Crypto Phishing

What is Crypto Phishing?

Crypto phishing involves an attempt to trick people into revealing the recovery phrase or private key to their crypto wallet. Much like the phishing we know from the non-crypto world, scammers often pretend to be someone else, such as a representative from a trusted app or crypto exchange

Advertisements

If they’re successful in the ruse, your crypto could be gone forever.

Kaspersky, a leading security software provider, prevented more than 5 million crypto phishing attacks in 2022, up 40% from the previous year. That’s just one provider – in only one year. Cryptocurrency scammers are busier than ever, but what are crypto phishing scams, how do they work, and how can you protect yourself? 

Because crypto transactions are irreversible, prevention is the only cure.

How Does Crypto Phishing Work?

One of the most common types of phishing in cryptocurrency uses fake apps that look and act like the real thing. 

For example, MetaMask provides its popular crypto wallet as a browser extension. You can get the download link from the metamask.io website, but phishers may attempt to get users to download a compromised version through an email link, web link, or social media post. 

Using the fake wallet app likely reveals your private keys to whoever built the imposter application. The private keys control your crypto assets on the blockchain. So, if two people have the keys, either one can transfer the crypto to another wallet.

MetaMask provides a support page to help users identify the real MetaMask app and avoid imposters that use a similar download URL or other trickery.

Similar phishing scams exist for exchanges as well, wherein a scammer might try to gain access to your trading account on Coinbase or another exchange, often using official-looking emails.

Once a scammer has access to your trading account, they can transfer the crypto in your exchange account off the platform. If you’ve linked a payment method, they may be able to buy more crypto for themselves as well.

5 Common Crypto Phishing Attacks

Crypto scams range from fake tokens to rug pulls in which the developers disappear into the digital ether. Crypto phishing scams focus on pretending to be someone else or duplicating a trusted app or site.

5 Common Сrypto Phishing Attacks

  1. Fake Software: Many software apps like crypto wallets provide their source code online. While this makes the code available for review by users worldwide, it also creates a security risk: the software is easy to clone. Fake crypto wallets are simple to spin up for crypto phishing scams.
  2. Fake dApps: Similar to wallets, many popular decentralized applications (dApps) offer open-source code. This helps new projects get started with a tested base they can modify but also provides a ready-made copy for scammers to use.
  3. Imposter Exchanges: For exchanges, it isn’t necessary for a scammer to recreate the entire site. Instead, they can just make an official-looking login page. Logins to the page won’t work, of course, but the scammer is collecting login information to use on the real site.
  4. Imposter Emails: Similar domain names offer a sneaky way for scammers to make fake domains look legitimate. For example, a real email from uniswap likely uses uniswap.org rather than user-support-uniswap.org or other similar variations. Also, ask yourself whether an email address is part of how you use that app at all. Most dApps like Uniswap connect via a crypto wallet and don’t collect email addresses.
  5. Fake Support Reps: Many decentralized platforms use Discord or Telegram for community support. These channels can be a hotbed for scammers who pretend to be official team members offering to “help” users with questions or problems.

5 Ways to Recognize a Crypto Phishing Attack

Recognition Method Description
Misspellings or inaccuracies Scammers may not speak your language natively, so spelling errors, peculiar phrasing, and grammatical errors often become potential clues of a scam.
Pressure to act quickly Be wary of messages that insist you must act immediately to download a new version or log in to update your information. If you want to check to see if an update or request is real, navigate directly to the site by typing the correct URL in your browser.
Missing encryption or browser warnings Scam sites and look-alikes often take shortcuts, such as not providing an SSL certificate. Look for the lock in your browser. Also, known scammer sites may be blocked by browsers or ad blockers. Heed the warning.
Requests for personal information Be leery of any requests for personal information, including passwords, security codes, or anything else that could help a scammer put together the puzzle pieces to complete an attack.
Offers to “reset” your wallet Particularly common on Discord support channels, scammers often impersonate support staff. To resolve issues, a common ruse is to “reset” your wallet by asking for your private key or recovery phrase. Another common tactic is to ask you to connect to a malicious smart contract that can then drain your wallet.

How to Avoid a Crypto Phishing Attack

Wondering how to avoid crypto phishing attacks? Crypto safety relies on two words: be vigilant. 

Crypto enables financial sovereignty but comes without many of the safeguards we find in traditional finance. Treat every transaction, link, or message with appropriate suspicion.

Use Discernment

One common scam, sometimes called the 2x Bitcoin scam, offers to send back double your crypto. As in the analog world, if it seems too good to be true, it’s probably not true.

Find the Official Source

Don’t trust links sent to you by email or provided on outside websites. Instead of following a link for Coinbase, for example, avoid the link offered and visit Coinbase directly by typing coinbase.com in your browser or searching Google for the correct link.

Enable Two-Factor Authentication Whenever Possible

Text-based or email authentication is a start, but authenticator apps like Google Authenticator offer a safer solution if it’s supported. 

Use a Hardware Wallet in Conjunction With Software Wallets

A hardware wallet is a separate offline device that protects the private keys to your crypto wallet. If an app wants to move funds or requests a signed transaction, you’ll need to approve the transaction on your hardware wallet.

Don’t Reuse or Share Passwords

Using the same passwords for exchanges and crypto applications that you use elsewhere could give someone else access. A phishing attack for Facebook, for example, might also reveal your logins for crypto apps if you reuse your password.

FAQs:

Can a crypto scammer be traced?

Can you get crypto back from a scammer?

Can you go to jail for crypto scamming?

Advertisements

Related Questions

Related Terms

Eric Huffman

Eric Huffman has a diverse background ranging from business management to insurance and personal finance. In recent years, Eric's interest in finance topics and in making personal finance accessible led to a focus on cryptocurrency topics. Eric specializes in crypto, blockchain, and finance guides that make these important topics easier to understand. Publications include Milk Road, Benzinga, CryptoNews.com, Motor Trend, CoverWallet, and others. Always learning, Eric holds several certifications related to crypto and finance, including certificates from the Blockchain Council, Duke University, and SUNY. When he's not writing, you might find Eric teaching karate or exploring the woods.