Updated 1 April 2022. This post was originally published on 23 March 2018 by Loh Soon Bock, with information for some of the tell-tale signs of phishing emails contributed by Regina Koinova.
A long-time cryptocurrency investor lost US$120,000 after clicking on a malicious link that allowed a Trojan to take control of his browser and wiped his wallets in mere minutes. He reported the crime, but there was nothing the authorities could do as the cryptocurrency landscape remains largely unregulated.
He shared his story on Reddit, and found that he was not alone. In 2021, criminals got away with more than US$10 billion worth of cryptocurrency in DeFi scams and thefts. Among the most effective means are social engineering and phishing techniques.
Back in 2019, several Binance users were targeted by phishing attacks and had their accounts compromised by the attackers. Fortunately, Binance managed to prevent the attacker from stealing any funds by stopping all withdrawal requests.
With phishing attacks getting more sophisticated, it's time to look at how to protect yourself from falling victim to one. Here are eight tell-tale signs that you have probably received a phishing email. We've also included good practices you can adopt to detect cryptocurrency scams and phishing.
8 Tell-Tale Signs Of A Phishing Email
1. The Email Was Sent from a Public Domain
No company sends emails with a public domain - it just doesn't make sense. Companies will always send emails from their own domains.
2. The Email Is From A Suspicious-looking Email Address
The next obvious sign will be the email address, especially long ones. e.g. firstname.lastname@example.org.
What this looks like in practice can differ from case to case. For instance, you might see an address like email@example.com (did you notice the double "p"?). On the other hand, you might get an email from an address like firstname.lastname@example.org. In both cases, the email should not be trusted.
3. The Email Is Written Poorly
If the body of the email contains poor grammar, spelling, and punctuation, you should be extremely cautious with it. Moreover, if the email’s content makes no sense logically, then you should definitely ignore it.
4. The Email Wants You To Do Something Urgently
Phishing emails largely rely on urgency and immediacy to get you to take action without second thoughts. You will notice that the email wants you to do something quickly. It can be a seemingly innocent action that is specifically disguised to mislead. On the other hand, it could be something suspicious that you are meant to overlook because of the urgency of the said action.
Michaela Potter, an email marketing expert and writer at Writing Judge, explains, “Scammers know that putting pressure on people makes them commit irrational acts. This is why you should never do anything urgent that a suspicious email is asking you to do.”
5. The Email Sounds Too Good To Be True
If the proposition in the email sounds too good to be true, it most probably is.
Be extra careful and wary if you are asked to provide your login details or enter your personal information at a website in exchange for some valuable content or to make a quick buck.
6. The Email Contains Strange Links And Asks You To Enter Your Passwords Or Private Keys
A phishing email sometimes contains a single link or a few links that you are urged to click. Obviously, the best thing you can do is not click any of the links you see in the email.
It’s also advisable to view the email in a desktop browser where you can hover your cursor over the link to see where it leads to before you actually click on it.
Never ever give your passwords or private keys to anyone, not even your friends. That's basic security 101.
7. The Email Contains Suspicious Attachments
Phishing emails sometimes contain suspicious attachments. These can come in various formats, so you should be cautious even if it’s just a seemingly cute innocent image of a cat. Any file attached to the email could potentially be used to infect your device with malware and retrieve your personal data.
8. The Email Asks You To Send Cryptocurrency To A Wallet
Similar to passwords, never send any cryptocurrencies to unknown wallet addresses that are sent in emails, unless you are expecting one. In that case, you should definitely first verify that wallet address before sending it.
Bee Token ICO Phishing Email
Besides detecting phishing emails, phishing websites are also on the rise. It is important to ensure the URL points to the correct domain name and the browser’s green lock is present. The green lock tells you that the website you currently visiting is using a secure channel.
Secure Lock on Chrome Browser
Without the green lock, all sensitive information, such as your password, OTP and private keys, that you sending over may get intercepted by criminals, especially if you are using open Wifi at a cafe. Do take extra precautions when you are logging in to the crypto exchanges.
Good Practices To Help You Avoid Falling Victim To Cryptocurrency Scams
In addition to social engineering and phishing attempts, criminals also deploy sophisticated techniques to trick you into giving them your cryptocurrencies.
Binance Phishing, Bitconnect scam, and Loopx ICO scam are some examples of how far criminals will go to steal your money. It's therefore important that you learn how to do proper research on ICOs and be vigilant when investing in or trading cryptocurrencies. Here are some tips on how to protect yourself from scammers and criminals:
1. Invest In ICOs With Care
Do sufficient research on the company, team, products or services, and whitepaper. Beware of the hype and advertisements on the short-term gains. If an offer sounds too good to be true, it probably isn't.
2. Verify The Recipient’s Wallet Address And Ensure It Belongs To Them
Ethereum has a service called Ethereum Name Service. It resolves human-readable names to a wallet address. Most ICOs will register their name on this service so their investors can transfer their coins to the correct wallet. If they did not register such services, you can use EtherScan or ethplorer.io to look at the list of transactions or smart contracts for that particular wallet. Typically, the wallet will be tied to the token contract so you can ensure that you are investing in the right ICO token.
3. Do Not Give Your Account’s API Key To Any Third-Party Service
API keys are the combination of your username and password. These keys can access your account to perform transactions and withdrawals on your behalf. Never give these to anyone.
4. Never Send Cryptocurrency To A Wallet From An Email
No ICO or cryptocurrency exchange will email you to transfer cryptocurrency to their wallet. If they do, you should go to their official website to find their support email address and send an email to verify the wallet address again to confirm.
5. Scams In Emails, Telegram Or Slack chats
Scammers are also targeting you on official Telegram or Slack chats for any cryptocurrency by impersonating the admin of the chats and trying to scam you into sending cryptocurrencies to them. They may also private message or email you offering lucrative deals that come with a price.
For example, a well-known scam promises you a return of 1 BTC within 3 months if you invest 0.01 BTC in the scheme. These deals are usually empty promises - they vanish into thin air and become uncontactable once you send them your coins.
Keep Your Cryptocurrency Investment Safe With These Tips And Good Practices
Whether you are contemplating jumping onto the bandwagon, or are already investing in cryptocurrency, it's imperative that you learn to identify the risks and protect your time and monetary investments. Doing so not only protects you and your investments. It also helps create a safer global cryptocurrency community where investors like you can invest and trade safely.