How to Help Defeat the Phishers

These phishers will not stop until they stop getting money or get caught. We don't have the time or manpower to do it all. There are so many things to do and watch and document. We thank you for your help.

1. Educate when you see a message

• If you see a link to one of these sites or a fake token sale address, comment on it on Twitter or on Reddit or wherever. Warn people QUICKLY & LOUDLY.

"There are scammers that are DMing, posting links, posting comments, and trying to get you to navigate to fake URLs. DO NOT CLICK THEM!" (Yes. People still don't know this.)

Remind people: "If it sounds too good to be true, it probably is."

⚠ PSA! Do NOT click the link or listen to the scammer! That is a phishing site. Always check your URL and / or consider getting a Ledger or TREZOR hardware wallet.

2. Educate before you see a message

Help spread the word: Private keys are private. Use hardware wallets. Use cold storage. Go offline. Check URLs.

• Creating a wallet offline is good.
• Getting a Ledger or TREZOR Hardware Wallet is even better.
• You can sign transactions offline so your key never touches a phishing site!
• Install EtherAddressLookup to block malicious / phishing sites: https://chrome.google.com/webstore/detail/etheraddresslookup/pdknmigbbbhmllnmgdfalmedcmcefdfn.
• Install MetaMask to block malicious / phishing sites and interact with MyCrypto: https://chrome.google.com/webstore/detail/metamask/nkbihfbeogaeaoehlefnkodbefgpgknn.
• Never enter your private keys, passwords, or sensitive data on a website that you were sent via a message.
• ONLY unlock your wallet when you want to send a transaction. Check your balance via https://etherscan.io/ or https://ethplorer.io/.
• Do not trust messages, addresses, or URLs sent via private message. Always verify information with a secondary source.
• Check out our guide on How to Prevent Loss & Theft.
• Protips: How Not to Get Scammed.

3. Report malicious URLs

• Report: https://etherscamdb.info/.
• PR in malicious domains: https://github.com/409H/EtherAddressLookup/blob/master/blacklists/domains.json.
• PR in verified tweeters to automatically blacklist scam tweeters with very similar usernames: https://github.com/409H/EtherSecurityLookup/blob/master/lists/twitter.whitelist.json.
• Add malicious non-URLs here: https://github.com/ethereum-lists.
• Report to Google: https://safebrowsing.google.com/safebrowsing/report_phish/.
• Report to Microsoft: https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site.
• Report to NetCraft: http://toolbar.netcraft.com/report_url.
• Report to Norton: https://submit.symantec.com/antifraud/phish.cgi.
• Report to McAfee: https://www.trustedsource.org/en/feedback/url.
• Report to Webroot BrightCloud (PaloAlto firewalls): http://brightcloud.com/tools/change-request-url-categorization.php.
• Report to Kaspersky: https://virusdesk.kaspersky.com/.
• If you want to report an Apple Appstore app, send an email to reportphishing@apple.com.
• Report any Google Adwords Campaigns here: https://support.google.com/adsense/troubleshooter/1190500?hl=en & https://support.google.com/adwords/answer/176378?hl=en.
• Notify the host regarding a malicious website / DMCA / copyright violation / trademark violation.
• Notify the registrar regarding malicious website / DMCA / copyright violation / trademark violation.
• Notify the SSL Cert Issuer of misuse of cert / malicious / phishing website.
• Screenshot site / tweets / messages & website & code.
• Scan the site with urlscan.io.
• Add UA-ID to Spreadsheet & DuckDuckGo Google UA-ID for other sites.
• Google keywords and see if there are other sites and repeat the above steps.
• Great reporting template / idea of what reporting is like:

I am writing to you today to report a malicious website on your service: insert_domain_here. This website is posing as the legitimate site mycrypto.com. The operators of this malicious phishing website site ( insert_domain_here_again ) have added code that steals the private keys of unsuspecting users, and sends them insecurely to their own servers in order to steal the users' money. Please stop providing your service to ( insert_domain_here_again ) immediately to prevent further theft and protect users. Thank you.

To find their host, 'whois' their info and find the abuser's contact

• https://whois.icann.org/en
• https://www.whois.com/whois/mycrypto.com.ua
• https://whois.domaintools.com
• https://mxtoolbox.com/Whois.aspx

4. Make, share, warn with, and help educate

• Shamelessly steal from the pros:

  • https://www.google.com/safebrowsing/static/faq.html#q1
  • https://www.fdic.gov/consumers/consumer/news/cnwin16/phishing.html
  • https://www.stopbadware.org/badware
  • https://www.wired.com/2017/03/phishing-scams-fool-even-tech-nerds-heres-avoid/
  • http://www.phishing.org/10-ways-to-avoid-phishing-scams
  • http://www.which.co.uk/consumer-rights/advice/how-to-spot-a-scam
  • https://decentsecurity.com/#/malware-web-and-phishing-investigation/

• Other References:

  • https://support.mycrypto.com/staying-safe/phish-hacks-thefts-and-stolen-funds-due-to-phishing
  • https://chrome.google.com/webstore/detail/etheraddresslookup/pdknmigbbbhmllnmgdfalmedcmcefdfn (Anti-Phishing Chrome extension)
  • https://www.reddit.com/r/ethereum/comments/6o04b2/protipshownottogetscammedduringatoken_sale