Phishing Scams & Hacks

Phishing

Phishing is scamming via impersonation: the attacker pretends to be an individual, organization, operation, website, etc. that the victim already trusts.

Phishing is also the most common type of scam/attack on your funds in any cryptocurrency ecosystem. This is due to the low cost of attack, and relatively high success rate.

This type of attack exploits people's inattentiveness when it comes to their security. Users generally prefer to have ease-of-use over security, so they're not used to having to validate that they're using the correct service/interacting with the correct person or organization.

There are tools that help to mitigate this, but ultimately phishing is effective for attackers because most users don't value security until something happens that compromises their funds.

Phishing via Website

How is this done?

An attacker copies the code of a popular interface, exchange or organization's website. Then they host that copied code on a website whose URL closely resembles the one they're trying to impersonate.

After that, all they need to do is advertise their website for others to see and get tricked into using.

[Image: the correct URL vs. the phishing URL]

How can I mitigate this?

In the example above, note the differences between the URLs. The phishing site does not present the Extended Validation certificate that identifies MyCrypto LLC, whereas the legitimate site does. Be aware that most browsers no longer show the organization name in the address bar itself (it is usually visible only after clicking the padlock), so check the domain name rather than relying on a green indicator.

Practice safety when navigating to your crypto-related websites by validating that they are the correct website. Check the URLs to make sure that they are identical, character for character. Be aware that a phishing URL can be spelled almost identically, with the only difference being a lookalike character from another alphabet (for example a Cyrillic "о" in place of the Latin "o").

These lookalike characters get into a domain name through internationalized domain names: the browser shows the Unicode spelling, while the actual registered name is an ASCII form that starts with "xn--", encoded using something called Punycode.
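The following script is an added example, not code from the original article or from MyCrypto: it takes a URL, converts its host between the Punycode (xn--) form and the Unicode display form, reports which alphabets the letters come from, and folds a few Cyrillic lookalike letters back to Latin to see whether the name is a lookalike of a host you trust. The allowlist, the sample URLs and the small confusables table are all constructed for the example.

```python
import unicodedata
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts the user actually intends to visit (constructed for this example).
TRUSTED_HOSTS = {"mycrypto.com", "etherscan.io"}

# Cyrillic letters that render almost identically to Latin ones. This is a small,
# hand-picked subset of the Unicode confusables data, not the full table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
}


def script_of(ch):
    """Return the script family of a letter ('LATIN', 'CYRILLIC', ...) taken from its Unicode name."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def analyze_hostname(url):
    """Decode the host of `url` both ways and collect Punycode/homograph warning signs."""
    host = urlsplit(url).hostname or ""
    # ASCII wire form: non-ASCII labels become Punycode with the xn-- prefix. This is what DNS resolves.
    punycode = host.encode("idna").decode("ascii")
    # Unicode display form: what the address bar may show the user.
    unicode_host = punycode.encode("ascii").decode("idna")

    letters = [c for c in unicode_host if c.isalpha()]
    scripts = sorted({script_of(c) for c in letters})
    non_ascii = any(ord(c) > 127 for c in unicode_host)
    has_punycode_label = any(label.startswith("xn--") for label in punycode.split("."))

    trusted = unicode_host in TRUSTED_HOSTS
    # Fold confusable letters to Latin; if the result is a trusted host, the name is a lookalike of it.
    skeleton = "".join(CONFUSABLES.get(c, c) for c in unicode_host)
    lookalike_of = skeleton if (skeleton in TRUSTED_HOSTS and not trusted) else None

    return {
        "host": host,
        "punycode": punycode,
        "unicode_host": unicode_host,
        "scripts": scripts,
        "non_ascii": non_ascii,
        "has_punycode_label": has_punycode_label,
        "mixed_script": len(scripts) > 1,
        "trusted": trusted,
        "lookalike_of": lookalike_of,
    }


def verdict(url):
    """Summarize the analysis as a short verdict string."""
    r = analyze_hostname(url)
    if r["trusted"]:
        return "ok"
    if r["lookalike_of"]:
        return f"phishing: looks like {r['lookalike_of']} but is really {r['punycode']}"
    if r["has_punycode_label"] or r["mixed_script"]:
        return f"suspicious: internationalized host {r['punycode']}"
    return "unknown host"


if __name__ == "__main__":
    # Constructed sample: "mycrypto.com" with a Cyrillic 'о' (U+043E) in place of the Latin 'o'.
    for u in ("https://mycrypto.com/", "https://mycrypt\u043e.com/"):
        print(u, "->", verdict(u))
```

The lookalike name and the real name differ only in the script of one letter, which is why a visual check of the address bar can fail; comparing the Punycode form, or folding the name to a Latin skeleton as done here, makes the difference explicit.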

Additionally, you can install the EtherAddressLookup Chrome extension, which blocks known phishing websites for you.


Phishing via Twitter

How is this done?

An attacker takes a Twitter account and changes its display name (and usually its avatar) to impersonate crypto-related people or organizations like Vitalik Buterin, MyCrypto.com and Shapeshift.io. Then they post an offer aimed at the impersonated account's followers, claiming to be giving away funds to anyone who first sends a small amount to the attacker's address.

How can I mitigate this?

Follow the Common Scams Tips and do not attempt to get free money by sending money to others first. It will not work; the "giveaway" never pays out.


Phishing via Mobile App

How is this done?

An attacker creates an app using the logos and names of popular online tools like MyCrypto and MyEtherWallet. Then they publish this app to an app store like the Google Play Store. If anyone inputs their private keys into the app, those keys are sent to the attacker, who can then siphon off the funds whenever they want to.

Mobile phishing applications appear in the mobile app store looking like a mobile version of a popular web-based tool, as pictured below.

How can I mitigate this?

Before installing any crypto-related mobile application, verify that it is legitimate: check on the project's official website or social accounts that a mobile app actually exists and that the developer listed in the store matches, and ask the broader community on public forums if you are unsure. Never enter a private key into an app you have not verified this way.


How can I help others to not fall for these types of scams?

Report scams like this to EtherScamdb.info. Furthermore, when you find these scams, post about them on social media sites like Reddit and Twitter so that users can learn about their existence. You can also share this article using the sharing links below the title of this article.


If you don't understand any of the terms in this article, please try referencing our Ethereum Glossary.




