
What’s Phishing and How Can You Protect Yourself?

Wherever there’s money to be made, you’ll always find people ready to do so using unscrupulous means. After crypto blew into the scene, scams, especially internet-based ones, have gotten even more lifeblood than ever before. And unsuspecting players continue to fall victim. 

Phishing is a fraud technique that cyber thieves use to con people. Usually, it’s used to obtain information that an attacker can use later against their victim. In some circumstances, the criminal will trick or mislead a user to transfer their funds. Of course, it’s never that straightforward – there is a lot of planning and psychological manipulation involved.

This article will look at phishing in detail, how it features in the cryptoverse, and how you can protect yourself.

How Does Phishing Work?

It’s crazy to think that the most successful phishing attack is not technical at all. Phishing is one of the most prevalent and most successful cyberattacks, yet it does not often require any special technical know-how. 

In a typical phishing scenario, the scammer will usually craft a convincing email to get you to reveal some information about yourself, your place of work, or any other targeted entity. What makes these attempts so successful is how an attacker can refer to you by your name and other personal details. At a glance, it might be hard to suspect anything unusual.  

While phishing was originally done via email, advances in other forms of messaging such as short messaging service (SMS) and instant messaging services such as WhatsApp have led to attackers diversifying to these upcoming channels. Today, phishers will even attempt to trick you through voice calls.

Also, while phishing traditionally referred to email scams, the term is now used for any form of trickery that seeks to swindle users. With that, let’s take a deep dive into phishing and what it’s all about. Importantly, we’ll explore ways to protect yourself from it.

Types of Phishing

#1. Cloning

Here, the attacker duplicates a previous legit email but then inserts a malicious link. Such links typically lead you to a look-alike website, which the attacker will use to harvest your personal information. In the new email, they might then say something like, “please use the updated link.” This attack leverages your familiarity with the previous communication, which makes you less suspicious (hence more vulnerable). 

#2. Typosquatting

Typosquatting is taking advantage of people who do not read domain names carefully. You’d be a victim if you saw ‘conbase.com’ and assumed that’s Coinbase. 

#3. Impersonation 

An attacker can claim to be another (usually famous) person to make it easier for them to convince you to do something. For instance, they’ll claim to be an executive of a certain crypto exchange and that they have a flash sale – tokens going for discounted prices. If other attack variables such as timing, the storyline, and so on are logical, it becomes easy to lure unsuspecting people to the bait.

#4. Malicious/fake apps

Malicious apps are used to track users, steal their private information, and even steal their money. Most of such apps pose as ‘utility apps’ that you can use to free up disk space, clear junk, lock files, and perform other maintenance activities on your digital devices. The reality, though, is that these apps don’t even do what they claim to do in the first place. Phone and software companies try to detect and block these apps, but scammers are always devising new ways to stay ahead.

#5. Spear phishing

This strategy targets a specific individual or organization. Unlike general phishing, spear-phishing attacks are very precise, and the attacker will usually have all the information about their victim. Due to this, these attacks can be persuasive. 

Phishing and Cryptocurrency Scams

Phishing attacks on crypto users are prevalent. A Google search on ‘phishing and cryptocurrencies’ will show you countless pages of results listing recent phishing scams. The following are some of the common phishing tactics attackers use against crypto users:

#1. Look-alike websites – Also known as typosquatting, this attack involves redirecting users to websites with mistyped URLs. For instance, a phisher’s website will read ‘bÏnance.com’, which can be easily mistaken for ‘binance.com.’ 

#2. Fake donations/crowdfunding campaigns – Cryptocurrencies are increasingly being adopted to facilitate donations, especially where governments would otherwise restrict such donations. Crypto donations are also popular in global fund drives because they allow donors from anywhere to send their contributions. Scammers have abused the crowdfunding potential of cryptocurrency to fleece unsuspecting internet users. Around July, a hacker gained access to prominent persons’ Twitter accounts and started soliciting users to send Bitcoin. One tweet from Bill Gates’ account read, “You send $1,000; I send you back $2,000.”

#3. Fake QR codes – When sending crypto, scanning a QR code is usually way more convenient than copy-pasting or manually typing in the address. Similarly, when sharing your address with a sender, it’s easier to send them a QR code than the alphanumeric address. Most crypto wallets have inbuilt QR code generators, but some don’t. The number of fake standalone QR code generators that have been developed supposedly to fill this gap is overwhelming. Cointelegraph reports that four out of five results for Google searches on ‘Bitcoin QR code generator’ return fake apps. If you generate a wallet address with a fake QR code generator, you’ll be playing right into the hands of a phisher.

How to Protect Yourself

Phishing is real, and it’s not going anywhere. As such, we can only do our best to protect ourselves. Understanding the various forms of attacks helps in spotting them. These guidelines will greatly help to protect you from phishing attacks. 

#1. Exercise caution, always

Being wary is the best defense you can have. It’s hard to be alert all the time. However, if you were not expecting that email with that subject from that person, double-check to make sure you’re not being trapped.

#2. Access websites directly

This might be inconvenient, but it’s best that you type website addresses instead of clicking links. In some advanced forms of typosquatting, a malicious link can lead you to a website whose domain name looks the same as that of its legitimate twin. The technique is called punycode, and it takes advantage of look-alike characters from different languages, encoded as ASCII.

#3. Check links before clicking 

If you just have to click that link, hover your mouse pointer over the link (long press if viewing on Android) to see the full link before proceeding. 

#4. Don’t ignore suspicious items

If the email or website has a typo or something just feels off, don’t ignore it. Scammers tend not to proofread their work – typos are quite common and can be an indicator of a phishing attack.
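The checks in guidelines #2 and #3, applied to the look-alike domains this article mentions (‘conbase.com’, ‘bÏnance.com’), can be automated. The sketch below is an added example, not code from the original article: it decodes punycode (‘xn--’) labels, folds accents, and measures edit distance to a trusted list. The TRUSTED set, the verdict labels, and the distance threshold of 2 are assumptions chosen for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

TRUSTED = {"coinbase.com", "binance.com"}  # assumption: sites the user really uses

def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def to_unicode(host):
    """Decode punycode ('xn--') labels into the characters a browser may display."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed label: keep the raw ASCII form
        labels.append(label)
    return ".".join(labels)

def skeleton(host):
    """Strip accents so 'bïnance.com' folds to 'binance.com'."""
    return "".join(c for c in unicodedata.normalize("NFKD", host) if not unicodedata.combining(c))

def is_trusted(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED)

def classify(url):
    """Return 'trusted', 'homograph', 'typosquat' or 'unknown' for a link."""
    host = to_unicode(urlsplit(url).hostname or "")
    if is_trusted(host):
        return "trusted"
    folded = skeleton(host)
    if is_trusted(folded):
        return "homograph"  # differs from a trusted name only by accents/encoding
    base = ".".join(folded.split(".")[-2:])  # crude: last two labels, no public-suffix list
    if any(edit_distance(base, t) <= 2 for t in TRUSTED):
        return "typosquat"  # one or two characters away from a trusted name
    return "unknown"

if __name__ == "__main__":  # constructed sample links
    for url in ("https://www.coinbase.com/", "http://conbase.com/login", "https://bÏnance.com/"):
        print(f"{classify(url):10} {url}")
```

A verdict of "unknown" only means the domain does not resemble a trusted one; it says nothing about whether the site is safe.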

Final Thoughts

Phishing is one of the most common cyberattacks. It’s proven quite effective considering that it doesn’t require any special skills. We’ve established that there are several forms of the attack, including some specifically targeting cryptocurrency users. The best defense against phishing is to stay alert all the time. Also, double-checking web addresses, confirming links, and probing suspicious-looking emails come in handy.


Social Engineering and Cryptocurrencies

Where there is money, there will be swindlers attempting to obtain it through crooked means. And fraudsters now seem to be inevitably part and parcel of the crypto ecosystem – much to the chagrin of the community. These scammers lure or coerce users into sending funds to some setup wallets.

And mark you – it’s not just crypto newcomers that are vulnerable. Crypto experts and newbies alike have lost money to these scheming individuals. The tactics applied vary, but the common ones are known and will be the subject of this article. Read on to know how to spot them and avoid falling victim.

What is Social Engineering?

Social engineering can best be described as the hacking of the human mind. It is a technique mostly used by hackers to get information about computer users. But with the alluring nature of crypto, it was only a matter of time before the scam found its way in the industry. 

In a typical social engineering attack, the scammer will entice you to provide information that they can then use against you. Less experienced attackers can be easily spotted and stopped right in their tracks. But there is a breed of social engineers who can fool even the most sophisticated user. But make no mistake, both breeds are dangerous, and it’s worth learning how to identify them.

Common Tactics

Tactics used by social engineers are numerous, and they keep evolving as new crypto capabilities are developed. Some will directly target your wallet. Others will entice you to send them funds. Let’s take a look at how some of these scenarios play out.

#1. Phishing 

Phishing is a method of luring people to divulge information that should otherwise be secret. Phishing experts usually send a convincing email or instant message asking for this or that. The level of personalization of these messages will hardly raise an eyebrow. The scammers will address you by your full name, home address, and even tell you about a purchase you made recently. How they obtain all this information is beyond the scope of this article, but it involves the prior harvesting of your information either on social media or through hacking. 

Regardless of how they address you, the underlying message is usually something like, “please share your username/ account number/ password so that we can address an issue with your wallet.” In this kind of attack, the scammer usually targets to get full access to your wallet. It’s one of the most dangerous attacks. 

Another common phishing scenario involves asking you to send funds to the scammer’s wallet. A convincing personal message will be drafted, asking you to complete a purchase or make a payment for one of your subscriptions. Again, it might be difficult to tell that there’s something suspicious with the request because the message will be very personal. This attack is not catastrophic, but you can still lose substantial amounts. 

Some scammers have learned that fear is valuable merchandise, and they will wield it over their victims without scruples. You may get a message telling you that your private photos are in their hands and are about to go public. Usually, they’ll tell you the only way to prevent this is to send a certain amount of crypto to their wallet. 

Whether they would actually be having the said photos may not matter at that time. The fact remains it is one of the most powerful social engineering tactics that can be used against you.

#2. SIM Swapping

SIM swaps have become notoriously common in the recent past. Users have lost access to their phone numbers, online accounts linked to their phones, and of course, crypto wallets too. All this thanks to SIM swaps. 

Without delving deep into the mechanics of a SIM swap, scammers request your SIM provider to replace your line by faking your identity. Combined with phishing, a successful SIM swap can give a scammer full access to your crypto wallet. This is particularly true for wallets that use your phone number for multi-factor authentication. What happens after the scammer gets full access to your wallet is a fearful sequence of events. You could potentially lose all your funds, and the scammer might decide to use that info to manipulate you in the future.

#3. Crowdfunding Scams

Cryptocurrencies have made crowdfunding easier than ever before. If you have a noble cause, say, raising funds to stop climate change, you can easily get people from around the world to contribute to your cause. All you need to do is create a convincing online campaign, set up a crypto collection account, and wait for the donations to trickle in. Such was the case for the young Maejor Page, who lured sympathizers of the Black Lives Matter movement and then squandered their donations.

This kind of social engineering is not particularly dangerous. But still, the thought that you might have been scammed into contributing to someone’s personal expenses can be disturbing. 

#4. Fake Investment Schemes

Ponzi and pyramid schemes have existed for not less than a century. Nevertheless, people still fall for these tricks a hundred years after their invention. While the ventures traditionally ran on fiat money, scammers have quickly adapted them for cryptocurrencies. 

An Initial Coin Offering (ICO) is one of the fake crypto investments you might find yourself entangled in. An ICO is a strategy used by startups to raise funds by creating their brand of tokens and selling them to prospective investors. 

That’s not to say that ICOs are fraudulent, but some are simply not going anywhere. Still, the startups behind them will continue to market their idea to potential victims. In the end, the startup collapses, and investors are left with useless tokens that they can’t redeem anywhere.

How to Protect Yourself

  • Don’t be greedy – Greed can usually undermine reason, making people think they can earn easy money. When you come across a crypto investment that you find interesting, do your due diligence before committing your money.
  • Be alert – Being alert is arguably the most effective defense against social engineering. Being alert makes it substantially difficult for scammers to entice or coerce you with offers or scare tactics.
  • If planning to invest in an ICO, evaluate whether the startup’s business idea is sensible/feasible. This doesn’t mean a sound business idea cannot be used to bait victims, but it’s just that it is less likely to be used for such purposes.
  • Follow the security guidelines provided by the developers of your crypto wallet. Also, ensure you check out your SIM provider’s swapping procedures, especially if you’re using multi-factor authentication for your wallet.

Closing Thoughts

The adoption of cryptocurrencies has created a new playground for social engineers. While fraudulent schemes traditionally depended on fiat money, new social engineering ventures are now targeting crypto users too. The most common tactics involve threatening users into sending funds, enticing them to divulge wallet credentials, or even the more sophisticated SIM swaps. Regardless of the sheer number of scamming tactics out there, you can avoid falling victim by doing your due diligence when approaching investments, staying alert, and following security guidelines for your wallet(s).