With macro looking bleak and regulators cracking down, it is important for user to worry about what they control. We can forecast and speculate until the cows come home about inflation, the economy, Gary Gensler, etc., but those are exogenous variables for a trader/investor/HODLer. Let’s optimize what we can control. Things like strategy, allocation, and security. This month, we’re focusing (yet again) on security. None of this means anything if you cannot secure your crypto. Last month we focused on wallets, this month, let’s discuss some common scams and how to identify them.
Scams are big business (first image below) and make up a significant portion of the total crypto lost over the years (second image below). However, there isn’t just one way to get scammed. Big business means scammers are becoming more sophisticated and use more than just one method.
Both images from Chainalysis’ most recent 2022 illicit crypto activity report.
Phishing
One common method of stealing user information in the cryptocurrency space is through credential phishing, which occurs when users enter their account information on a fake website, often designed to look like a legitimate one. To create these fake websites, hackers can use tools like the Social-Engineer Toolkit and Goclone to copy the front-end design of a website and host it on a similar domain. To prevent falling victim to these attacks, it's important to verify the authenticity of the website's URL and add frequently used websites to your bookmarks bar to avoid phishing sites.
In addition to fake websites, hackers can also use fake communication messages such as emails, social media messages, and phony customer service chats to obtain user information. To protect against these types of attacks, users should install anti-phishing plugins in their browsers and use password managers like Lastpass, NordPass, or Keeper Security to protect their passwords. It's also important to set complex passwords with a mix of uppercase and lowercase letters, numbers, and special symbols and to never use the same password for multiple accounts.
These types of attacks are often low-cost for hackers, but can result in high profits if just one or two people fall for the scam. To protect the security of the decentralized ecosystem, users are encouraged to report suspicious websites immediately.
Social Media/Telegram/Discord Scams
Scammers also use social media to con people. FTC reports indicate that hackers create bogus official accounts or use well-known accounts to post messages claiming to give away cryptocurrency. They lure readers into clicking fraudulent links or sending cryptocurrency to the scammer's address. To avoid social media giveaway scams, XREX recommends verifying information validity from multiple sources, ignoring free advertising, being cautious before sending coins, and being aware of pop-ups from wallet apps related to transfers or authorizations.
It is important to remember that transactions in decentralized finance cannot be reversed, and users should always be vigilant about scams and take appropriate measures to protect themselves.
Various Wallet/Seed Phrase Attacks
One of the biggest concerns in the world of cryptocurrency is the various scams that exist to trick people into giving up access to their digital assets. One such scam is seed phrase phishing, which involves tricking users into divulging their seed phrase, which is a master key to unlock access to all their crypto assets. These phrases are usually 12 to 24 word mnemonics that represent a user's private key, making it easier to remember and recover. If someone has access to a user's mnemonic, they can gain access to the user's encrypted assets, similar to a bank account username and password. Users should never leak their mnemonic phrase and should store it properly, and should report suspicious websites immediately to help keep the DeFi ecosystem safe.
Another type of scam involves malicious wallets and plugins that imitate the user interface of genuine wallets. These scams trick users into thinking they are using the official wallet, when in fact a backdoor has been set up in the backend, allowing scammers to steal the user's wallet mnemonic and assets. To avoid these fraudulent wallets and plugins, users should never use crypto assets on jailbroken or rooted devices, and should download mobile apps from official sources such as the Apple AppStore or Google Play Store. iOS users should also avoid installing or trusting profiles from unknown sources, which could inadvertently install malicious programs.
Approval scams are another type of scam that attempt to gain a user's right of transfer to certain addresses. These scams involve phishing, in which hackers trick users into granting approval permission to hackers, allowing them to transfer the victim's assets to their wallets through the transferFrom function of the ERC20 Token contract. Users can avoid approval scams by revoking authorization immediately if they accidentally authorize an unknown address, confirming the transaction content before executing the transaction, and regularly checking the authorization status of wallet addresses and revoking permissions for unknown addresses using tools such as Ethereum Token Approval, Revoke.cash, or Approved.zone. By being vigilant and following these recommendations, users can protect themselves and their digital assets from these common cryptocurrency scams.
Best Practices
Most of these below, as well as much, much more can be found
- Use 2FA (not SMS-based): 2-Factor Authentication (2FA) is used to ensure accounts are protected by more than a password but need an additional randomly generated code or device to grant access.
- How to Set Up Google Authenticator
- estore access to your accounts if you lose/destroy your device w/ Google Authenticator (2FA)
Whitelisting of addresses is often used by businesses to ensure funds can only be sent to previously approved addresses. This forces a hacker to gain access to both the wallet and the mechanism that manages this list.Bookmark your favorite/most frequented sitesUse a password managerUse burner wallets/addresses, especially when interacting with a new protocol for the first timeGeographical distribution of these keys and/or participants to protect against physical attacksCold storageA crypto vault has a built-in, predetermined delay when you try to move funds. This is also known as a timelock. It prevents cryptocurrency from being moved until a certain amount of time has passed.Yubi keys or other security hardwareWhat to do if you signed a scam transactionDon’t link a device to your home address
- Buy with cash if possible
Use separate emailHave “crypto computer”
- Use a VPN
- Use BRAVE or Firefox Browser
