Phishing scams existed even before the cryptocurrency industry, with the first documented attack believed to have been carried out in the mid-90s. Although the main objective of phishing is simply to steal money from unsuspecting victims, the fact that such stratagems are executed by tech-savvy hackers means they are increasingly being used to steal digital assets. Not least because cryptocurrencies offer greater privacy protections compared to legal tender currencies, which means hackers can disappear without a trace with their loot.
Here are five of the most common phishing attacks, along with some useful tips to protect yourself from cybercriminals.
1 – Spear Phishing
A recent report has highlighted the growing spread of spear phishing attacks, in which attackers target specific individuals with personalized messages, typically a fake email that appears to come from a trusted sender. Often, the attacker’s goal will be to force recipients to reveal sensitive information or induce them to visit a website infected with malware.
Regarding cryptocurrencies, phishing emails and text messages that impersonate hardware wallet providers like Trezor and Ledger or even cryptocurrency exchanges try to induce the recipient to ‘update’ their recovery seed or change their password, after which the thief can steal the login credentials and empty the wallet in question. Another tactic is to attract users with plausible promotions.
So, how can you immunize yourself against spear phishing? At the corporate level, there are multiple solutions: staff training to increase awareness and employee reporting; using machine learning to analyze communication patterns; AI tools to ensure protections against account takeovers.
Individuals, meanwhile, should take steps to verify the authenticity of senders, carefully check links and sender email addresses, avoid open Wi-Fi networks, and have Two-Factor Authentication active. Above all, be extremely cautious about any email that asks you to enter a login and password.
2 – DNS Hijacking
Some phishing schemes are more sophisticated than others. Take for example DNS spoofing attacks. In this decades-old scam, cybercriminals hijack legitimate websites and replace them with a malicious interface, before inducing users to enter their private keys on the fake domain.
One of the most effective ways to protect yourself from a DNS attack is to use a VPN, as it bypasses router settings by sending traffic through an encrypted tunnel. You should also be diligent in checking the URL in the browser to ensure that the website certificate is trustworthy, and pay attention to any warnings indicating that the connection to a site is not secure.
Naturally, storing your cryptocurrencies offline in a tamper-proof hardware wallet, rather than interacting with cryptocurrencies online, is also a good practice.
3 – Phishing Bots
Five years ago, an army of ‘bots’ influenced both the Brexit referendum and the US presidential elections. For example, there is a type of attack created to steal our valuable Recovery Seeds.
In May 2021, the Ethereum-based wallet, MetaMask drew users’ attention to a phishing attack perpetrated by bots stealing Recovery Seeds via Twitter. “The phishing request comes from an account that looks ‘normal’ (but with few followers), suggests filling out a support form on a verified site like Google Sheets (difficult to block).
MetaMask suggests using only official support through the app, but although it may seem like a good idea to verify that the message comes from an official account, this strategy is not foolproof: social media accounts can be hacked like any other, as demonstrated by the great Twitter hack of 2020 that provided cybercriminals with $121,000 in bitcoin.
4 – Fake Browser Extensions
In the world of cryptography, we are accustomed to using a variety of browser extensions, such as MetaMask, which is particularly popular. Unfortunately, cybercriminals are exploiting this predilection to their advantage by creating fake extensions and stealing funds from users.
Last year, a dangerous Chrome extension called Ledger Live was downloaded more than 120 times before being banned from the Chrome Web Store. It’s disturbing that the attackers managed to exploit Google Ads to promote the product and obtain an air of legitimacy.
The lesson to learn? Don’t rely solely on app stores to adequately control the extensions they make available. If you’re downloading a cryptographic browser extension, check its profile page to make sure it has many reviews and comes from a trusted developer. Examine the permissions that the extension requires (Chrome Settings>Extensions>Details) to verify that they are in line with its functionalities. Finally, you could download an extension directly from a link on the company’s website, without going through a search in the app store.
5 – Ice Phishing
In this form of phishing, the attacker will send the victim a fake transaction that appears to come from a legitimate source. The transaction will require the victim to sign it with their private key. In other words, the victim is induced to sign a transaction that transfers authority over their tokens to the scammer. If the victim proceeds, they will have unknowingly transferred ownership of their tokens to the attacker.
Conclusion
There are other general rules that you should consider following to protect yourself from phishing scams. For example, it’s smart to bookmark verified sites where you usually enter sensitive information. The same goes for saving the contact email addresses of cryptocurrency companies you interact with.
Countless people have fallen victim to phishing emails or malicious websites that present good copywriting and a legitimate web address. It may seem like a boring task, but double-checking URLs is a good habit to acquire.
Knowing about phishing scams is the first and most important step to protect your cryptographic assets in an increasingly digital world. Follow the advice mentioned above and the only thing you’ll have to worry about… is buying a good hardware wallet and starting to use it consciously, avoiding disclosing your Recovery Seed even to your wife…
Tags: hacker, Hardware wallet, phishing
