What is phishing and how do we protect ourselves from it?
Phishing scams are schemes designed to trick users into giving up their private data, letting cybercriminals take over their online platforms and accounts. Because the blockchain itself is extremely difficult to attack, most cybercriminals resort to phishing instead and target the users. It is therefore still crucial for users to be vigilant and to follow best practices to protect themselves online.
What is phishing?
Phishing is a method used by cybercriminals to obtain sensitive information such as passwords, PINs, seed phrases or private keys from their victims. Although often lumped together with hacking, phishing is technically social engineering rather than a hack: it targets the users themselves instead of the software, database or network.
Once they gain access to a user’s accounts, criminals can then proceed to engineer fraudulent transactions in the name of the account owner. In cryptocurrency, phishing scams mostly revolve around gaining access to the seed phrases or private keys of digital wallets.
According to a report published by CNBC, more than 46,000 people lost over $1 billion in crypto assets in 2021. Much of this was the result of fake investment opportunities, romance scams, and phishing scams.
Why are crypto users usually targeted by phishing scams?
When a system is well secured, cybercriminals often resort to phishing, which is far easier than attacking the system itself. Crypto users in particular become targets for phishing because blockchains are known to be extremely difficult to attack directly.
This is because a blockchain is a decentralized network run by thousands of independent nodes located all around the world. Being decentralized, the network has no single point of failure: there is no single terminal or server that grants access to or control over the entire blockchain.
If an attacker manages to compromise a single node, the many other independent nodes simply reject any invalid data it produces. This is because a blockchain relies on a consensus mechanism to maintain its public ledger: every node independently validates each new block against the protocol rules, and a block is added to the ledger only if it follows those rules and is accepted by the rest of the network.
Put simply, the only way for an attacker to take control of a blockchain is to control the majority of the resource that secures it: more than half of the mining power on a proof-of-work chain, or more than half of the staked value on a proof-of-stake chain. This is known as a "51% attack". Even then, the attacker can only reorder or reverse recent transactions and double-spend their own coins; they still cannot spend anyone else's funds, because that requires the owner's private key.
In theory, mounting a 51% attack is conceivable on small blockchains, but gaining control of large networks like Bitcoin and Ethereum is a practical impossibility given the thousands of independent nodes and the enormous amount of hash power or staked value that secure them.
Since gaining control of a blockchain is largely out of the question, cybercriminals attack individual users instead, who are far easier targets. One of the most common ways to do so is phishing.
How does phishing work?
In phishing, criminals present themselves as legitimate contacts such as coworkers, banks or government offices to trick users into sharing sensitive information. For crypto in particular, scammers pretend to represent wallet providers, cryptocurrency exchanges, or decentralized application (dApp) websites.
Scammers phish for data in many ways, so it pays to know the most common forms and the tell-tale signs that should put you on alert:
Spear phishing
Spear phishing is a targeted attack on a single individual or organization to obtain sensitive information like login credentials, bank details, and other private data. Attackers often use information gathered from public platforms like your social media accounts to pretend that they already know you and to gain your trust.
Once they have gained your confidence, the criminals may ask for credit card numbers or passwords on the pretext of "updating records" or "availing of discounts and promos". If the scammers are pretending to be friends or family members, they may even fabricate an emergency to create a sense of urgency.
Fake emails and websites
Where spear phishing focuses on one target, fake emails and websites cast a wider net. Scammers send bulk emails to hundreds or thousands of addresses to increase their chances of fooling someone.
These emails often carry get-rich-quick offers or pretend to offer jobs or travel opportunities. They link to fake websites that mimic a legitimate login page and prompt users to enter their credentials or seed phrase themselves.
Fake browser extensions
Sometimes scammers imitate popular crypto wallets and set up a malicious link for installing the wallet's browser extension. Instead of the legitimate installer, you end up downloading malware, such as a keylogger that records your keystrokes or a trojanized extension that captures the passwords and seed phrases you type into it. Install extensions only from the wallet provider's official site or the browser's official extension store, and check the publisher name before adding one.
Fake airdrops
An "airdrop" refers to rewards in the form of free cryptocurrencies or NFTs, often given to investors or early adopters of a crypto project. Scammers exploit this by dropping random tokens into your wallet and hoping you assume that you took part in some earlier token whitelist event and are now being rewarded retroactively.
Usually, these tokens can only be "traded" on a specific site that requires you to set up an account and connect your wallet, after which it prompts you to type in your seed phrase. More sophisticated scams skip the seed phrase altogether: the "sell" button on the site asks your wallet to sign a transaction that is really a token approval (for example an unlimited ERC-20 allowance, or an NFT setApprovalForAll) granting the scammer's contract permission to move your real assets, which it then drains. When you encounter tokens you don't trust, the best thing to do is to ignore them: hide the token in your wallet so it is no longer displayed, and do not try to sell or transfer it. Even sending it to a burn address means executing the scam token's own contract code, which may not do what you expect, and costs you gas for nothing.
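To make the approval trick concrete, here is an added example in Python (not code from PDAX or from any wallet) that decodes the calldata a malicious "sell" page asks your wallet to sign and flags an unlimited ERC-20 approve() or an NFT setApprovalForAll(). The function selectors are the standard ones; the scammer and router addresses and the sample calldata are constructed for this example.

```python
UINT256_MAX = 2**256 - 1

# First 4 bytes of keccak256(signature). Hard-coded because hashlib has no keccak-256;
# these are the well-known selectors for the ERC-20 / ERC-721 functions involved.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",         # ERC-20: let `spender` move up to `amount`
    "a22cb465": "setApprovalForAll(address,bool)",  # ERC-721/1155: let `operator` move every NFT
    "a9059cbb": "transfer(address,uint256)",
}


def _words(args: bytes):
    """Split ABI-encoded arguments into 32-byte words."""
    if len(args) % 32:
        raise ValueError("ABI arguments are not 32-byte aligned")
    return [args[i:i + 32] for i in range(0, len(args), 32)]


def decode_calldata(data_hex: str) -> dict:
    """Decode the selector and, for approval functions, the spender and amount/flag."""
    data = bytes.fromhex(data_hex[2:] if data_hex.startswith("0x") else data_hex)
    if len(data) < 4:
        raise ValueError("calldata shorter than a function selector")
    name = SELECTORS.get(data[:4].hex(), "unknown")
    out = {"selector": data[:4].hex(), "function": name}
    if name.startswith(("approve(", "setApprovalForAll(")):
        words = _words(data[4:])
        if len(words) < 2:
            raise ValueError("missing arguments")
        # An address is ABI-encoded as 20 bytes left-padded to 32.
        out["spender"] = "0x" + words[0][12:].hex()
        out["amount"] = int.from_bytes(words[1], "big")  # uint256 amount, or 0/1 for the bool
    return out


def assess(data_hex: str, expected_spender=None) -> dict:
    """Return the decoded call plus the warnings a wallet should show before you sign."""
    d = decode_calldata(data_hex)
    warnings = []
    if d["function"] == "unknown":
        warnings.append("unrecognised function; decode it before signing")
    elif d["function"].startswith("approve(") and d["amount"] == UINT256_MAX:
        warnings.append("unlimited allowance: spender can drain the whole token balance, now or later")
    elif d["function"].startswith("setApprovalForAll(") and d["amount"] == 1:
        warnings.append("operator approval: spender can move every NFT in this collection")
    if expected_spender and d.get("spender") and d["spender"].lower() != expected_spender.lower():
        warnings.append("spender is not the contract you intended to interact with")
    d["warnings"] = warnings
    d["risk"] = "high" if warnings else "low"
    return d


def encode_approve(spender: str, amount: int) -> str:
    """Build approve() calldata; used here only to construct sample transactions."""
    return "0x095ea7b3" + spender[2:].lower().rjust(64, "0") + amount.to_bytes(32, "big").hex()


if __name__ == "__main__":
    # Constructed sample: what a scam "sell this airdrop" page actually asks you to sign.
    SCAMMER = "0x" + "be" * 20
    print(assess(encode_approve(SCAMMER, UINT256_MAX)))
    # Constructed benign sample: a bounded allowance to the router you meant to use.
    ROUTER = "0x" + "d0" * 20
    print(assess(encode_approve(ROUTER, 1000 * 10**18), expected_spender=ROUTER))
```

The point of the check is that the transaction never mentions your seed phrase: a single signature on an approve() with the maximum amount is enough for the scammer's contract to call transferFrom() against your balance whenever it likes. Wallets that show "Set approval limit" or "Unlimited" for such prompts are surfacing exactly this field.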
Best practices to avoid falling for phishing scams
As phishing scams become more creative and convincing, it's important to always take some basic measures to protect yourself:
Always protect your passwords and PINs - Keep your login credentials in a secure place that only you can access, such as a password manager. Never reuse the same password across accounts, and change a password immediately if you suspect it has been exposed. Under no circumstance will a bank, exchange, wallet provider, or website, PDAX included, ever ask you for this information. Should you encounter any such request or any suspicious notification, please report it immediately through our customer support or Messenger account.
Never share your seed phrase or private keys - Remember that whoever holds your keys owns your crypto, so never lose them and never share them with anyone, except perhaps a spouse or designated inheritor. Unlike a password, a seed phrase cannot be changed: if it has been exposed, move your funds to a brand-new wallet and never use the compromised one again.
Secure your email - Use a separate email address only for your crypto wallet and exchange accounts. An address that nobody else knows about is one of the simplest ways to keep scammers from learning that you hold any crypto at all, since you won't be leaving it behind on every website you sign up for.
Keep two-factor authentication on - Link your accounts to a two-factor authentication (2FA) app such as Google Authenticator or Authy. Even if someone obtains your password, they would still need the one-time code generated on your device. Prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted through SIM-swap attacks, and enable 2FA on the email account that receives your password resets as well as on the exchange and wallet accounts themselves.
Keep your social media accounts private - Never post private information online, and limit your contact details such as phone numbers and email addresses to trusted connections. Better yet, set your accounts to private to keep scammers from compiling information that can be used to deceive you or the people connected to you.
Be wary of "urgent" messages - "Urgent" messages from people you don't know are often scammers trying to trick you. These range from emails claiming that your computer is infected with a virus and urging you to download and install a program, to con artists claiming to know of an emergency involving your coworkers or family members. Keep calm, confirm the situation through a channel you already trust (for example by calling the person on a number you already have), and never act on emotion.
Only download software and applications from trusted sources and platforms - Before downloading or installing anything, make sure the link is legitimate. Be suspicious of look-alike addresses: extra words added before or after the real domain name (for example, the real name used as a subdomain of somebody else's domain), a name spelled slightly differently, or a different top-level domain. Check that attachments are in the file format you expect. Be wary of sites that look unprofessional or are full of grammatical errors.
Keep your software updated - We often put off system and application updates, thinking they are a hassle and a waste of time. In reality, software developers and attackers are in a constant arms race, and a given update or patch may be exactly what keeps a known bug from being exploited by cybercriminals.
Don't invest in cryptocurrency projects without doing your research - Before interacting with a cryptocurrency platform, do a background check to confirm its legitimacy. As a rule, stay away from projects with poorly written or non-existent whitepapers, or which make promises that sound too good to be true. Keep in mind that cryptocurrency isn't a get-rich-quick scheme; it calls for patience and sound investment strategy.
The blockchain and its many applications are a robust way to keep a ledger tamper-resistant, but that doesn't mean we can be careless in how we use it. The chain protects the ledger, not your keys: even when the technology itself is secure, human error remains the opening that attackers exploit.
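Here is an added example in Python (not PDAX's code) of the kind of link check described above: it extracts the registered domain from a URL and flags the "real name inside someone else's domain", one-character typo and non-ASCII look-alike tricks. The allow-list, the sample URLs and the tiny suffix table are assumptions for the example; a real implementation should use the Public Suffix List.

```python
from urllib.parse import urlsplit

# Hypothetical allow-list: the registered domains you verified out of band
# (from the app-store listing or a bookmark you made yourself).
TRUSTED_DOMAINS = {"pdax.ph", "metamask.io"}

# Tiny stub of multi-label public suffixes; production code should load the
# full Public Suffix List (publicsuffix.org) instead.
TWO_LABEL_SUFFIXES = {"com.ph", "co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the part of the host that somebody actually registered.

    For 'pdax.ph.verify-account.com' that is 'verify-account.com'; everything to
    the left is a subdomain the registrant can set to anything, including a
    trusted brand name."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str) -> dict:
    """Classify a link as trusted / look-alike / typosquat / unknown, with reasons."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").rstrip(".")
    reasons = []
    if parts.scheme != "https":
        reasons.append("not served over https")
    if not host.isascii():
        reasons.append("non-ASCII characters in host (possible homoglyph)")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label in host (possible homoglyph)")

    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return {"verdict": "trusted", "domain": domain, "reasons": reasons}

    domain_brand = domain.split(".")[0]
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        # Brand name appears somewhere in the host, but the registered domain is
        # someone else's: the "pdax.ph.verify-account.com" / "secure-pdax.com" trick.
        if brand in host:
            reasons.append(f"contains '{brand}' but the registered domain is '{domain}'")
            return {"verdict": "look-alike", "domain": domain, "reasons": reasons}
        # One character away from the brand: pdaz.ph, or pdaх.ph with a Cyrillic х.
        if edit_distance(domain_brand, brand) == 1:
            reasons.append(f"'{domain_brand}' is one edit away from '{brand}'")
            return {"verdict": "typosquat", "domain": domain, "reasons": reasons}
    return {"verdict": "unknown", "domain": domain, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample links, not real phishing sites.
    for link in ("https://pdax.ph/login", "https://pdax.ph.verify-account.com/login",
                 "http://pdaz.ph", "https://pdaх.ph", "https://example.com"):
        print(link, "->", check_url(link))
```

The habit this encodes is to read a hostname from the right: the last one or two labels name the registrant, and a brand name to the left of them proves nothing. The same check is what a good password manager does implicitly when it refuses to autofill on a domain it has no entry for.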
Ready to start with crypto?
Start your trading journey with PDAX.
DISCLAIMER: The statements in this article do not constitute financial advice. PDAX does not guarantee the technical and financial integrity of the digital asset and its ecosystem. Any and all trading involving the digital asset is subject to the user’s risk and discretion and must be done after adequate and in-depth research and analysis.
PDAX is a BSP-licensed exchange where you can trade Bitcoin, Ethereum, and other cryptocurrencies directly using PHP!