How Phishing Awareness Tests Are Putting Consumers At Risk 💣
Ironically, I believe the recent Binance security breach, where $40MM was stolen, may have started with Binance’s anti-phishing awareness test.
In this article I’m going to unbundle the Binance test, and explain how it provides crypto traders and investors (and their own employees) with a false sense of security and can lead to harm.
I found issues with the Google Phishing test that circulated the Web a few months ago too, but I didn’t have time to write a post to debunk some of their questions and, more importantly, their answers/advice.
More recently Binance published a Phishing test to help educate crypto investors and traders about phishing. For the purpose of this article I’m going to assume you know what a Phishing scam is. If you have a minute to spare, please take the test and then come back to this post to see how you compared with my test results.
I love that Binance is doing this. ❤️
I love how they are taking some responsibility for the safety and wellbeing of their customers. While crypto exchanges aren’t accountable for customers who fall for phishing scams, they do have a moral obligation to do what they can to help keep them safe. And, it’s good for business. Binance is one of the very best at education — but there is room for improvement.
The fewer people who lose their crypto assets in a phishing scam, the more they have to trade on Binance and other exchanges. And it also means victims won’t give up on crypto generally, and then bad-mouth it to their friends and colleagues, encouraging them to stay away. So… good security practices benefit everyone in the ecosystem.
I recorded a video of me taking the test along with running commentary throughout.
NB. I talk a lot about not relying on the URL — what I mean is, do not only rely on looking at the URL. Looking at the URL is important, but must be done in conjunction with other safeguards.
Below are some URLs for MyEtherWallet. Of the 1,500+ responses I have received over the past few months, only four people have ever got this test right. And I have even printed this test on paper and handed it to people.
Do you know which of the following is the real MEW website? Tweet your answer to MetaCert and I’ll give you a license code for our security integration for browsers — doesn’t matter if you get it wrong. Or you can email me at paul@metacert.com.
1 myetherwallêt.com
2 myethẹrwallet.com
3 myethęrwallet.com
4 myethėrwallėt.com
5 myethērwallet.com
6 myethërwallët.com
7 myethërwallet.com
8 myethérwallét.com
9 myethérwallet.com
10 myetherwɑllet.com
11 myetherwället.com
12 myetherwállet.com
13 myetherwałlet.com
14 myetherwałlet.com
15 myetherwallęt.com
16 myetherwalleţ.com
17 myetherwalleţ.com
18 myetherwalłet.com
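
A known-good check for lookalike hostnames such as those listed above, as an added example that is not from the original article or from MetaCert: it folds accented letters to their ASCII base, compares the result with an allow-list, and shows the `xn--` form DNS actually sees. The allow-list entry, the `CONFUSABLES` map and all function names are assumptions made for illustration.

```python
import unicodedata

# Assumption for this example: a one-entry allow-list of known-good hostnames.
KNOWN_GOOD = {"myetherwallet.com"}

# Letters NFKD cannot split into base letter + accent (hand-picked, not exhaustive).
CONFUSABLES = {"\u0142": "l", "\u0251": "a"}  # l with stroke, Latin alpha


def skeleton(host):
    """Fold a hostname to the ASCII string a reader is likely to perceive."""
    out = []
    for ch in unicodedata.normalize("NFKD", host.lower()):
        if unicodedata.combining(ch):
            continue  # drop accents, dots, ogoneks and cedillas
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def to_punycode(host):
    """Return the ASCII (xn--) form of the name, as it appears in DNS."""
    labels = unicodedata.normalize("NFC", host.lower()).split(".")
    return ".".join(
        lab if lab.isascii() else "xn--" + lab.encode("punycode").decode("ascii")
        for lab in labels
    )


def classify(host):
    """known-good: exact allow-list match; lookalike: only the skeleton matches."""
    host = unicodedata.normalize("NFC", host.lower().rstrip("."))
    if host in KNOWN_GOOD:
        return "known-good"
    if skeleton(host) in KNOWN_GOOD:
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample input; the non-ASCII names are taken from the list above.
    samples = ["myetherwallet.com", "myetherwället.com", "myetherwałlet.com",
               "myetherwɑllet.com", "myethęrwallet.com", "example.org"]
    for name in samples:
        print(f"{classify(name):<11} {name:<20} {to_punycode(name)}")
```

The two-entry `CONFUSABLES` map only covers characters from this list; a production check would use the full confusables data from Unicode UTS #39.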
The world doesn’t need another cybersecurity company that tells you what’s dangerous. Clearly this methodology isn’t working:
- We read about a new breach every day of the week.
- 90% of breaches start with one person opening the wrong link (phishing).
- 93% of all new phishing URLs display a padlock.
- 71% of all new illegal websites display a padlock.
- 43% of all new malware websites display a padlock.
What people need is to know which links are safe, and which websites they can trust. And that’s where MetaCert comes in. While it owns one of the world’s most advanced “threat intelligence systems” that can help block what’s dangerous, that’s not the utility. With MetaCert installed, you will always know when you’re safe — with simple-to-install security integrations for desktop browsers and mobile email apps. We are focused on the “known-good” rather than the known threats because it’s technically impossible for any security company to detect every new threat. Do you know how I know? Read the stats above or set up a Google notification for anything related to cybersecurity.