Phishing Attacks: How to Recognize and Avoid Crypto Scams
With the global cryptocurrency market cap touching an all-time high of $3 trillion in 2021 at the height of the bull market, interest in digital assets has risen not only among retail and institutional investors but also among scammers. Crypto frauds in 2022 crossed $4 billion by November 2022, a 37% increase since 2021, as per data on PrivacyAffairs.
The crypto world has provided a lucrative opportunity to scammers, with phishing scams becoming quite common across different cryptocurrency exchanges. In this article, we discuss what phishing scams are, as well as the steps that you can take to prevent becoming a victim of such phishing attacks.
What Is a Phishing Attack?
A crypto phishing attack is a form of social engineering that aims to obtain sensitive information about your accounts, such as private keys, usernames, passwords, and other details about your wallet. In the crypto industry, these attacks often occur via email, social media, and text messages. Hackers deceive investors in order to access their private keys, steal their crypto assets, or obtain other sensitive data.
CertiK's Web3 Security Report 2022 revealed that scammers had stolen millions in NFTs, targeted crypto investors with malware, and introduced a new phishing method called ice phishing. This new method tricks inexperienced web3 users into granting hackers access to their wallet holdings. In Q2 2023 alone, hackers drained $313 million from web3 platforms and users, including a $25 million loss due to the malicious validator scheme.
Different Types of Phishing Attacks
Users often fall victim to phishing attacks through a variety of methods employed by scammers, such as:
Email spoofing involves scammers creating a lookalike email resembling genuine crypto exchange emails and convincing users to click links.
For instance, a user might receive an email that appears to be from KuCoin. The email might contain a message about a security breach, urging the user to click a link to reset their password. However, the link leads to a fake website designed to steal the user's login credentials.
The following is an example of a spoofed email that tries to trick P2P users into releasing their funds:
A scammer might create a website that looks exactly like KuCoin or other popular trading platforms. The URL might be a slight misspelling of the actual site's URL, and an unsuspecting user might enter their private keys into the fake site, giving the scammer access to their wallet.
Fake Links in Messages
A user might receive a text message that appears to be from KuCoin, containing a link to a site where they're asked to confirm their account details. The site is fake, and the scammer will steal any information you enter.
Requests for Private Keys
A scammer might send a message claiming to be from a crypto wallet provider, asking the user to provide their private keys as part of a necessary security upgrade. In reality, legitimate services never ask for a user's private keys.
Social Media Scams
A scammer might create a fake Twitter account that looks like KuCoin’s account and post links to a fake website where you are asked to enter your account details. They can then steal these credentials and try to hack into your KuCoin account to steal your funds.
Fake Customer Support Scams
This scam involves chatting with a fake support team that asks you to share details of your wallet’s or account’s private keys. For instance, you may be contacted by someone claiming to be from the KuCoin support team, asking for your private keys to resolve a technical issue. This is a scam, as the real KuCoin customer support team would never ask for this information.
The following is an example of a user receiving a link to a fake KuCoin customer service account on Telegram:
WiFi Phishing Attacks
WiFi phishing attacks are designed to obtain information about your cryptocurrency wallet. In this scenario, you may connect to a public WiFi network that's actually controlled by a scammer. The scammer can intercept any information sent over the network, including login credentials for your crypto wallet or KuCoin account.
SIM-swap scams give scammers access to your phone’s SIM and all of its data in order to compromise your account’s 2FA. A scammer might trick a mobile phone provider into transferring a user's phone number to a new SIM card controlled by the scammer. Following a successful SIM swap, the scammer can bypass two-factor authentication on your crypto accounts.
Fake Investment Opportunities
Scammers advertise platforms where you can buy crypto cheaper than market rates, or they offer incredibly high returns or profits. For example, a user might see an advertisement for a new cryptocurrency that promises high returns. The ad convinces you to buy the cryptocurrency or invest in the scheme, but it turns out to be a scam, and you lose the amount you were tricked into investing.
Real-life Examples of Crypto Scams
The following are some real-life examples of scams the risk control team at KuCoin has received information on and helped resolve in recent months:
1. A student was contacted by "Lucy" from a fake recruitment agency via WhatsApp for a job opportunity. Lucy guided the student to register on a website and create a KuCoin crypto wallet. The student was instructed to deposit money daily for five days with a promise of £800 profit. However, the account balance remained negative, requiring more deposits.
2. Another individual was contacted by a different agency for a task. The person was asked to pay for tasks with the promise of higher rewards. However, when the user wanted to withdraw their earnings, they were told to pay £10k to release it, resulting in a total loss of £13,512.
3. A customer was offered a job on WhatsApp that involved placing orders for items with a promise of high commission. After making multiple payments and consulting with their son, the customer realized it was a scam.
4. A customer was scammed by a trusted financial adviser over nine months. The adviser asked the customer to download Anydesk and invest £10k to access $125k in their wallet. After transferring the money, the adviser disappeared.
5. A customer was told to deposit money into a KuCoin crypto account to optimize their account. They were promised a full refund after completing daily tasks. However, the money was transferred to an unknown crypto address.
6. A person was lured by a YouTube video promising high returns from a fraudulent investment website. They were guided to set up a KuCoin wallet and buy Bitcoin. However, they were tricked into a fabricated margin call situation, resulting in a loss of £14000.
How Does KuCoin Protect Its Users from Phishing Attacks?
Luckily, when you trade through the KuCoin cryptocurrency exchange, there are multiple ways to prevent phishing.
Official Media Verification
Whenever you are contacted by a social media account or an email that provides a link you are supposed to use to log in, you can click here to verify whether it actually belongs to KuCoin or is simply a scam link.
Bookmark the KuCoin Official Site
Every time you log into your account, we recommend double-checking that you are visiting the correct KuCoin website - https://www.kucoin.com. You should bookmark it right away. Check the URL address. It should start with "https://."
You can also check the Site Certificate to see whether a website is safe to visit. If you are using Google Chrome, you can click on the security status in the left part of the web address (a lock indicates that the website is secure) as below. If you are using a different browser, please look at how to view the Site Certificate in your browser’s settings.
In addition, KuCoin offers a security service of Anti-Phishing Code - a customizable safety phrase you can set and use to verify if the communication is authentic. In order to avoid phishing emails and phishing websites, it's highly advisable to set a security anti-phishing safety phrase (such as a motto, etc.) on your KuCoin account.
That way, when you log into the website or receive an email, this Anti-Phishing Code is displayed in the login window or in the email from KuCoin. If the safety phrase is missing or incorrect, you are on a phishing site or have received a phishing email, and you should not proceed any further.
You can configure such Anti-Phishing Codes from the Account Security section after logging into your KuCoin account. Set up Anti-Phishing codes for email, login, and withdrawal, to protect your KuCoin account and funds stored on it from phishing attacks.
These tools can only help with some cases. We recommend that you do your due diligence to protect yourself from attacks.
Other Tips to Avoid a Phishing Attack
With attackers becoming smarter and more advanced in how they carry out such attacks, it is important to know exactly how to avoid becoming a target. The tips below are ones you should follow whenever you access your cryptocurrency online.
Tip #1: Identify and Avoid Fake Ads in Search Engines
When typing ‘KuCoin’ into a search engine (e.g., Google) or following any link sent to you from an external source or website, make sure to double-check that the URL is legitimate. Exercise extreme caution when clicking on Google Ads, because phishing sites have been known to place fake advertisements.
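The URL checks this article recommends (the exact official host from "Bookmark the KuCoin Official Site", the "https://" prefix, and the slight misspellings used by fake websites) can be written as one function. This is an added example, not KuCoin's own tooling; the verdict names and the naive last-two-labels domain split are assumptions of this example.

```python
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "kucoin.com"  # from the article: https://www.kucoin.com

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(url: str, official: str = OFFICIAL_DOMAIN) -> str:
    """Return 'official', or the reason the link should not be trusted."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return "not-https"
    # .hostname is lowercased and excludes any port, path or userinfo,
    # so text placed elsewhere in the URL cannot pass for the host.
    host = (parts.hostname or "").rstrip(".")
    if host == official or host.endswith("." + official):
        return "official"
    labels = host.split(".")
    # Assumption: the registered domain is the last two labels (no public
    # suffix list is consulted here).
    registered = ".".join(labels[-2:])
    if edit_distance(registered, official) <= 2:
        return "misspelled-domain"
    brand = official.split(".")[0]
    if any(brand in label for label in labels):
        return "brand-in-other-domain"
    return "unrelated-domain"
```

Only the `official` verdict means the host matches; every other verdict is a reason to stop and open the bookmarked site instead.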
Tip #2: Create Strong Passwords
One of the most important ways in which you can keep your wallet safe from malicious hackers is to create and use strong passwords for all your crypto-related accounts and wallets. This will prevent hackers from using brute force attacks to try and guess your password so that they can steal your money. According to the Microsoft Digital Defence Report 2022, the volume of password attacks is up by 74% in one year, to 921 attacks per second.
Whenever you create an account on a cryptocurrency exchange (or a wallet of any kind) in order to trade, make sure that your password and code are not something that can be easily guessed.
Bitwarden’s 2022 password management survey reveals that 32% of global respondents reused their passwords across 5-10 websites. Such a practice makes it easier for scammers to gain access to your details, and subsequently your wallet.
A strong and secure password or code usually has over 10 characters, with a combination of letters, numbers, and special symbols. Most password generators on the Internet can easily provide you with such passwords that will keep your data secure and ensure a high level of security on your wallet address.
Tip #3: Use a Password Manager
When you decide to use a variety of complex private keys and passwords to keep your cryptocurrency accounts secure, it might not be easy to remember them all. This is where software such as password managers come into play.
By using a password manager, you can ensure that you never have to remember the credentials for your wallet, while still maintaining a high level of security. This will prevent malicious scammers from being able to steal your cryptocurrencies.
Bonus tip: Install good antivirus software on your device to ensure that you can easily detect any email which contains malware or leads to sites that could put your PC at risk by introducing malware.
Tip #4: Use Autofill to Prevent Phishing
An additional advantage is that most password managers have Autofill options that enter your credentials whenever you sign in, and this can help you spot fake websites whose pages have been designed to look like your crypto exchange.
Because your manager will not Autofill your credentials on such sites, a missing Autofill prompt helps you spot such schemes and stay safe.
Tip #5: Enable Two-Factor Authentication
Another important measure is to enable two-factor authentication on your account, adding another layer of security to protect your data and your digital assets.
This ensures that no one can access your account or withdraw funds from your crypto wallet without entering a code sent to your phone or another device of your choosing.
With it enabled, phishing hackers would also need access to your phone, even if they somehow gain access to your key and other data.
Tip #6: Question Everything
Lastly, an important way to ensure that you do not fall victim to such scams is to simply question everything. Here's what you can pay attention to:
As an example, if you get an email telling you that your account has been locked, make sure that it is from the official email address of your crypto exchange.
Similarly, before clicking on any links to a page that you might receive via the site or through social media, make sure that they are legitimate.
Don't Provide Your Code and Login Details
The same also applies to providing your login details on any website. Usually, people who fall victim to phishing do not check to see if the website to which they provide their data is legitimate or not, which leads to them losing money.
Additionally, make sure to use a secure and trustworthy email service provider, and if you use a self-built email server, be sure to enable DKIM, DMARC and SPF.
Do not send any cryptocurrencies to users you do not recognize. No exchange will ever contact you to say that your account has been blocked and can be fixed in exchange for money. If you get an email like this, it is probably sent by malicious attackers who wish to steal your funds by accessing your wallets.
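To make the email checks above concrete (confirming the official sender address, and enabling SPF, DKIM and DMARC on a self-built server), the following added example reads the verdicts that a receiving server records in the `Authentication-Results` header. It is not KuCoin's code; both messages are constructed, and `mx.mymail.example` and the `no-reply` address are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples. mx.mymail.example stands for your own receiving server.
GENUINE = """\
Authentication-Results: mx.mymail.example;
 spf=pass smtp.mailfrom=kucoin.com;
 dkim=pass header.d=kucoin.com;
 dmarc=pass header.from=kucoin.com
From: KuCoin <no-reply@kucoin.com>
Subject: Login notice

(body)
"""
SPOOFED = """\
Authentication-Results: mx.mymail.example;
 spf=pass smtp.mailfrom=bulk.example;
 dkim=none;
 dmarc=fail header.from=kucoin.com
Authentication-Results: mail.sender.example; spf=pass; dkim=pass; dmarc=pass
From: KuCoin <no-reply@kucoin.com>
Subject: Your account has been locked

(body)
"""

def check_sender(raw, expected_domain, trusted_authserv):
    """Return (trusted, verdicts) for one raw message."""
    msg = message_from_string(raw)
    address = parseaddr(msg.get("From", ""))[1]
    from_domain = address.rpartition("@")[2].lower()
    verdicts = {"spf": "missing", "dkim": "missing", "dmarc": "missing"}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        # Skip headers not stamped by our own server: the sender can add any header.
        if authserv.strip().lower() != trusted_authserv:
            continue
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest.lower()):
            verdicts[method] = verdict
    # DMARC passes only when SPF or DKIM passed for a domain aligned with From,
    # so it is the verdict to gate on; SPF and DKIM are reported for context.
    trusted = from_domain == expected_domain and verdicts["dmarc"] == "pass"
    return trusted, verdicts
```

The second sample carries the correct From address yet fails, which is why the visible sender alone is not enough when the receiving server does not enforce DMARC.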
Can Phishing Be Completely Stopped?
Phishing attacks cannot be eradicated, but users can prevent them. Despite extensive research, making a site or crypto wallet entirely immune to phishing is challenging due to the ever-evolving nature of attack methods.
For instance, as email providers enhance spam blockers, attackers refine their emails to bypass these filters. While crypto exchanges can strengthen their security to protect user data, phishing primarily targets users, who are more likely to fall for scams.
You should educate yourself to avoid falling for any such traps. If something seems too good to be true, treat it as a warning sign and pay extra attention. Ultimately, you must ensure your crypto wallets' security and protect yourself from crypto phishing scams.