4 Common Crypto Phishing Attacks & How to Avoid Them

26 Sept 2021

1-4-common-crypto-phishing-attacks-and-how-to-avoid-them-ngrave-hardware-wallet-cold-security
logo-ngrave-perfect-key-hardware-wallet-cold-security2
NGRAVE The first end-to-end security solution to manage your crypto.

4 Common Crypto Phishing Attacks & How to Avoid Them

Empower yourself, don't be next in line.

  • Article Quick Links:
  • 1. Spear phishing
  • 2. DNS hijacking
  • 3. Phishing bots
  • 4. Fake browser extensions
  • Conclusion

Phishing scams predate the cryptocurrency industry, with the first documented attack believed to have been carried out in the mid 90s.

Though the overarching goal of phishing is simply to defraud unsuspecting victims of money, the fact that such ploys are executed by tech-literate hackers means they’re increasingly used to steal digital assets. Not least because cryptocurrencies confer greater privacy protections than fiat, meaning hackers can vanish into the night with their ill-gotten gains.

Here are four of the most common phishing attacks, plus useful tips for protecting yourself from cybercriminals.

1. Spear phishing

Arecent report by data protection firm Barracuda Networks highlighted the growing prevalence of spear phishing attacks, whereupon attackers target specific individuals with customized messaging — typically a phoney email purporting to be from a trusted sender.

Oftentimes the aim of the attacker will be to compel recipients to reveal sensitive information, or induce them to visit a malware-ridden website. According to Barracuda’s report, the average organization is targeted by over 700 such social engineering attacks every single year.

As far as crypto is concerned, phishing emails and text messages purporting to be from hardware wallet providers such as Trezor — or even cryptocurrency exchange platforms — attempt to induce the recipient to ‘update’ their seed phrase or change their password, after which the thief can steal log-in credentials and drain the wallet in question. Another tactic is to entice users with plausible promotions, as was the case with the attack on Celsius users earlier this year.

So, how can you immunize yourself from spear phishing? At a company level, there are myriad solutions: staff training to increase employee awareness and reporting; machine learning utilization to analyze communication patterns; AI tools to ensure account-takeover protections. Individuals, meanwhile, should take steps to verify the legitimacy of senders, carefully vet links and sender email addresses, avoid open Wi-Fi networks, and have 2-Factor Authentication in place. Above all, be extremely wary about any email from which you are asked to enter a log-in and password.

2. DNS hijacking

Some phishing schemes are more sophisticated than others. Take DNS spoofing attacks, for example. With this decades-old scam, cybercriminals hijack legitimate websites and replace them with a malicious interface, before phishing users into entering their private keys on the fraudulent domain. Earlier this year, two major defi projects built on Binance Smart Chain — namely PancakeSwap and Cream Finance — fell victim to such an attack, although it was unclear how many users had been duped.

One of the most effective ways of protecting yourself from a DNS attack is to use a VPN, since it bypasses your router’s settings by sending traffic via an encrypted tunnel. You should also be diligent about checking the URL in your browser to ensure the website certificate is trusted, and heed any warnings that indicate your connection to a site is insecure. Of course, storing your crypto offline in a tamper-proof hardware wallet like NGRAVE, rather than interacting with funds online, is also good practice.

3. Phishing bots

Five years ago, we were told that an army of ‘bots’ influenced both the Brexit referendum and the U.S. Presidential election. Whether these claims had merit is beyond the scope of this article, as we’re interested in a different kind of villain: the sort created to steal our precious seed phrases.

Back in May, Ethereum-based crypto wallet MetaMask drew users’ attention to a phishing attack perpetrated by phrase-stealing bots on Twitter. “The phishing request comes from an account that looks ‘normal’ (but few followers), helpfully suggests filling out a support form on a major site like Google sheets (hard to block), [and] asks for your secret recovery phrase,” explained MetaMask, before dispensing some sage advice on how to protect oneself: “ONLY seek support from WITHIN the app you want help on.”

While it might seem like a good idea to verify that correspondence has come from an official account, this strategy isn’t full-proof: social media accounts can be hacked like any other, as evidenced by the great Twitter hack of 2020 that earned cybercriminals $121,000 worth of bitcoin.

4. Fake browser extensions

In the cryptosphere, we’re accustomed to using all sorts of browser extensions with the aforementioned MetaMask proving especially popular. Unfortunately, cybercriminals are turning this predilection to their advantage by creating fake extensions and stealing funds from users. Last year, a malicious Chrome extension called Ledger Live was downloaded over 120 times before being booted out of the Chrome Web Store. Troublingly, attackers were able to leverage Google Ads to promote the product and attain an air of legitimacy.

The take-home? Don’t rely on web stores to properly vet the extensions they make available. If downloading a crypto extension, check its profile page to ensure it has plenty of reviews and comes from a trusted developer. Scrutinize the permissions the extension asks for (Chrome Settings>Extensions>Details) to check that they accord with its features. Oh, and you might want to download an extension directly from a link on the company’s website.

Conclusion

There are other general rules you should consider following to protect yourself from phishing scams. For example, it’s smart to bookmark verified sites where you typically input sensitive information. Ditto saving contact email addresses from crypto companies with whom you interact. Countless people have also fallen victim to phishing emails or malicious websites that feature a subtle misspelling of a legitimate address. It may seem like a chore, but double-checking URLs is a good habit to get into.

Knowing how phishing scams work is the first and most important step to protecting your crypto wealth. Follow the tips outlined above and the only thing you’ll have to worry about… is the market.

logo-ngrave-perfect-key-hardware-wallet-cold-security2
The first end-to-end security solution to manage your crypto.
NGRAVE

NGRAVE is a digital asset security company and the creator of the world’s most secure cryptocurrency wallet, NGRAVE ZERO. NGRAVE ZERO was developed in collaboration with a world-renowned team of cryptography and security experts.