A recent Interpol report shows that phishing is on the rise globally. Here, we show examples of how scammers commonly try to phish cryptocurrency users and how to protect yourself.
- Phishing is a ‘social engineering’ technique used by hackers and scammers to lure unsuspecting users into providing their credentials and/or sensitive information.
- Phishing can happen in several forms, including email phishing, SMS phishing, and voice-call phishing.
- Phishing can be recognised by several tell-tale signs, such as inaccuracies, a sense of urgency, lack of security features, as well as requests for personal information.
- Protecting yourself from phishing requires a healthy dose of scepticism and a careful inspection of all messages, emails, and links.
What Is Phishing?
Phishing is one of the avenues of attack that scammers use to target unwitting users to steal their sensitive information like personally identifiable information (PII), which includes date of birth, address, email username and password combinations, online banking info, and corporate accounts, and — ultimately — their funds.
Phishing is a form of ‘social engineering’ that relies more on tricking an unwitting user to voluntarily hand over their credentials and/or funds rather than attempting to breach their devices or accounts using hacking techniques.
In a typical phishing attack, a user is commonly made to believe they have been contacted by an organisation they usually deal with (for example, their bank, employer, or telecommunications provider) via sophisticated replicas of the organisation’s website, SMS notifications, emails, or phone calls. These attacks may lead the user to provide sensitive information, such as credentials, passwords, or recovery phrases.
Phishing attacks can be coordinated, such as against a specific organisation’s staff or members, or against users of a certain service. Typically, attackers will have acquired customer information after a data breach incident, which they then use to target the very same customers with a phishing attack. In other cases, attacks can be random and based on the targeting of blocks of phone numbers, automatically generated email addresses, or lists of email addresses obtained unlawfully from subscribers to mailing lists.
The objectives of phishing attacks can either be short-term or long-term. Short-term goals include deploying ransomware to victim devices and demanding a ransom to decrypt their data or stealing funds from victim accounts.
Long-term goals include gaining access to the victim’s organisation’s corporate network/systems, deploying malware to victim systems for long-term and ongoing gain, or for surveillance and extortion.
Types of Phishing
Phishing can happen over various channels, including:
- Email
- SMS (also known as ‘Smishing’)
- Social media and Instant Messaging
- Phone calls/voice calls (also known as ‘Vishing’)
1. Emails: “Click This Link to Avoid…”
In an email phishing attack, the attacker usually sends an email that looks like it is coming from a genuine source, with a ‘call to action’ requiring the prospective victim to click a link to avoid consequences.
For example, attackers may send out an email spoofing your bank and requiring you to log on and reactivate your account or risk account suspension and loss of access to funds. In other cases, attackers may send an overdue invoice from a service provider requiring immediate action, such as paying the invoice to avoid late fees and additional charges.
Phishers can use sophisticated designs, including the same logo, colour scheme, and font as the target organisation to make the message look as close to a legitimate one as possible.
Take a Close Look at the Sender
Additionally, phishers might use elaborate methods to make the message appear to be from a legitimate source, notably by padding the originating email address (e.g., an address in which the genuine domain is followed by an extra, attacker-controlled domain such as fakedomainname.com) and/or by manipulating the links the user is required to click through in a similar manner.
In some other cases, attackers may use another technique known as ‘homograph attacks’, where they register look-alike domain names containing letters from alphabets other than the Latin alphabet used in English. For example, the letters a, c, e, o, p, and x look the same in the Latin and Cyrillic alphabets. These look-alike letters are called homographs.
This makes it hard even for an experienced user to identify that the domain used for the link and/or originating address is fake because the differences are slight (e.g., an address at ßitcoin.com; note the ‘ß’ standing in for the ‘B’ in ‘ßitcoin’).
2. SMS Messages Are Easy to Imitate
SMS phishing (or ‘Smishing’) is similar to email phishing, albeit requiring far less sophistication on the attackers’ side since SMS messages do not usually contain formatting or graphics.
In Smishing, an attacker targets the victims by sending them text messages that may resemble a legitimate text message from a service provider. These generally rely on either fear, uncertainty, and doubt (FUD) or fear of missing out (FOMO).
An example of FUD includes informing the target of unauthorised transactions on their credit card, and requiring them to click a link immediately to stop further transactions. For FOMO, an example may involve attackers informing the target of a very short time to opt into a special offer/discount. In both situations, the targets are encouraged to click the links supplied in the SMS messages.
In these examples, neither the unauthorised transactions nor the special offers/discounts are genuine. Instead, these false scenarios create a sense of urgency to tap into either FUD or FOMO in the attackers’ intended targets.
3. Phishing on Social Media
On social media and Instant Messaging platforms, an attacker may pose as a service provider (customer support staff of a service provider, employee of a company offering support, etc.) and try to trick the user into clicking a phishing link, similar to email and SMS phishing. Look for deceptive user names like ‘_crypto com official_’.
The main objective of these attacks is typically to get the user to click the link. In some cases, the link will deploy malware/spyware/ransomware to a victim’s device; in other cases, the link leads them to a realistic-looking copycat website where they enter their credentials, allowing hackers access to the user’s real account on the real website.
4. Watch Out for Unexpected Phone Calls
Voice phishing (or ‘Vishing’) is a slightly different variant of phishing, where attackers either call the victims or utilise technology to mass-call victims using pre-recorded messages. They will try to convince the victims they are calling from a legitimate organisation (for example, a government entity like the tax office, or a service provider like banks, telcos, etc.) in order to acquire their unsuspecting victims’ private information, which they then use to access their accounts, steal their identity, or acquire funds unlawfully.
In some cases, the victims can be coerced into providing payments via untraceable payment methods like gift and prepaid cards to avoid consequences the attackers claim the victim will otherwise face (e.g., arrest, deportation, foreclosure on their home, etc.). Indeed, the tax office or the bank asking to be paid in prepaid gift cards should always raise a red flag.
Recognising Phishing and Protecting Yourself
The first line of defence against phishing is to always be sceptical of unexpected emails, messages, or phone calls with an urgent call to action.
In addition, there are a few tell-tale signs to look out for and consider during your own assessment of whether or not an incoming message is genuine:
- Does the originating email address come from the usual contact email for that organisation? Look into the full email address and domain — Is there anything after the usual domain name? For example, Crypto.com’s email domain is @crypto.com; however, if the email domain is padded (@crypto.com.somethingelse.com, for example), it is not the same domain.
- Does the organisation offer an anti-phishing code feature? Is it switched on for your account? If the answer to both questions is yes, does the correct code appear on the email?
Use Crypto.com’s anti-phishing code to protect yourself. Find out how to turn it on in the Crypto.com App, on the Exchange, and in the NFT Marketplace.
- Check the link you are required to click by hovering (and NOT clicking) over it. Does the link go to the organisation’s domain name? Is the domain in the link padded by any additions like the email domain padding mentioned above?
- Look for spelling and grammar mistakes. Attackers often make conspicuous mistakes, a tell-tale sign that it is not a legitimate email.
- Are you addressed by your name or a collective term (e.g., Dear [Your Name] vs Dear Customer)? Note that this is not always a reliable indicator, as attackers may have your name and email and may utilise mail merge software to address victims individually.
- Were you suddenly contacted on social media and/or an Instant Messaging platform by an alleged company representative? This often happens right after you post a complaint or a question about the company’s service. In most cases, representatives will not initiate contact unless you navigate to their verified account/page and initiate contact yourself.
- If it sounds too good to be true, it almost certainly is. Are you being offered investment opportunities or loans on terms that sound too good to be true? These are some of the common baits used in phishing.
- Are you being threatened with consequences if you do not act immediately? Do not panic. Remember, you can always hang up and call the organisation back on their publicly listed number or contact them via their legitimate and official customer service channels.
The golden rule is, if — after all that — you are still uncertain, you are better off NOT clicking any links or following any requests provided to you via email/SMS/IM/phone call. Instead, contact the organisation yourself by using their secure contact channels (customer support chat, calling their customer support line, or navigating to their website by entering the URL yourself in a browser and logging in to your account).
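As an added example (not code from the original article), the following Python check applies the sender-domain and link-domain tests from the checklist above and names the padded-domain and homograph tricks described earlier. The expected domain crypto.com comes from the article; the sample sender address and links are constructed.

```python
import unicodedata
from urllib.parse import urlsplit

# Taken from the article: the genuine domain we expect mail and links from.
EXPECTED_DOMAIN = "crypto.com"


def email_domain(address: str) -> str:
    """Domain part of an e-mail address, lower-cased ('x@A.com' -> 'a.com')."""
    return address.rsplit("@", 1)[-1].strip().lower()


def link_domain(url: str) -> str:
    """Host of a URL, lower-cased: the part you see when hovering over a link."""
    if "://" not in url:
        url = "http://" + url          # urlsplit needs a scheme to find the host
    return (urlsplit(url).hostname or "").lower()


def red_flags(domain: str, expected: str = EXPECTED_DOMAIN) -> list[str]:
    """Reasons a sender or link domain does not look like `expected`.

    An empty list means the domain is `expected` itself or a genuine subdomain
    of it (e.g. mail.crypto.com). Anything else is flagged, naming the trick
    where it can be recognised: padding (crypto.com.somethingelse.com) or
    non-ASCII look-alike characters (homographs such as Cyrillic letters or 'ß').
    """
    domain = domain.lower().rstrip(".")
    if domain == expected or domain.endswith("." + expected):
        return []
    flags = []
    if expected in domain:
        flags.append(f"padded: '{expected}' appears inside '{domain}' but is not its ending")
    odd = [c for c in domain if ord(c) > 127]
    if odd:
        names = ", ".join(f"'{c}' is {unicodedata.name(c, 'UNKNOWN')}" for c in odd)
        flags.append(f"possible homograph, non-ASCII characters: {names}")
    if not flags:
        flags.append(f"'{domain}' is not {expected} or a subdomain of it")
    return flags


def check_message(sender: str, links: list[str]) -> dict[str, list[str]]:
    """Run red_flags over the From address and every link found in a message."""
    report = {sender: red_flags(email_domain(sender))}
    for url in links:
        report[url] = red_flags(link_domain(url))
    return report


if __name__ == "__main__":
    # Constructed sample message using the padding and homograph tricks above.
    sample_sender = "support@crypto.com.somethingelse.com"
    sample_links = ["https://mail.crypto.com/login", "https://ßitcoin.com/verify"]
    for item, flags in check_message(sample_sender, sample_links).items():
        print(item, "->", flags or ["looks genuine"])
```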
Phishing Attempts on Crypto Users
So what does this look like in practice? Here are seven examples of hypothetical phishing attacks. You’ll soon see what the red flags are.
1. Companies Don’t Initiate DM Conversations — and the Two Exceptions
In this sample, a phisher contacts a prospective victim to initiate a conversation with them, although service providers generally do not direct message (DM) users first. In other words, you usually have to initiate a DM. Exceptions are contacting contest winners for prize fulfilment and asking for permission to utilise user-generated content. For the latter, you should have a clear memory of entering the contest and look for all other signs of a legitimate account, like a verified profile. Attempts to send you to shortened links are a red flag.
2. Legitimate Companies Don’t Offer Get-Rich-Quick Opportunities
In this type of scenario, a fake account impersonating a staff member, such as a regional community manager, messages a potential victim on social media, offering investment opportunities.
3. Companies Don’t Add Users to Community Channels
In this example, a phisher duplicates a community channel by creating a replica Telegram Group and adding potential victims. The scammers may pose as genuine staff, trying to get victims to reveal their login credentials.
As a matter of policy, service providers generally do not add users to a community group or channel. Instead, users should find the links to official community groups and channels themselves.
4. Only Use Official Websites
Here, a hypothetical example of a copycat website tries to resemble the Cronos blockchain website by using similar colour schemes and logos. The scammers try to get the users to provide their crypto wallet seed phrases, which would, in turn, give the scammers irrevocable access to the user’s non-custodial wallets and allow them to drain all assets.
Users should pay attention and be wary of the very basic site structure, the missing logo that is replaced by a simple hexagon, and the call to action.
Conversely, the legitimate Cronos website below has several unique features distinguishing it from the copycat website above.
5. Check if Social Media Accounts Are Verified
In another example, a phisher may create a realistic-looking Twitter account that resembles, for instance, the official Loaded Lions account to attempt to steal funds by using a fake airdrop as bait.
Make sure that the accounts you follow are verified as official, and be suspicious of big-name accounts that follow you first. You can see below a screenshot of both the fake and the genuine Twitter profiles.
6. Check URLs Carefully
Phishers can create a fake page for a real project and pay for a Google ad to make it appear first. For example, a careful eye can see the URL in the ad has a typo (tcetonic.finance), while the legitimate website of Tectonic (tectonic.finance), a decentralised non-custodial algorithmic money market protocol built on Cronos Chain, appears below the ad as the first search result.
7. Be Cautious of Third-Party Promo Codes
In this final example, a user might search for a promo code and be directed to scam websites for fake promo codes that may contain malicious links.
Only use promo codes directly from official sites and verified channels.
Conclusion — How to Protect Yourself From Phishers
As hackers and scammers are in an ever-increasing drive for victims and funds, phishing attacks are expected to increase. Whether due to data breaches or targeting at random, phishing attacks are a risk to anyone’s privacy and finances. Staying vigilant, knowing what phishing looks like, and a healthy dose of scepticism are some necessary tools to shield yourself from phishing attempts.
Due Diligence and Do Your Own Research
All examples listed in this article are for informational purposes only. You should not construe any such information or other material as legal, tax, investment, financial, cyber-security, or other advice. Nothing contained herein shall constitute a solicitation, recommendation, endorsement, or offer by Crypto.com to invest, buy, or sell any coins, tokens, or other crypto assets. Returns on the buying and selling of crypto assets may be subject to tax, including capital gains tax, in your jurisdiction. Any descriptions of Crypto.com products or features are merely for illustrative purposes and do not constitute an endorsement, invitation, or solicitation.
Past performance is not a guarantee or predictor of future performance. The value of crypto assets can increase or decrease, and you could lose all or a substantial amount of your purchase price. When assessing a crypto asset, it’s essential for you to do your research and due diligence to make the best possible judgement, as any purchases shall be your sole responsibility.