Cryptocurrencies have been gaining in popularity in recent years, and with their rise has come an increase in phishing attempts targeting crypto holders. In the world of cryptocurrencies, scammers use phishing attacks to steal login credentials or private keys to cryptocurrency wallets. In this article, we’ll explore the different types of phishing attacks in the world of cryptocurrencies and provide some tips for avoiding them.
Table of Contents
Cryptos – what are they and why steal them?
If we define a currency as a tool for communicating value and encryption, the act of converting information into an alternative representation, hence, a crypto-currency is a tool to communicate value in an encrypted manner.
Traditionally, citizens had no choice but to trust the issuer of a currency to guarantee its value. Repeatedly throughout history, however, this trust was misplaced. In the latest iteration, central banks, rating agencies, regulators, and even governments were implicit in the great banking crisis of 2008. Investment banks issued worthless instruments; rating agencies provided false evaluations; and governments bailed them all out at the taxpayers’ expense.
Partly in response, a new formula was deemed necessary, and, almost concurrently, a still-unidentified programmer named Satoshi Nakamoto published a white paper in which he delineated a new form of currency. Named Bitcoin, this new currency would not exist in the form of notes or coins but as information contained in a shared online ledger called the Blockchain.
Banks and governments were replaced by an online community of miners, and users, issued with crypto wallets in the form of keys, using which they then registered transactions upon the ledger. Each transaction must be verified by the entire network before it is recorded in a series of impregnable blocks of transactions data. Then each block is encrypted and stored in a chain of interconnected blocks. Rather than accumulating wealth, a user’s value is computed ad hoc, based on a history of related transactions before his/her next transaction can be approved.
Since then, new forms of cryptocurrencies have been created; blockchains have been adopted by enterprises other than financial; and even an industry of ICOs (initial coin offerings), smart contracts (administered electronically rather than through lawyers and judges), NFTs (non-fungible tokens, likes work of art), and more thrives.
The blockchain is supposed to be impregnable and cryptocurrencies, completely safe. Unfortunately, it has one weak link: the human user.
Headlines were made last November when Sam Bankman Fried’s FTX scam unfolded. FTX enabled customers to exchange different forms of cryptos and store these in their crypto wallets. They even issued their own token—the FTT. When the Bitcoin surge ended in 2021, FTX continued to grow, but this was thanks to a Hong Kong-based company—also owned by Fried—Alameda’s. It was only when another company, Binance, offered to buy FTX, then withdrew its offer, that the fraud was uncovered. Customers, including sophisticated venture capital funds, had lost billions when their crypto-wealth was diverted to Alameda Research trading firm.
Forbes estimates that there are currently about 22,932 cryptocurrencies worth over a trillion US dollars in total. With that much in circulation, the temptation to create a fake currency, a fake wallet, or even a fake exchange is immense. Luckily, these scams are relatively easy to spot: a legitimate coin offering will provide excessive information about its blockchain, protocols, valuation, a detailed white paper, the purpose of the ICO, and more. These will be well-written by informed professionals seeking the attention of high-value investors. Furthermore, owing to the relatively volatile valuations of cryptos over the past years, many newcomers will shy away from publicity and the speculators that follow it. It simply won’t be advertised or promoted. If it’s being pushed on Tinder, it’s probably fake.
In its 2021 report, the FBI estimated about $1.6 billion in losses due to crypto fraud – a 7-fold increase on the year before. These included fake crypto ATMs, exchange impersonations, and romance scams leading to fake investments. In fact, the FTC last year reported a $139 million loss to romance scams.
Most simple scams involve either a phishing site into which the victim enters his/her credit information and more, or a wallet that suddenly stops giving you back your money. But the most popular way of scamming users out of their money is by hijacking a legitimate wallet’s private key—akin to your bank card’s PIN code, but smarter. Blockchain News last month reported a host of fraudulent login sites accessed through Google Ads seeking to steal wallet keys, that imitate decentralized finance protocols and brands.
But, the simplest method employs phishing emails sent to a crypto holder from a purportedly reputable cryptocurrency exchange or wallet provider. Once again, these contain a link to a fake website, designed to dupe the victim into entering login credentials or private keys. As with classic phishing, they often use urgency or fear tactics, such as claiming that the victim’s account has been compromised or that the victim needs to act quickly to avoid losing their cryptocurrency.
Contracting phish - Airdrops, NFTs, & smart contracts
New terms spring up each day to describe new uses of this new technology. Airdrops (not the Apple variety), for example, are a crypto marketing tool that usually advertise an event or project by distributing tokens. In one such fake campaign, the Uniswap crypto exchange was attacked through a free UNI tokens offer. What victims got instead was a smart contract that provided the hacker with access to their wallets.
Smart contracts are code that is written into the blockchain that automatically execute the predefined terms of a contract based on fulfilled requirements. Because the crypto environment so tightly depends on smart contracts to survive, the spectrum of possibilities for scams is quite wide. From scammers using functions not entirely understood by the victim (such as the SelfApprovalForAll function that enables transferring tokens) to engineered websites cleverly disguising one function with another, only the truly informed should be delving into these.
