Wherever there’s money to be made, you’ll always find people ready to make it by unscrupulous means. Since crypto burst onto the scene, scams, especially internet-based ones, have had more lifeblood than ever before. And unsuspecting players continue to fall victim.
Phishing is a fraud technique that cyber thieves use to con people. Usually, it’s used to obtain information that an attacker can use later against their victim. In some circumstances, the criminal will trick or mislead a user into transferring their funds. Of course, it’s never that straightforward – there is a lot of planning and psychological manipulation involved.
This article will look at phishing in detail, how it features in the cryptoverse and how you can protect yourself.
How Does Phishing Work?
It’s crazy to think that the most successful phishing attack is not technical at all. Phishing is one of the most prevalent and most successful cyberattacks, yet it does not often require any special technical know-how.
In a typical phishing scenario, the scammer will usually craft a convincing email to get you to reveal some information about yourself, your place of work, or any other targeted entity. What makes these attempts so successful is how an attacker can refer to you by your name and other personal details. At a glance, it might be hard to suspect anything unusual.
While phishing was originally done via email, advances in other forms of messaging such as short messaging service (SMS) and instant messaging services such as WhatsApp have led attackers to diversify into these newer channels. Today, phishers will even attempt to trick you through voice calls.
Also, while phishing traditionally referred to email scams, the term is now used for any form of trickery that seeks to swindle users. With that, let’s take a deep dive into phishing and what it’s all about. Importantly, we’ll explore ways in which to cushion yourself from one.
Types of Phishing
#1. Clone phishing
Here, the attacker duplicates a previous legit email but then inserts a malicious link. Such links typically lead you to a look-alike website, which the attacker will use to harvest your personal information. In the new email, they might then say something like, “please use the updated link.” This attack leverages your familiarity with the previous communication, which makes you less suspicious (hence more vulnerable).
#2. Typosquatting
Typosquatting is taking advantage of people who do not read domain names carefully. You’d be a victim if you saw ‘conbase.com’ and assumed that’s Coinbase.
#3. Impersonation
An attacker can claim to be another (usually famous) person to make it easier for them to convince you to do something. For instance, they’ll claim to be an executive of a certain crypto exchange and that they have a flash sale – tokens going for discounted prices. If other attack variables such as timing, the storyline, and so on are logical, it becomes easy to lure unsuspecting people to the bait.
#4. Malicious/fake apps
Malicious apps are used to track users, steal their private information, and even steal their money. Most of such apps pose as ‘utility apps’ that you can use to free up disk space, clear junk, lock files, and perform other maintenance activities on your digital devices. The reality, though, is that these apps don’t even do what they claim to do in the first place. Phone and software companies try to detect and block these apps, but scammers are always devising new ways to stay ahead.
#5. Spear phishing
This strategy targets a specific individual or organization. Unlike general phishing, spear-phishing attacks are very precise, and the attacker will usually have all the information about their victim. Due to this, these attacks can be persuasive.
Phishing and Cryptocurrency Scams
Phishing attacks on crypto users are prevalent. A Google search on ‘phishing and cryptocurrencies’ will show you countless pages of results listing recent phishing scams. The following are some of the common phishing tactics attackers use against crypto users:
#1. Look-alike websites – Also known as typosquatting, this attack involves redirecting users to websites with mistyped URLs. For instance, a phisher’s website will read ‘bÏnance.com’, which can be easily mistaken for ‘binance.com.’
#2. Fake donations/crowdfunding campaigns – Cryptocurrencies are increasingly being adopted to facilitate donations, especially where governments would otherwise restrict such donations. Crypto donations are also popular in global fund drives because they allow donors from anywhere to send their contributions. Scammers have abused the crowdfunding potential of cryptocurrency to fleece unsuspecting internet users. Around July, a hacker gained access to prominent persons’ Twitter accounts and started soliciting users to send Bitcoin. One tweet from Bill Gates’ account read “You send $1,000; I send you back $2,000.”
#3. Fake QR codes – When sending crypto, scanning a QR code is usually way more convenient than copy-pasting or manually typing in the address. Similarly, when sharing your address with a sender, it’s easier to send them a QR code than the alphanumeric address. Most crypto wallets have inbuilt QR code generators, but some don’t. The number of fake standalone QR code generators that have been developed supposedly to fill this gap is overwhelming. Cointelegraph reports that four out of five results for Google searches on ‘Bitcoin QR code generator’ return fake apps. If you generate a wallet address with a fake QR code generator, you’ll be playing right into the hands of a phisher.
How to Protect Yourself
Phishing is real, and it’s not going anywhere. As such, we can only do our best to protect ourselves. Understanding the various forms of attacks helps in spotting them. These guidelines will greatly help to protect you from phishing attacks.
#1. Exercise caution, always
Being wary is the best defense you can have. It’s hard to be alert all the time. However, if you were not expecting that email with that subject from that person, double-check to make sure you’re not being trapped.
#2. Access websites directly
This might be inconvenient, but it’s best that you type website addresses instead of clicking links. In some advanced forms of typosquatting, a malicious link can lead you to a website whose domain name looks the same as its legitimate twin. The technique is known as a Punycode (homograph) attack: Punycode is the ASCII encoding used for domain names that contain non-ASCII characters, and the attack takes advantage of look-alike characters from different languages.
#3. Check links before clicking
If you just have to click that link, hover your mouse pointer over the link (long press if viewing on Android) to see the full link before proceeding.
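The look-alike domains and Punycode trick described above can also be checked mechanically. The following is an added example, not part of the original article: it decodes Punycode labels, folds accented characters, and compares the host against a short allowlist. The `TRUSTED` list, the function names and the distance threshold of 2 are assumptions chosen for illustration.

```python
import unicodedata

# Assumption: the domains you actually use; extend for your own accounts.
TRUSTED = ("coinbase.com", "binance.com")

def to_unicode(host):
    """Decode Punycode ('xn--') labels so the displayed characters are visible."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed label: keep it as written
        labels.append(label)
    return ".".join(labels)

def fold(host):
    """Strip accents and compatibility forms, e.g. 'ï' -> 'i'."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_host(host, max_distance=2):
    """Return (verdict, trusted domain it resembles or None)."""
    shown = to_unicode(host)
    if shown in TRUSTED:
        return "trusted", shown
    for trusted in TRUSTED:
        if edit_distance(fold(shown), trusted) <= max_distance:
            # Non-ASCII look-alike versus plain misspelling.
            kind = "typosquat" if shown.isascii() else "homograph"
            return kind, trusted
    return "unknown", None

# Constructed samples, including the two look-alikes quoted in the article.
PUNY = "xn--" + "bïnance".encode("punycode").decode("ascii") + ".com"
SAMPLES = ["coinbase.com", "conbase.com", "bÏnance.com", PUNY, "example.org"]

if __name__ == "__main__":
    for h in SAMPLES:
        print(h, "->", check_host(h))
```

The check compares whole host names only, so a trusted name used as a subdomain of another site is outside what it covers.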
#4. Don’t ignore suspicious items
If the email or website has a typo or something just feels off, don’t ignore it. Scammers often don’t proofread their work – typos are quite common and can be an indicator of a phishing attack.
Phishing is one of the most common cyberattacks. It’s proven quite effective considering that it doesn’t require any special skills. We’ve established that there are several forms of the attack, including some specifically targeting cryptocurrency users. The best defense against phishing is to stay alert all the time. Also, double-checking web addresses, confirming links, and probing suspicious-looking emails come in handy.