Phishing Scams In The Cryptocurrency Market

Phishing is used for referring to those online attacks, executed with the hopes of stealing one's identity, or critical information such as login data. Phishing attacks are mostly facilitated through malicious links that once clicked on will start the process of either stealing user identities, login information, or the installation of malware on their devices.

Links sent as part of the process of phishing attacks are sent through different channels; they might be sent as an e-mail, a telegram, or WhatsApp message, or direct messages on various social platforms, and the attack would start at the instant of opening those links. So, technically, you are safe if you do not open, or click on those links, after all, why would you even open messages or emails from strangers?

That's a very good question, but you are underestimating the hackers behind these attacks; as it is predictable that users would not open messages sent to them from strangers, they would approach you as trusted officials; think about government authorities or the support staff from a website where you are a member.

here’s an email from Binance with the below content:

What to do? 10,000 ETH is too much money, you couldn't possibly lose this opportunity. But, wait a moment, why has Binance not promoted such a huge giveaway on their Twitter? That's because there is not such a giveaway arranged by Binance, and if you click on the link you will probably lose all your login information, and therefore all the assets stored on your Binance Wallet, let alone winning 10,000 ETH.

So, how to tell a phishing attack from a legit giveaway? You wouldn't want to lose generous opportunities to add one or two coins to your portfolio, and so wouldn't we. Take a closer look at the fake email above, it is sent from the address "[email protected]" which you can tell by inspection is not the official Binance support address. Why? Because Binance's official website address is www.binance.com, and not www.binance.co. 

Let's assume you noticed nothing strange upon first glance and clicked on the Enter Giveaway button. The link will direct you to a page with the domain www.binance.co, asking you to log in to your Binance account. Once you fall for the trap, there's no going back; your username, password, along with your crypto assets would be under the control of complete strangers who would probably transfer them to an unknown wallet at the first opportunity they get.

Spear Phishing

Phishing attacks do not always target random internet users; there's a whole different branch of phishing attacks aimed at enterprises called spear phishing. A spear-phishing attack would start with an in-depth search about enterprise employees; think about different departments, including the human resources, marketing, and research and development departments.

All of those departments need to somehow communicate with each other, and instating those communications is mostly made possible through emails. Now, remember what we said about the most popular tool used for phishing attempts? Yep, you're right! Emails. Emails in this case provide a way for stealing employee login information.

The fake email would be a replica of the official inter-departmental emails used in that firm, so no one would question its authenticity. Let's say the email is addressed to the marketing department sent from a fake email address pretty similar to the human resources department's official email address, but as it is not the original address, it would have one or two different letters, or characters.

The link in the email would direct the marketing department employee to a duplicate of the firm's official website, and then ask the user to enter login information to view the file uploaded by the HR department. As soon as the user enters login information, attackers gain critical access to the firm's databases and could use that to hurt the firm's reputation or its customers. 

Spear phishing, or something very similar to it, once attacked the giant hardware wallet firm; Ledger.

Case Story: The Ledger Database Leak

The hardware wallet giant, Ledger was the target of a cyber-attack back in 2020. Although details of how the attack was conducted are unknown, the company initially claimed malicious software installed on one of its servers to be responsible for the data breach. The stolen customer information, which was then put up for sale, included confidential information such as email addresses, phone numbers, and customer names.

The attack was apparently made possible through a vulnerability in Ledger's official website and is said to target the marketing department, which naturally contains much-needed customer information for conducting marketing campaigns. After the incident, many Ledger customers reported receiving emails from unknown senders containing suspicious links. Regarded as one of the most reputed hardware wallet manufacturers, Ledger naturally received a big blow from the attack with customer loyalty seriously shattered.

 But, is there no way to keep safe from these attacks? Apparently, there are many, and some of them are actually not as complicated as you might have thought.

How to Keep Safe from Phishing Attacks

Use Common Sense 

Using common-sense makes wonders in many cases; detecting phishing scams seems to be just one of those. In the above example, a supposed 10,000 ETH is to be given away as part of a promotion campaign, although it's too beautiful a thought to believe otherwise, given Ethereum's current price, it is too unlikely that anybody would give 10.000 × $2564 in exchange for likes, subscription, or social engagement.

Ignore Emails, and Messages from Unknown Senders

Always be cautious about emails sent from unknown addresses. Also, double-check email addresses if an email asking to confirm email, verify information, or that sort of action which requires entering login information lands in your inbox.

Be Selective with The Links You Click on

Not all links sent to you will lead to a reliable page, and not all pages are worth trusting with your login information. Avoid clicking on suspicious-looking links, and if you made the mistake of clicking on them, do not enter your login information even if the page looks like a duplicate of the official website.

Carefully Study The Manufacturer's Privacy Policy 

No matter how much you would be picky with opening emails, and entering giveaways, once your personal information is stolen due to weaknesses, and bugs in the Manufacturer's website, the harm cannot be undone. 

Last Words

However scary phishing attacks might sound like, they are not to be feared if one only does not forget to be cautious. Double-check every link you click on and check website domains before entering login information. Fight the temptation of taking part in suspicious give-aways however big the price might be, and most importantly, transfer your crypto to a safe offline wallet ASAP.