Non-Fungible Tokens (NFTs) are tokens through which one can register ownership of a creative work (music, art…) in the blockchain. Once again—the registration may be foolproof—not so the human owner who may unwittingly transfer ownership to a thief. Last year’s NFT theft that closed down a Seth Green production illustrated the ease with which even seasoned pros can be scammed. Clearly, those of us who invested in Bitcoin at 61K should be even more cautious when playing with unknown fires.
Crying over spilled phish - The many faces of crypto scams
When the stakes are high, scammers will take their time to investigate their ‘mark’. The more money is involved, the more leisurely their trust-gaining tactics will be. Spear-phishing attacks, for example, target a specific individual or group of individuals, often using information gleaned from social media or other online sources to create a highly personalized message. These messages may contain information that is highly relevant to the victim, such as details about a recent cryptocurrency transaction, in order to increase the chances that the victim will click on a link or divulge sensitive information.
The Washington Post this past February told the story of a Memphis-based logistics manager who invested $200,000 in cryptos through a Linkedin ‘friend’ who turned out to be a pig butcher—someone who scams victims who seek quick and high gains on investment. The article estimates a half trillion dollar loss in 2022 alone through one single blockchain.
Pump and Dump schemes also employ fake social media accounts (sometimes spoofing those of celebrities) to promote fake coin offerings. Sometimes these will be aimed at legitimate offerings, with the aim of inflating prices before the scammer sells at a premium, bringing the blimp crash down.
Kaspersky also describes instances of cloud mining scams. Since the cost of mining goes up proportionately to the number of coins already minted, today this is an investment-rich industry. But there are scammers offering a share of revenue in return for fake mining hardware rental.
But the latest scam reported by Forbes is the SIM-swap scam, in which a scammer obtains a copy of a SIM card, infiltrating a mobile-held electronic wallet without the victim being aware.
Blocking the scam
Because cryptos ensure anonymity, because they’re online and global, tracing the criminals is next to impossible. Moreover, the relative size of the crypto-scamming market is insufficient for cross-national authorities to join forces in pursuing the complaints.
The SEC (US Securities & Exchange Commission) only began to think about crypto regulation and enforcement following the FTX scam—the industry’s closest facsimile to the 2008 banking crisis; the EU’s Markets in Crypto Assets regulation is still a year away; and this past February, the UK Treasury department initiated a regulatory framework for crypto-assets. But Darren Parkin at CITY-AM doubts that the FCA (the UK’s Financial Conduct Authority) will have the means to implement its regulations. NCR claims that British courts have had some success in recovering stolen crypto assets.
The Washington Post describes a growing movement of “self-trained amateur detectives and local law enforcement officials” creating a posse of sorts. One is the 40-member Global Anti-Scam Organization (GASO) comprised mainly of former victims. Some of these are even developing novel tracing tools to seize stolen cryptos—often studying scammer activities to deduce and extrapolate future patterns.
But, scammers are growing more sophisticated by the day, and with AI to assist them, it’s a losing game of catchup.
Den Cooper offers a few signs that can indicate a fake Bitcoin transaction:
- Unusually high transaction fees: Bitcoin transaction fees are typically a small percentage of the total transaction amount.
- Invalid transaction ID or one that doesn’t match the usual format of a typical transaction ID.
- Suspicious sender or recipient address that contains random letters and numbers or unusual characters, for example.
- Low transaction volume, which could indicate a fraudulent transaction. And, of course,
- Phishing attacks aimed at accessing your wallet or keys.
Cooper suggests contacting the support team of your wallet or exchange in case of suspect activity.
Other than these, the usual tips apply:
- Beware of guaranteed high returns on any investment, and always suspect exaggerated marketing of any kind (if it’s too often repeated on too many channels, for one thing)
- Be suspicious of unsolicited emails, cold calls, and social media ads and messages. Don’t click on any links or provide any sensitive information if you’re not 100% sure to whom you’re providing the information.
- Don’t let yourself be pressured into ever taking action: not as an investment, not as an appeal. Think before you click.
- Always double-check the URL of a website before entering sensitive information. Make sure you’re on the right website before entering any sensitive information.
- Use two-factor authentication whenever possible. Multi-factor authentication requires you to enter a code sent to your phone or email in addition to your password.
- Keep your software up-to-date. Software updates often contain security patches that can help protect against known vulnerabilities that attackers may exploit.
- Use a hardware wallet, such as a USB device, to store your cryptocurrency. Hardware wallets are physical devices that store your private keys offline, making it much more difficult for attackers to steal your cryptocurrency. Always be wary of a new wallet, and transfer to it the bare minimum. Suspicious behavior is a tell.
- Be cautious of giving out personal information online. Attackers can use information from social media or other online sources to create highly personalized phishing messages. Think before you share personal information online.
- Educate yourself on the latest phishing tactics. Phishing tactics are constantly evolving, so it’s important to stay up-to-date on the latest threats and how to protect against them. It’s your money—do your research. Certainly before investing it.
- And finally, because most people execute crypto transactions using mobile devices, it is IMPERATIVE you install novoShield NOW to guard against phishing attempts. Guard your money!
In conclusion, phishing attacks are a serious threat in the world of cryptocurrencies. By being aware of the different types of phishing attacks and following the tips outlined above, you can help protect yourself against these types of cybercrimes. Remember, it’s always better to err on the side of caution.