4 Common Crypto Phishing Attacks & How to Avoid Them
Read the latest articles in the new NGRAVE Blog.
Phishing scams predate the cryptocurrency industry, with the first documented attack believed to have been carried out in the mid 90s. Though the overarching goal of phishing is simply to defraud unsuspecting victims of money, the fact that such ploys are executed by tech-literate hackers means they’re increasingly used to steal digital assets. Not least because cryptocurrencies confer greater privacy protections than fiat, meaning hackers can vanish into the night with their ill-gotten gains.
Here are four of the most common phishing attacks, plus useful tips for protecting yourself from cybercriminals.
1. Spear phishing
A recent report by data protection firm Barracuda Networks highlighted the growing prevalence of spear phishing attacks, whereupon attackers target specific individuals with customized messaging — typically a phoney email purporting to be from a trusted sender.
Oftentimes the aim of the attacker will be to compel recipients to reveal sensitive information, or induce them to visit a malware-ridden website. According to Barracuda’s report, the average organization is targeted by over 700 such social engineering attacks every single year.
As far as crypto is concerned, phishing emails and text messages purporting to be from hardware wallet providers such as Trezor — or even cryptocurrency exchange platforms — attempt to induce the recipient to ‘update’ their seed phrase or change their password, after which the thief can steal log-in credentials and drain the wallet in question. Another tactic is to entice users with plausible promotions, as was the case with the attack on Celsius users earlier this year.
So, how can you immunize yourself from spear phishing? At a company level, there are myriad solutions: staff training to increase employee awareness and reporting; machine learning utilization to analyze communication patterns; AI tools to ensure account-takeover protections. Individuals, meanwhile, should take steps to verify the legitimacy of senders, carefully vet links and sender email addresses, avoid open Wi-Fi networks, and have 2-Factor Authentication in place. Above all, be extremely wary about any email from which you are asked to enter a log-in and password.
2. DNS hijacking
Some phishing schemes are more sophisticated than others. Take DNS spoofing attacks, for example. With this decades-old scam, cybercriminals hijack legitimate websites and replace them with a malicious interface, before phishing users into entering their private keys on the fraudulent domain. Earlier this year, two major defi projects built on Binance Smart Chain — namely PancakeSwap and Cream Finance — fell victim to such an attack, although it was unclear how many users had been duped.
One of the most effective ways of protecting yourself from a DNS attack is to use a VPN, since it bypasses your router’s settings by sending traffic via an encrypted tunnel. You should also be diligent about checking the URL in your browser to ensure the website certificate is trusted, and heed any warnings that indicate your connection to a site is insecure. Of course, storing your crypto offline in a tamper-proof hardware wallet like NGRAVE, rather than interacting with funds online, is also good practice.
3. Phishing bots
Five years ago, we were told that an army of ‘bots’ influenced both the Brexit referendum and the U.S. Presidential election. Whether these claims had merit is beyond the scope of this article, as we’re interested in a different kind of villain: the sort created to steal our precious seed phrases.
![The phishing request comes from an account that looks ‘normal’ (but few followers), helpfully suggests filling out a support form on a major site like Google sheets (hard to block), [and] asks for your secret recovery phrase. Metamask.](https://miro.medium.com/v2/resize:fit:1400/format:webp/1*A2wC_IT7J-mHemsSebpy3Q.png)
Back in May, Ethereum-based crypto wallet MetaMask drew users’ attention to a phishing attack perpetrated by phrase-stealing bots on Twitter. “The phishing request comes from an account that looks ‘normal’ (but few followers), helpfully suggests filling out a support form on a major site like Google sheets (hard to block), [and] asks for your secret recovery phrase,” explained MetaMask, before dispensing some sage advice on how to protect oneself: “ONLY seek support from WITHIN the app you want help on.”
While it might seem like a good idea to verify that correspondence has come from an official account, this strategy isn’t full-proof: social media accounts can be hacked like any other, as evidenced by the great Twitter hack of 2020 that earned cybercriminals $121,000 worth of bitcoin.
4. Fake browser extensions
In the cryptosphere, we’re accustomed to using all sorts of browser extensions with the aforementioned MetaMask proving especially popular. Unfortunately, cybercriminals are turning this predilection to their advantage by creating fake extensions and stealing funds from users. Last year, a malicious Chrome extension called Ledger Live was downloaded over 120 times before being booted out of the Chrome Web Store. Troublingly, attackers were able to leverage Google Ads to promote the product and attain an air of legitimacy.
The take-home? Don’t rely on web stores to properly vet the extensions they make available. If downloading a crypto extension, check its profile page to ensure it has plenty of reviews and comes from a trusted developer. Scrutinize the permissions the extension asks for (Chrome Settings>Extensions>Details) to check that they accord with its features. Oh, and you might want to download an extension directly from a link on the company’s website.
5. Conclusion
There are other general rules you should consider following to protect yourself from phishing scams. For example, it’s smart to bookmark verified sites where you typically input sensitive information. Ditto saving contact email addresses from crypto companies with whom you interact. Countless people have also fallen victim to phishing emails or malicious websites that feature a subtle misspelling of a legitimate address. It may seem like a chore, but double-checking URLs is a good habit to get into.
Knowing how phishing scams work is the first and most important step to protecting your crypto wealth. Follow the tips outlined above and the only thing you’ll have to worry about… is the market.
Read the latest articles in the new NGRAVE Blog.
Protect your funds with The Coldest Wallet
Hot wallets are convenient tools for real-time transactions but are highly vulnerable to phishing attacks and far from being a secure storage option. Ideally, users should use them for trading small funds, while most of their coins are safely stored in cold wallets. To that end, NGRAVE ZERO is of great help: an easy to use hardware wallet featuring the highest security in the world: EAL7. Get your own ZERO here.
How secure are your crypto? Take the test!
The NGRAVE team created a test where you finally face yourself: how secure do you think you are versus how secure you really are. Not only versus yourself, but also in comparison with your peers and much more.
You can take the test here, all information is treated confidential and with respect to data privacy regulation.
Interested in reading more? Here are the top 10 biggest heists that shocked the entire crypto industry:
ABOUT NGRAVE
NGRAVE is a digital asset security company and creator of the world’s most secure cryptocurrency wallet, NGRAVE ZERO. ZERO boasts — as the only financial product in the world — the highest security certification: EAL7. It was developed in collaboration with a world-renowned team of cryptography and security experts. Please visit www.ngrave.io to learn more.
