Phishing: How to Avoid Getting Phooled

Adrien Scorniciel
Published in Hey Network
Jan 10, 2019

— Co-written and edited by Emily Bogen.

From fake tech support to a purported Nigerian prince, we have all happened upon a suspicious exchange. Unfortunate as it may be, scamming is an age-old phenomenon, and the invention of the Internet has done nothing but accelerate the issue. Rather than improving matters, the Internet has created more opportunities for fraud, often enabled by the anonymity of online interaction, while the odds of a scammer ever facing consequences have fallen.

Among these illegal activities, one is particularly common: phishing. For those who have been lucky enough to avoid it so far, phishing is the practice of sending emails that claim to come from reputable sources in order to induce individuals to reveal personal information such as passwords, credit card details, and social security numbers. Phishing is so frequent mainly because it is so easy to carry out. The process requires minimal time or know-how: perpetrators need only copy and paste an email template, then redirect users to an imitation website where victims enter their login details (i.e. the personal information phishers are after). This two-step process is available even to non-developers, since ready-made malicious code circulates on the World Wide Web; another copy and paste takes care of the technical side without a hitch.

Crypto-Specific Attacks and Phinding Solutions

While legal authorities have done their best to find solutions to the phishing problem, holding perpetrators accountable is difficult: online anonymity makes them hard to find. Phishing runs particularly rampant in crypto communities, as wrongdoers know that lost funds (i.e. those sent to the wrong wallet address) are almost impossible to recover. Consider CryptoShuffler, a malware strain that replaces Bitcoin wallet strings with attackers’ addresses. Users copied and pasted public addresses in order to send funds, while the CryptoShuffler trojan silently substituted its own address for the intended recipient’s. Many users may have thought they were buying a beer with Bitcoin, but were instead sending €4.50 to a cryptocriminal, and would be beerless for the foreseeable future.

Even companies whose business is built on combating illegal activity have struggled. MetaMask, a wallet extension capable of running dApps, warned users both when they landed on a scam page and when exchanges had been hacked. Unfortunately, the extension itself was recently targeted: a simple pop-up window mimicking its interface tricked many MetaMask users with ease.

For the time being, there exists no perfect solution. For corporations, there are ways to mitigate risk, including simulated phishing campaigns that train employees to recognize the real thing. On an individual level, the best way to handle fraud is to be proactive: educate yourself about what’s out there and hesitate before providing any personal information online.

Tangible Next Steps

In order to make things more concrete, below is a list of steps that should help you steer clear of phishers:

1) Be sure to always verify email links before following them. This can be done by hovering over the link with your mouse, then reading the address that appears in the status bar at the lower left corner of your browser. Be particularly cautious with shortened URLs. If the previewed address does not match the official one, steer clear. Keep in mind that generic greetings, especially ones that don’t use your name, are red flags for fraud.

2) Ensure that the website you’re logging in to is the official one. Be prudent in reading the URL and confirming that the connection is secure, which is indicated by a closed padlock icon beside the URL. Bookmarking sensitive websites and only ever opening them from the bookmark is also an effective way to reduce risk. Additionally, you can take advantage of tools like Cryptonite, which help you easily recognize illegitimate sites.

3) Don’t react too hastily: urgency is exactly the reaction scammers are hoping for. In reality, a government official or corporate employee would not ask you to respond in the blink of an eye. Take the time to ask yourself whether the message makes sense. If it doesn’t, ignore it and contact support via the official website or phone number.

4) Learn to detect new types of scams. One method, referred to as “spear phishing,” consists of sending fewer but highly customized emails, often from the already-compromised account of a high-level employee. These instances are more difficult to pinpoint, as the scammers usually have a grasp of the organization’s hierarchy and its established internal processes, and will try to obtain an authentic invoice to use as a template for the payment they request. More recent types of phishing include macro commands embedded in Word documents (so-called “maldocs”). These macros typically execute a payload (the part of a piece of malware responsible for the malicious activity) when the document is opened.
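Steps 1 and 2 above are essentially a checklist that can be run mechanically over the links in a message: does the visible text point where the link actually goes, is it a shortener, is it HTTPS, and does the hostname merely contain an official name rather than being the official site. The script below is an added example, not code from the article or from Hey; the allowlist of official hosts, the shortener list and the sample e-mail are constructed for the demonstration, and the "registrable domain" helper is a deliberate simplification (a real tool would use the Public Suffix List).

```python
"""Link triage for the hover-and-compare checks in steps 1 and 2.
Added example; hosts, shortener list and the sample message are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: sites the reader has bookmarked as official (assumption).
OFFICIAL_HOSTS = {"metamask.io", "www.metamask.io"}
# Well-known URL shorteners: the article advises extra caution with these.
SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com"}
# Visible link text that itself looks like a URL or bare hostname.
HOST_IN_TEXT = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/:]|$)")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registered domain: the last two labels (simplification)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_link(href, text):
    """Return the red flags for one link; an empty list means nothing odd."""
    flags = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        flags.append("not https")
    if host in SHORTENERS:
        flags.append("shortened url")
    # The text shows one site while the href leads to another (step 1).
    shown = HOST_IN_TEXT.match(text)
    if shown and registrable(shown.group(1)) != registrable(host):
        flags.append(f"text shows {shown.group(1)} but link goes to {host}")
    # An official name buried inside a hostname that is not the official site (step 2).
    if host not in OFFICIAL_HOSTS and any(registrable(o) in host for o in OFFICIAL_HOSTS):
        flags.append(f"lookalike host {host}")
    return flags


def triage_email(html):
    """Map each suspicious href in the message to its list of red flags."""
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    findings = {}
    for href, text in parser.links:
        flags = check_link(href, text)
        if flags:
            findings[href] = flags
    return findings


# Constructed phishing-style message used for the demonstration.
SAMPLE = """
<p>Dear user,</p>
<p>Your wallet will be suspended. Verify now at
<a href="http://metamask.io.login-verify.example/restore">https://metamask.io/</a>
or via <a href="https://bit.ly/3xyz">this link</a>.</p>
<p>Official docs: <a href="https://metamask.io/faqs">metamask.io</a></p>
"""

if __name__ == "__main__":
    for href, flags in triage_email(SAMPLE).items():
        print(href, "->", "; ".join(flags))
```

Only the two deceptive links are reported; the genuine `metamask.io` link passes all four checks. The lookalike test is the one readers most often miss when hovering: `metamask.io.login-verify.example` starts with the official name, but the part that matters is the end of the hostname.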

For those active in the crypto sphere, here is a good resource for phishing updates related to the Ethereum network. The PhishTank project, operated by OpenDNS, is doing its best to tackle the issue on a larger scale. The site lists phishing links that Internet users encounter online and provides a free API for developers to integrate anti-phishing data into their applications.

At this point, not all phishing sites are listed, and this will likely never be the case. We stand by the advice listed above: proactivity, and hesitation before providing personal information that could compromise your financial (or general) security.

Hey: Striving for a Solution

As previously stated, there is no infallible approach to avoiding scams. Fortunately, the solution Hey is developing, which will be fully integrated within our add-on, aims at making detection of fraudulent sites far easier. Concretely, the tool will notify users any time they end up on a website that has been flagged as suspicious, and any user can report a fraudulent page at any time. If a report is deemed credible, either because of a high number of reports or because a smaller number of reports come from users with strong reputations, a warning will be displayed to visitors who have installed our add-on.

Users can notify Hey when a specific website is down or has moved to a new address, as well as report the phishing page they’re currently on and provide a link to the authentic website. Once this has been done, users landing on the phishing URL will be warned and offered a “get back to safety” button, which redirects them to the legitimate site.
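The two paragraphs above describe a report store with two ways for a page to become flagged (many reports, or a few from well-reputed users) plus a user-supplied "safe" link to offer on the warning. The code below is an added sketch of that logic, not Hey’s implementation; the thresholds, the 0.0 to 1.0 reputation scale, the rule that one reporter can never flag a page alone, and the sample URLs are all assumptions made for the example.

```python
"""Reputation-weighted phishing reports with a 'get back to safety' link.
Added example; thresholds, reputation scale and sample URLs are assumptions."""
from collections import defaultdict
from urllib.parse import urlparse

REPORT_COUNT_THRESHOLD = 5   # assumption: "a high number of reports"
WEIGHTED_THRESHOLD = 2.0     # assumption: total reputation that suffices on its own
MIN_REPORTERS = 2            # assumption: a single reporter never flags a page alone


def page_key(url):
    """Normalise a URL to lower-case host plus path so trivial variants match."""
    parsed = urlparse(url)
    return (parsed.hostname or "").lower() + parsed.path.rstrip("/")


class PhishReports:
    """In-memory report store: who reported which page, and with what reputation."""

    def __init__(self):
        self._reports = defaultdict(dict)   # page key -> {reporter: reputation}
        self._safe_links = {}               # page key -> URL users say is the real site

    def report(self, url, reporter, reputation, safe_link=None):
        """Record a report; repeat reports from the same user count only once."""
        key = page_key(url)
        self._reports[key][reporter] = max(0.0, min(1.0, reputation))
        # Only accept an HTTPS destination as the place to send people back to.
        if safe_link and safe_link.startswith("https://"):
            self._safe_links[key] = safe_link

    def is_flagged(self, url):
        """Flag on sheer volume, or on fewer reports whose reputations add up."""
        reps = self._reports.get(page_key(url), {})
        if len(reps) < MIN_REPORTERS:
            return False
        return len(reps) >= REPORT_COUNT_THRESHOLD or sum(reps.values()) >= WEIGHTED_THRESHOLD

    def warning_for(self, url):
        """What the add-on would show on landing: None, or the warning with its safe link."""
        if not self.is_flagged(url):
            return None
        return {
            "warning": "This page has been reported as phishing.",
            "get_back_to_safety": self._safe_links.get(page_key(url)),
        }


if __name__ == "__main__":
    store = PhishReports()
    store.report("https://metamask-verify.example/", "alice", 0.9,
                 safe_link="https://metamask.io/")
    store.report("https://metamask-verify.example/", "bob", 1.0)
    print(store.warning_for("https://metamask-verify.example/"))
```

Keying reports by reporter rather than appending them is what stops one account from flagging a page by reporting it repeatedly, and the two-reporter floor means a single high-reputation user cannot do it alone either; both are the kinds of abuse a crowd-sourced blocklist has to expect.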

With these functionalities in place, the team at Hey is doing its best to make the Internet a safer, friendlier place.
