Security tips

Phishing attacks and how to stay safe

Don’t get baited by phishing attacks, learn how to avoid potential scams and keep your recovery seed secure.

SatoshiLabs, published in Trezor Blog, Oct 27, 2021 (9 min read)

Phishing attacks are among the most common and effective scams on the internet. Cryptocurrency has made phishing more profitable by combining two things: a technology in which transactions are irreversible and settle in minutes, and a user base that is still unfamiliar with it.

The problem with phishing is that it takes many forms, usually pretending to be a legitimate service that you already interact with, making it hard to immediately recognize when you’re being baited.

The ultimate goal of a phishing attack is to convince users to reveal information that can be used to take over their accounts. In crypto, that’s usually your recovery seed. The good news is that they can be avoided by being disciplined about the information you share, online and off.

This article explores some of the ways that phishing attacks manifest in the real world, and lays down some guidelines to help you avoid falling for such scams in the future. If you’ve been a victim of a phishing scam and would like to contribute your insight to this piece, please reach out through the comment section.


Phishing scams are everywhere

Phishing is a booming industry. It ranges from complex networks of attackers and specially-created tools, to individuals operating alone with little prior planning or resources. The cost to carry out attacks is often very low or effectively free, so it can be attempted repeatedly on victim after victim.

Even well-informed users who know how to take care of their seed can fall for these scams, either through a lapse of judgement or because of clever social engineering. Whether watching an advert on YouTube, reading a post on a forum, typing a URL, or checking emails, you could be targeted by a phishing scam. As long as you are on the internet, there is a chance that you will come across a phishing site or be sent a message from a scammer.

Reported losses to phishing in traditional markets are in the tens of millions of dollars, but these numbers do not include cryptocurrency losses. The effectiveness of phishing scams within the crypto space is estimated to be many times higher: over $400 million was stolen in just the first four months of 2021. If you want to hold on to your investment, get familiar with the threats.

As much as the community reinforces the message that your seed should only be used when your Trezor tells you to, scammers invent exceptional scenarios where — just that once — the user has to enter their seed because of a lie about a malfunction or risk of coin loss. Playing these tricks on users is especially effective because the scammers build additional pressure on them to act fast or risk losing their assets.

Why phishing is so effective

Phishing scams are popular because they work. They are in many ways the bottom-feeders of scams, putting in minimal effort to simply trip up their victims in a brief lapse of judgement. Generally speaking, there are three factors that make phishing effective:

  1. Reach. Information travels fast. A single message containing a link to a phishing site has the potential to reach tens of thousands of people in a single click, at practically no cost to the sender. Even one victim among those thousands may be enough to turn a profit. To be more effective, professional scammers also buy stolen or leaked data and tailor the bait to a fear, a motivation or a piece of personal information that the pool of targets is most likely to respond to.
  2. Simplicity. Phishing requires only basic technical proficiency. A Google Form with a field titled “Recovery Seed”, sent unsolicited from various throwaway Twitter accounts, is a tried-and-tested method. A real-world analog would be a burglar approaching you in the street and asking for your house keys so they can check that you turned off the oven. It sounds absurd, but it works, and scammers can then invest more time and money into making the scheme more convincing to increase their hit rates.
  3. Inexperience. Cryptocurrency is growing faster than most other industries, with a very large addressable market. With such a large percentage of new users, there will always be someone who has not yet learned the fundamentals and will share their recovery seed openly. Phishing is especially harmful to adoption for that reason. Raising awareness by openly sharing information like this article is one of the best ways to help reduce the number of successful thefts.

Common tactics used by phishing scams

Although they may each be wrapped in different packaging, phishing attacks are usually little more sophisticated than a clone of a familiar website, with a section asking the target to give up information they shouldn’t.

A bit of dramatic effect, like saying that the target will lose access to their coins if they don’t act immediately, is sometimes enough to make the victim forget the first rule of security: only use your seed if your Trezor tells you to. Let’s go into a bit more depth as to how these scams can be presented.

Using the right bait for the prey

By focusing on a certain group of targets, scammers stand to increase their chances of success, but need to dedicate more time and money to preparing the bait. They do so by making the direct messages and emails they send look like they come from a service you know, in an effort to get you to give up your confidential data.

Information that connects the targets, such as an interest in trading bitcoin, increases the chances of a profitable phishing campaign. Breached data lets scammers choose which product or service’s user base to target, so they can direct those users to a malicious dummy copy of the product’s website. Cloning the website’s design without its functionality makes this scam simple and cheap. And if the target is not aware these dangers exist, they likely won’t notice they’ve been robbed until long after the fact.

Domain squatting traps

This approach to phishing can be effective without any need to directly target users, making it harder to detect and shut down. By cloning the look and feel of a popular website and hosting it on a similar domain, victims simply stumble onto the site and fall into the trap.

Because these sites are hard to monitor for and often impossible to tell apart from the real thing by appearance alone, knowing that domain squatting exists is half the defence. Always closely verify the URL of any site you enter confidential data into. Then assume that you will eventually be fooled, and add a safeguard that does not depend on your eyesight: an authenticator with FIDO2 support. The browser binds each FIDO2 login to the real site’s domain, so a credential registered with the genuine site cannot be used from a look-alike domain, and the phishing site gets nothing it can replay.

Malicious extensions and fake apps

Relying on a browser extension alone to secure your cryptocurrency is reckless, and regularly leads to high-value losses. An extension wallet keeps the private keys inside the browser, where a malicious page, a rogue extension or a trojanised update can reach them, so extensions should only be used if the seed for the account is generated and stored offline in a hardware wallet. As long as your seed is kept offline, browser extensions can enhance your experience without adding unnecessary risk.

Fake apps are also infamous for getting away with millions of dollars of stolen crypto each year. The problem is not only the existence of phishing apps, but that app marketplace curators allow them to be listed without checking that the app does what it claims to. Read more about fake apps in our recent blog article.

Signs you’re being phished

Identifying that you’re being phished can be tricky, but there are some red flags to look out for.

  • Any website, app or person that asks you to enter your seed without you initiating recovery of your Trezor and confirming it using the device is a scam and should be reported.
  • Messages persistently ask you to follow a link or download a file.
  • The sender address or account is different from the company’s official domain.
  • Links don’t lead where you expect them to when hovering your cursor over them.
  • Attachments, links or odd questions in messages you weren’t expecting.
  • The tone makes you feel under pressure or worried.
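The red flags above, and the domain-squatting tricks from the previous section, can be checked mechanically. The following is an added example in Python, not Trezor’s code: it takes a raw email, compares the sender’s domain with the official one, compares each link’s visible text with its real destination (what hovering shows you), and classifies every destination host as a bookmarked domain, a look-alike of one (a digit swap, a Cyrillic letter, a punycode xn-- name, or a trusted name hidden as a prefix of a longer domain) or an unknown host. The bookmarked host list, the official mail domain, the confusable table and the sample message are all constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_HOSTS = {"trezor.io", "suite.trezor.io", "blog.trezor.io"}   # the reader's bookmarks (assumed)
OFFICIAL_MAIL_DOMAIN = "trezor.io"                                    # assumed for the example
# Hand-picked look-alike characters; real confusable tables (Unicode TR39) are far larger.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i"}


def decode_idn(host):
    """Map punycode labels (xn--...) back to the Unicode an address bar may render."""
    try:
        return host.encode("ascii").decode("idna")
    except ValueError:          # already Unicode, or not valid IDNA: keep as-is
        return host


def skeleton(host):
    """Collapse look-alike characters so 'trez0r.io' and Cyrillic 'trеzor.io' both read 'trezor.io'."""
    s = decode_idn(host.strip().lower().rstrip("."))
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)


def registrable(host):
    """Last two labels. Simplification: production code should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def classify_host(host):
    """'trusted' (a bookmarked domain), 'lookalike' (a squat on one) or 'unknown'."""
    host = host.lower().rstrip(".")
    trusted_reg = {registrable(t) for t in TRUSTED_HOSTS}
    if host in TRUSTED_HOSTS or registrable(host) in trusted_reg:
        return "trusted"
    sk = skeleton(host)
    if any(sk.startswith(t + ".") or "." + t + "." in sk for t in trusted_reg):
        return "lookalike"      # trusted name used as a prefix: trezor.io.login.example
    if registrable(sk) in trusted_reg:
        return "lookalike"      # homoglyph, digit swap or punycode form of a trusted name
    return "unknown"


def host_of(text):
    """Hostname of a URL or of URL-looking link text; None for ordinary words."""
    s = text.strip()
    if " " in s or "." not in s:
        return None
    return urlparse(s if "://" in s else "http://" + s).hostname


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs so the two can be compared, as hovering would."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_email(raw):
    """Red flags in a raw message whose body is plain HTML without a transfer encoding."""
    msg = message_from_string(raw)
    flags = []
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if registrable(sender) != OFFICIAL_MAIL_DOMAIN:
        flags.append(f"sender domain '{sender}' is not {OFFICIAL_MAIL_DOMAIN}")
    body = msg.get_payload()
    if re.search(r"\b(urgent|immediately|within 24 hours|suspended)\b", body, re.I):
        flags.append("pressure language in body")
    if re.search(r"recovery seed|seed phrase|recovery words", body, re.I):
        flags.append("message brings up the recovery seed")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        dest, shown = host_of(href), host_of(text)
        if dest is None:
            continue
        if shown and shown != dest:
            flags.append(f"link text shows '{shown}' but points to '{dest}'")
        verdict = classify_host(dest)
        if verdict != "trusted":
            flags.append(f"link to {verdict} host '{dest}'")
    return flags


# Constructed sample message; the sender and the look-alike hosts are fictional.
SAMPLE_EMAIL = """\
From: "Trezor Support" <support@trezor-security-team.com>
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your wallet will be suspended within 24 hours unless you verify it immediately.</p>
<p><a href="https://suite.trezor.io.verify-wallet.example/login">https://suite.trezor.io</a></p>
<p>Or <a href="https://tr\u0435zor.io/recovery">restore your wallet</a> with your recovery seed.</p>
<p>Help: <a href="https://trezor.io/learn">https://trezor.io/learn</a></p>
</body></html>
"""
```

Running `check_email(SAMPLE_EMAIL)` yields six findings: the sender domain, the pressure wording, the mention of the recovery seed, the link whose text says suite.trezor.io but whose destination is a longer domain that merely starts with it, that destination itself, and the href whose second letter is a Cyrillic е. The genuine trezor.io/learn link produces nothing. Only the look-alike classes are handled here; a production filter would add a Public Suffix List and a full confusables table.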

How to protect yourself from phishing

Avoiding scams depends on a combination of knowing what warning signs to look out for, and protecting your private information as a matter of routine. Here, we’ll cover some specific actions you can take that will protect you from phishing as well as how to stay vigilant in general.

Prevent phishing:

  • Don’t give away personal information. The more information you share on the internet, the more convincing these attacks will be. Use pseudonyms and aliases, have deliveries sent to public collection points, and do not share photos or information about yourself publicly.
  • Never give your recovery seed to anyone, and be wary of anyone who asks for it, including anyone claiming to be Trezor Support. There’s no reason why anyone would need your recovery seed except to steal from you. Trezor Support will never ask for your seed.
  • Isolate sensitive information. Use a Trezor to store and use your Bitcoin private keys offline.
  • Trust your device. Use your Trezor to verify any sensitive action. Your Trezor is consistent; under no situation will it ‘skip’ a confirmation or ask for your seed without you initiating it. There’s a reason we call it a Trusted Display.
  • Double check that the URLs of sites you visit are exactly as they should be, without typos or similar-looking characters. Browsers may show an internationalised domain name either as Unicode or as punycode (xn--…), so a single Cyrillic letter can make a look-alike indistinguishable at a glance. Bookmark sites you visit frequently and use desktop apps for better isolation from internet threats. Trezor Suite is available as a desktop app or through your browser at https://suite.trezor.io.

Build resilience to scams:

  • Phishing is most likely to work if the victim is distracted or rushed. Keep a calm head and do your research before sharing data or agreeing to things.
  • Use two-factor authentication on your accounts, ideally with FIDO2. Unlike a code typed from an SMS or an authenticator app, which a phishing page can simply relay, a FIDO2 login is bound by the browser to the domain of the real site, so it cannot be completed from a look-alike domain.
  • Over email, most phishing attacks should be caught by your spam filter. If the number of emails is increasing, it may mean that a company leaked your data. Keep track of data breaches by adding the company name to your email address when you sign up. Just add a plus (+) sign and the name of the service to your email before the @. For example, name@satoshilabs.com becomes name+service@satoshilabs.com. This only tells you where a leak came from: a scammer can strip the tag just as easily as your mail provider does, and some sign-up forms reject the + character.
  • Avoid clicking on links in an email or on social media unless you are absolutely sure of where it leads. Hover your cursor over links and images to preview the URL before clicking it to verify that you’re visiting an official webpage. All shortened links should be considered potentially malicious, especially on social media.
  • Avoid sites missing the HTTPS padlock symbol next to the URL. Note that the padlock only means the connection is encrypted; phishing sites obtain certificates too, so it does not guarantee a website’s authenticity.
  • Use up-to-date software on your computer and keep your Trezor firmware updated with any security patches.
  • Be vigilant. Research first before deciding to trust any service with your sensitive information, such as your extended public keys (XPUB). An XPUB cannot spend your coins, but it reveals every address and the full transaction history of that account.
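The FIDO2 advice above, and in the domain-squatting section, rests on one mechanism: the origin is written into the signed data by the browser, not by the page. The following is an added example in Python, not Trezor’s code and not a real WebAuthn library: a toy authenticator, browser and relying party that run the assertion ceremony from the genuine origin and from a look-alike origin relaying the real challenge. The relying-party id, the origins and the challenge are invented, and the signature is an HMAC stand-in for the authenticator’s ECDSA signature (so the toy verifier holds the same key, where a real relying party holds only the credential’s public key); the checks themselves are the ones WebAuthn specifies for an assertion.

```python
import base64
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse

RP_ID = "trezor.io"                        # invented relying-party id for the example
RP_ORIGIN = "https://suite.trezor.io"      # the only origin this RP accepts
PHISH_ORIGIN = "https://trezor-login.example"   # invented look-alike domain


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


class Authenticator:
    """Signs authenticatorData || SHA-256(clientDataJSON). It never sees a URL itself."""
    def __init__(self):
        self.key = os.urandom(32)          # stand-in for the credential's private key

    def get_assertion(self, rp_id, client_data):
        auth_data = hashlib.sha256(rp_id.encode()).digest()    # rpIdHash
        auth_data += b"\x01" + (0).to_bytes(4, "big")          # flags (user present) + signCount
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        return auth_data, hmac.new(self.key, to_sign, "sha256").digest()


def browser_get(authenticator, page_origin, rp_id, challenge):
    """navigator.credentials.get() as the browser performs it: it, not the page, writes the origin."""
    host = urlparse(page_origin).hostname
    if not (host == rp_id or host.endswith("." + rp_id)):
        # The browser refuses before the authenticator is even touched.
        raise PermissionError(f"SecurityError: rp id {rp_id!r} is not a suffix of {host!r}")
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    auth_data, sig = authenticator.get_assertion(rp_id, client_data)
    return client_data, auth_data, sig


def rp_verify(authenticator, challenge, client_data, auth_data, sig):
    """Relying-party checks on the assertion. Returns (accepted, reason)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch (replay?)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin {cd.get('origin')!r} is not {RP_ORIGIN!r}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our rp id"
    if not auth_data[32] & 0x01:
        return False, "user presence not asserted"
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    expected = hmac.new(authenticator.key, to_sign, "sha256").digest()   # HMAC stand-in
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


def login_from(page_origin, rp_id=RP_ID, authenticator=None):
    """One ceremony in which the page at page_origin relays the RP's real challenge."""
    authenticator = authenticator or Authenticator()
    challenge = os.urandom(32)
    try:
        client_data, auth_data, sig = browser_get(authenticator, page_origin, rp_id, challenge)
    except PermissionError as err:
        return False, str(err)
    return rp_verify(authenticator, challenge, client_data, auth_data, sig)
```

`login_from(RP_ORIGIN)` succeeds. `login_from(PHISH_ORIGIN)` never reaches the authenticator: the browser refuses an rp id that is not a suffix of the page’s host. If the phishing page instead asks for its own rp id, the authenticator signs, but the relying party rejects the assertion because the origin it carries is the look-alike, and even with that check removed the rpIdHash would not match. Nothing the user types or sees is involved, which is why a look-alike URL that fools the eye still fails here.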

What to do if you are a victim of a phishing attack

If you have been targeted by a phishing attack or stumbled onto a phishing domain and entered your seed words, it is likely already too late to recover your funds. Once you enter your recovery seed somewhere, it is automatically harvested and used to regenerate the wallet, and the funds are sent by the attacker to an address they have sole control over. If anything is still left on that seed, move it to a wallet with a freshly generated seed straight away, and treat the old seed as permanently compromised.

To prevent the spread of these attacks, it is recommended to publicly report the scam as well as filing a police report in your jurisdiction. If you use a Trezor, the only way for someone to access your accounts is to have a copy of your recovery seed or physical access to your device while it is unlocked. Follow the precautions listed above, don’t share your seed, and you should avoid falling victim to scammers.


Innovating since we founded the industry in 2013 with production of the first crypto hardware wallet, the Trezor One. Open-source, secure, community-driven.