging.
When in doubt, report the account on-platform.
Scammers clone community groups (commonly on Telegram) and add users en masse, then request logins or seed phrases.
Real teams publish official links and expect you to join them, not the other way around.
Copycat sites may use similar colours or logos and ask for seed phrases or private keys, which should never be shared.
Watch for basic site structures, missing or low-quality branding, and pushy calls to action. Some campaigns even place look-alike ads to rank above genuine results; this tactic has been observed in the wild.
Phishers can create convincing profiles of well-known projects (e.g., NFT collections) and promote fake airdrops.
Look for verification badges, cross-check with the project’s official website, and treat unsolicited follow-backs with caution.
Can you identify the phishing account from the below two images?
Look for typos, extra characters, or look-alike letters (homographs) in URLs and ad results. For example, a single character from another alphabet can make a malicious domain appear legitimate at first glance.
Search results for ‘promo codes’ are frequently abused. Stick to official websites and verified channels only.
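The homograph and look-alike checks described in the email tip above (hover, then look for misspellings, odd subdomains, and characters from another alphabet) and in the search-result guidance can be automated. The following script is an added example, not Crypto.com’s code: it assumes a constructed brand allowlist (KNOWN_BRANDS) and a deliberately small confusables map, and it flags non-ASCII (punycode) hosts, mixed-script labels, homographs of a listed brand, a brand name used as a subdomain of another domain, and near-miss typo domains.

```python
import unicodedata
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed allowlist of brand domains the reader wants to protect.
KNOWN_BRANDS = {"crypto.com", "binance.com"}

# Constructed, deliberately small map of Cyrillic/Greek look-alikes to Latin.
# A production tool would use the full Unicode confusables table instead.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
               "\u03bf": "o"}


def skeleton(text: str) -> str:
    """Fold look-alikes to Latin, so Cyrillic-c 'сrypto' becomes 'crypto'."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", text))


def scripts(label: str) -> set:
    """Unicode scripts used by the letters of one label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "?").split()[0] for ch in label if ch.isalpha()}


def inspect_url(url: str) -> list:
    """Return red flags for the host of a full URL; an empty list means none found."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    flags = []
    try:  # browsers resolve the punycode form; an 'xn--' label means non-ASCII
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_host = host
    if "xn--" in ascii_host:
        flags.append("non-ASCII host, resolves as %s" % ascii_host)
    for label in host.split("."):
        if len(scripts(label)) > 1:
            flags.append("mixed scripts in label '%s'" % label)
    folded = skeleton(host)
    labels = folded.split(".")
    registrable = ".".join(labels[-2:])  # simplification: ignores co.uk-style suffixes
    if registrable in KNOWN_BRANDS:
        if folded != host:
            flags.append("homograph of %s" % registrable)
        return flags
    for brand in KNOWN_BRANDS:
        if brand.split(".")[0] in labels[:-2]:
            flags.append("%s used as a subdomain of %s" % (brand, registrable))
        elif SequenceMatcher(None, registrable, brand).ratio() >= 0.85:
            flags.append("near-miss of %s" % brand)
    return flags
```

Run `inspect_url` on the hovered link target; a non-empty list is a reason to stop and navigate to the brand’s site yourself instead.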
Phishing evolves constantly, but most campaigns still rely on the same fundamentals: urgency, impersonation, and convincing-looking links.
Stay alert to subtle inconsistencies, verify through official channels, and enable features like anti-phishing codes where offered. If something feels off, pause, then validate independently and thoroughly.
All examples in this article are for informational purposes only. You should not construe any such information or other material as legal, tax, investment, financial, cyber-security, or other advice. Nothing contained herein shall constitute a solicitation, recommendation, endorsement, or offer by Crypto.com to invest, buy, or sell any coins, tokens, or other crypto assets. Returns on the buying and selling of crypto assets may be subject to tax, including capital gains tax, in your jurisdiction. Any descriptions of Crypto.com products or features are merely for illustrative purposes and do not constitute an endorsement, invitation, or solicitation.
Past performance is not a guarantee or predictor of future performance. The value of crypto assets can increase or decrease, and you could lose all or a substantial amount of your purchase price. When assessing a crypto asset, it’s essential for you to do your research and due diligence to make the best possible judgement, as any purchases shall be your sole responsibility.