Crypto Phishing Scams: A Guide and Security Solutions
July 6, 2022
Advanced Phishing Protection: Get a phishing page blocked for your protection
Interlock has released ThreatSlayer, a browser extension that blocks phishing scams. You can download the extension by clicking this link.
Crypto phishing scams
Have you ever received an email from someone pretending to represent a company? Or perhaps a phone call too? This is what we call phishing, and it is one of the most successful ways scammers and fraudsters earn their money. This is especially true in the budding cryptocurrency, blockchain, and Web3 world.
In this article, we will discuss some of the most common indicators of a phishing attempt. We will also provide you with some tips on how to protect yourself from these scams.
For example, scammers may send you a message that looks like it's from a genuine crypto project or your bank. The email will look identical to the real deal, but the link will actually lead to a fake website. Once you enter your login information on the fake website, the cyber criminal will have access to your account. The general end goal is to obtain some form of funds, whether traditional fiat or cryptocurrencies.
Furthermore, cryptocurrency is among the top 10 most mimicked industries, with a recent study showing that it accounts for 7.5% of impersonations. This share could very well get much higher as more data is collected over time and as cryptocurrency becomes increasingly popular.
From receiving malicious emails with phishing messages from questionable email addresses to ending up with stolen login credentials, ransomware, and any type of malware, phishing is something which should not be taken lightly.
Common signs of a phishing attempt
There are several things that you can look for to spot a phishing email or message:
The sender's address does not match a real company's address: This includes both the physical address and web address. For example, if you receive a message claiming to be a Discord offer, the domain name may not even spell Discord properly (example: “discocrd.gift” or “discocrd-app.info”). The scammer is waiting to pounce on someone who simply skims the link and clicks on it. They could also take you to another social media or messaging app to lure you in (another red flag).
The message contains grammar or spelling errors: Usually, this is one of the things you notice when they are not from official providers. Grammatical mistakes are usually not well tolerated by companies. If you have any doubts, just contact the company directly.
The message is urgent or threatening: This is one of the age-old ways that phishers tend to lure you: creating a sense of urgency. Phishers tend to create time-bound stress and anxiety to stimulate you to act quickly through an email, message, or call. Sometimes it's okay to be the tortoise and not the hare, and check the information they provide you with meticulously.
Questionable sender: Did you receive an email from “email@example.com”? Received a message from “jsklaflj243322” who just created an account a few hours or days ago on Discord? Or a call from an unknown or unrecognizable number? Or perhaps, for a slightly more proactive phisher, the name tries to mimic the name of a known company, bank, crypto project, and so forth (with perhaps just one letter difference)? Don’t trust them.
Promises of free gifts: Free things from an online stranger? Yeah... right. This is quite an obvious red flag. It is more common on messaging platforms such as Discord. Cryptocurrency scams, NFT scams, free Nitro scams, and much more are becoming highly popular forms of scams. Recently, Discord Nitro scams were pervading the messaging platform. These hackers relied on the hype built around Epic Games providing free Discord Nitro for one month.
There are more indicators you should be aware of, but these are generally the roots of all other indicators that should start sounding the alarm bells (if you don’t give them any valuable information, you shouldn’t really worry). If you take note of all these indicators, it should minimize the risk of phishing by a large margin.
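The misspelled-domain indicator above can also be checked mechanically. The Python below is an added example, not code from Interlock or ThreatSlayer; the BRANDS allowlist, the function names, and the distance threshold are assumptions chosen for illustration, and the sample domains other than the two quoted in this article are constructed.

```python
import re

# Assumption: illustrative allowlist mapping a brand to domains it really owns.
BRANDS = {"discord": {"discord.com", "discord.gg"}}

def edit_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            # Adjacent transposition, e.g. "dicsord" vs "discord".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def check_domain(domain, max_distance=2):
    """Return (brand, reason) if the domain imitates a brand, else None."""
    domain = domain.lower().rstrip(".")
    owned = {d for legit in BRANDS.values() for d in legit}
    if any(domain == d or domain.endswith("." + d) for d in owned):
        return None  # the genuine domain, or a subdomain of it
    # Compare every dot- or hyphen-separated piece against each brand name.
    for token in filter(None, re.split(r"[.\-]", domain)):
        for brand in BRANDS:
            if token == brand:
                return (brand, "brand name used on a domain the brand does not own")
            if edit_distance(token, brand) <= max_distance:
                return (brand, f"'{token}' is a near-miss spelling of '{brand}'")
    return None

if __name__ == "__main__":
    samples = [
        "discocrd.gift",        # from the article
        "discocrd-app.info",    # from the article
        "dicsord.example.net",  # constructed: swapped letters
        "discord.com",          # genuine
        "example.org",          # unrelated
    ]
    for name in samples:
        print(f"{name:22} -> {check_domain(name)}")
```

A threshold of 2 suits a seven-letter brand name; shorter names need a tighter threshold to avoid flagging unrelated words.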
Types of phishing attempts
Phishing attacks come in all shapes and sizes, but they all have one thing in common: they're designed to trick you into giving up your personal information. Although email is usually the king of phishing attempts, there has also been an increase in attempts on other types of platforms, showing that phishers are getting creative. These include workforce messaging platforms such as Slack and Microsoft Teams, video conferencing platforms, and cloud-based file-sharing platforms.
Here are some of the most common types of phishing attacks:
Deceptive phishing: This is the most common type of phishing attack. It involves sending an email or message that looks legitimate but is actually from a malicious source. These messages often contain fake offers or links to malware-infected websites.
Spear phishing: This type of phishing targets specific individuals or organizations. The attacker will usually impersonate someone from the target's organization, such as a boss or coworker, in order to trick them into handing over sensitive information.
Clone phishing: This type of attack involves copying an existing email or message and substituting the original recipient's address with the address of the person being targeted. This can be especially effective if the original message was from a trusted source.
Whaling attack: This is a form of spear phishing that targets high-profile individuals, such as CEOs or other executives. The attacker will usually pose as someone from a trusted organization, such as a government agency or financial institution, in order to steal any private information from a potentially high-yielding individual.
Longlining: This is when scammers send out mass emails in the hopes that someone will bite. The emails usually look legit, but if you take a closer look, you'll see that they're full of typos and other red flags.
Angler phishing: This is when scammers pose as customer service representatives from a trusted company in order to get your personal information. They might do this by calling or messaging you pretending to be from your bank or another organization.
Smishing: This is when scammers send text messages that look like they're from a legitimate source. The message might say that there's a problem with your account or that you need to click on a link to update your information.
Vishing: Vishing is a type of fraud that occurs when someone uses the phone to try to steal your personal information. The caller will often pose as a representative from a bank or other organization, and they may even spoof the caller ID to make it look like they are calling from a legitimate number. If you receive a suspicious call, do not provide any personal information. Hang up and call the organization at a known, legitimate number to verify that the call is real.
It’s important to note that social engineering is highly prevalent and is one of the scammers' main methods of attack. There are more types of phishing attempts that one could consider (such as phishing with a romantic twist, i.e. catphishing), but these are the main ones that have been disturbing businesses and individuals alike. However, one cannot rule out new phishing methods blossoming in this fast-morphing world we live in.
What to do if you click on a phishing link
So, you took the bait. You clicked on a phishing email, and now you're wondering what happens next. Here's a step-by-step guide to dealing with the fallout:
Conduct a Malware Scan: If you clicked on a malicious link, scan your computer to see if any malicious software was installed when you clicked on the link. Keep an eye out for malware downloads so that you can prevent any harm before it's too late.
Report to authorities: This is crucial. If you think you may have revealed sensitive personal information (like your Social Security number or credit card number), report it to the Federal Trade Commission (FTC) – or the commission that handles fraud and scams in your country – and to the police.
Change passwords: You should change passwords that you may have revealed when clicking on the phishing link. And make sure to use strong, unique passwords for each account going forward.
Contact the impersonated company: You should also contact the impersonated individual or company that the email claimed to be from and let them know what happened. This should help minimise the chances of anyone else being scammed, because they can let their followers know.
Be suspicious of any messages, emails, or links that you receive, even if they look legitimate. You might think that some random, kind stranger will come bearing a free gift. If it doesn't sound right, it most probably isn't. If you're not sure, contact the company or project directly to confirm. And if you think that you may have clicked on a phishing link, take action immediately to protect your accounts and personal information.