Anyone who has paid attention to reports from the “cryptoverse” in recent years will know that hackers have found a veritable goldmine in Bitcoin and Co. Hundreds of millions of dollars are being drained from exchanges and DeFi protocols through exploits and other hacks. The advantage for the perpetrators: if they have their loot secured in their wallets, then no one can confiscate it. The largest hack in this context was the Ronin hack, which caused around $620 million in damages in 2022.
While these events receive a lot of media attention, they generally have little bearing on the security of individual users or cryptocurrency investors. Certainly, it is bitter for those affected if they have invested in a hacked protocol, but the risks are much higher elsewhere.
In this article, we want to show you what pitfalls are lurking and how you can best protect yourself against them.
Phishing Works Particularly Well
Phishing is a method that gives criminals a particularly high hit rate and ensures that as many unsuspecting victims as possible end up in their net. The word phishing is made up of the words password and fishing: the hackers are fishing for passwords, and the term therefore generally describes various methods of gaining unauthorized access to sensitive data. Some examples of what is particularly interesting for the perpetrators:
Login data: the login credentials of user accounts, usually an e-mail address and a password.
Credit card numbers: these are heavily traded on darknet marketplaces, so they have a direct use and resale value.
Private keys and seeds: this is where it gets interesting for the crypto investor because, as you may already know, holding this information means unrestricted access to your crypto assets. If you want to know more about the importance of seeds and how they work, our article about seeds might be relevant to you.
Of course, there are other things that can be of interest to criminal hackers. In the end, however, it is always about one and the same thing: convincing the victim that a request, website or email is legitimate.
To achieve this, they spoof websites and social media accounts or send spam emails. That is what makes phishing so much more dangerous to end users than the big hacks that end up in the newspaper: an email can be addressed to millions of recipients, and a well-faked, cleverly placed website can be visited by thousands of victims.
In some cases, hackers target their victims specifically. Although this can also become a problem for crypto investors, most attempts they are exposed to are those that target the masses.
How Can I Protect Myself From Phishing?
To protect yourself from phishing, you need to consider a number of things, some of which are universal and some of which apply only to dealing with cryptocurrencies. Three areas can be distinguished:
Password and account security: you should read our dedicated guide on this topic first. Passwords, 2FA methods and backups fall into this area.
User behavior on the Internet: this covers the handling of emails as well as usage behavior on websites, social media and chat or messenger services.
Wallet discipline: password and account security play a role here too, but there are also things to consider that are relevant exclusively for crypto.
While you can find comprehensive information on the first point in our guides, we would like to give you general recommendations on what to do and how best to proceed regarding the other two points.
Control and Routine
Usage behavior is all about following certain rules. Here is a non-exhaustive list of things to keep in mind:
Check the URLs of search results. It is not uncommon for a well-faked website to appear among the top search results, so the URL of a matching result should always be checked before you click on it.
It is best to save the URLs of crypto exchanges and other important sites as bookmarks in the browser.
Always check that a URL is exactly correct. The best way to do this is to check the certificate in the browser, which shows which domain you are actually connected to.
Do not respond to unsolicited contact in chat and messenger programs. It is best to disable that option altogether; if chatting directly with strangers is indispensable, block spammers quickly.
Whether it is via chat or email: even if a message seems genuine, check whether it really is. It is not uncommon for criminals to fake an important event to which the recipient is supposed to react immediately by following a link or disclosing personal data.
Never open file attachments from unknown senders in e-mails. Even with known senders, stay alert, because they can unknowingly become distributors themselves.
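A small URL check in the spirit of the bookmark rule above, added here as an example and not taken from the article: it accepts only links whose hostname exactly matches a bookmark list (the hostnames are placeholders) and names the common tricks that make a fake address look right.

```python
"""Check a link against your own bookmark list before you click it.

Added example, not code from the article: TRUSTED_HOSTS is a placeholder
bookmark list, and the lookalike rules illustrate common tricks in phishing
links (user@host prefixes, punycode, a real name buried in a fake domain,
digit-for-letter swaps). Anything that is not an exact bookmark match is suspect.
"""
from urllib.parse import urlsplit

# Placeholder bookmarks; a real list holds the exact hostnames you saved.
TRUSTED_HOSTS = {"exchange.example", "mywallet.example"}

# Characters phishers commonly substitute to imitate a legitimate name.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalise(host):
    """Lower-case and undo digit/letter swaps and the 'rn' -> 'm' trick."""
    return host.lower().translate(_CONFUSABLES).replace("rn", "m")


def classify_url(url):
    """Return (verdict, reason); verdict is 'trusted', 'lookalike' or 'unknown'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https" or not host:
        return ("unknown", "not an https link")
    if "@" in parts.netloc:
        # Text before '@' is user info; the browser connects to the host after it.
        return ("lookalike", f"user@host trick, real host is {host}")
    if host in TRUSTED_HOSTS:
        return ("trusted", "exact bookmark match")
    if any(label.startswith("xn--") for label in host.split(".")):
        return ("lookalike", "punycode hostname, may use look-alike letters")
    for trusted in TRUSTED_HOSTS:
        if host.endswith("." + trusted):
            # Subdomain of a bookmarked site: same owner, but not what you saved.
            return ("unknown", f"unbookmarked subdomain of {trusted}")
        if ("." + trusted + ".") in ("." + host + "."):
            # Bookmarked name reused as a subdomain of somebody else's domain.
            return ("lookalike", f"{trusted} buried inside {host}")
        if normalise(host) == normalise(trusted):
            return ("lookalike", f"confusable spelling of {trusted}")
    return ("unknown", "not in bookmarks")


if __name__ == "__main__":
    print(classify_url("https://exchange.example@evil.example/login"))
```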
The points that fall under wallet discipline concern properties of the apps used in the field of cryptocurrencies:
Never enter your seed or private keys. A request to do so is the last red flag before it is too late: no reputable provider or company will ask you to enter this data.
When using apps such as NFT marketplaces or decentralized exchanges, always keep a second wallet on hand. Never interact with the wallet that holds the biggest share of your crypto portfolio. Interacting with such apps carries a high risk, and splitting wallets for different purposes provides important protection.
Plugins and apps usually ask for permission before every transaction or interaction. They can also be allowed to perform actions without asking for further permission. You should avoid this and rather confirm each action individually.
Check each transaction carefully. If you have fallen for a phishing site, the transaction confirmation is your last chance to get out. However, many victims trust the site across the board and click through the confirmation at high speed. This is often an expensive mistake.
Do not respond to giveaways. It sounds far-fetched, but many people still fall for it: a fake social media account of a prominent person invites you to visit a page where you will supposedly get 10 Bitcoin back for every Bitcoin you send. The rule here is that nobody gives anything away for free, and if it is an airdrop, you do not have to deposit anything beforehand.
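An added example, not from the article or any wallet product, of what checking a transaction and refusing blanket permissions means in practice: decoding the calldata a site asks you to sign and flagging an unlimited token allowance or a blanket operator approval. The selectors are the standard ERC-20 and ERC-721 ones; the addresses and calldata are constructed.

```python
"""Inspect a transaction's calldata before you confirm it in your wallet.

Added example, not code from the article or any wallet software: it decodes the
standard approval calls (ERC-20 approve, ERC-721/1155 setApprovalForAll) and a
plain ERC-20 transfer from raw calldata and flags the 'allow without asking
again' pattern: an unlimited allowance or a blanket operator approval.
"""

# Well-known 4-byte selectors: the first four bytes of keccak256(signature).
APPROVE = "095ea7b3"               # approve(address,uint256)
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool)
TRANSFER = "a9059cbb"              # transfer(address,uint256)
UINT256_MAX = 2**256 - 1           # the usual 'unlimited' allowance value

def decode_words(data):
    """Split hex calldata into its selector and a list of 32-byte ABI words."""
    data = data.lower()
    data = data[2:] if data.startswith("0x") else data
    if len(data) < 8 or (len(data) - 8) % 64:
        raise ValueError("calldata is not a selector plus whole 32-byte words")
    return data[:8], [int(data[i:i + 64], 16) for i in range(8, len(data), 64)]

def word_to_address(word):
    """Addresses are right-aligned in their 32-byte word; keep the low 20 bytes."""
    return "0x" + format(word & (2**160 - 1), "040x")

def review_calldata(data, my_balance):
    """Return (call, warn, reason) for the calldata of a pending transaction."""
    selector, words = decode_words(data)
    if selector == APPROVE:
        spender, amount = word_to_address(words[0]), words[1]
        if amount == UINT256_MAX:
            return ("approve", True, f"unlimited allowance for {spender}")
        if amount > my_balance:
            return ("approve", True, f"allowance above your balance for {spender}")
        return ("approve", False, f"allowance of {amount} for {spender}")
    if selector == SET_APPROVAL_FOR_ALL:
        operator, approved = word_to_address(words[0]), bool(words[1])
        if approved:
            return ("setApprovalForAll", True, f"{operator} may move all your tokens")
        return ("setApprovalForAll", False, f"revokes operator {operator}")
    if selector == TRANSFER:
        to, amount = word_to_address(words[0]), words[1]
        return ("transfer", amount > my_balance, f"send {amount} to {to}")
    return ("unknown", True, f"selector {selector} not decoded; do not blind-sign")

def encode_call(selector, *words):
    """Build constructed sample calldata: selector followed by 32-byte words."""
    return "0x" + selector + "".join(format(w, "064x") for w in words)
```

Run `review_calldata(encode_call(APPROVE, 0xdead, UINT256_MAX), 100)` to see the unlimited-allowance case flagged; a real wallet shows the same calldata in its transaction details.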
First of all, you should contact the company your data was phished from as soon as possible and tell them about the phishing attack. The company will block access and/or change your login credentials, and it may also be possible to reverse actions taken by the attacker. If there is no direct contact option, you should immediately change all access data yourself.
If you suspect that you have been the victim of a phishing attack, you should contact the company from which your data was possibly stolen. They can tell you whether you have been the victim of a phishing attack or not. Emails from reliable sources referring to a login from an unknown device or an unknown location can also indicate that your data has been stolen. In this case, it is mandatory to double-check the email address that informed you about the unauthorized access.
If your coins have been sent to an attacker’s wallet, the chances of getting them back are very slim. Most of the time, the only option is to report it to the police, but even then the chances of recovering your coins are slim to none.
Robert first came into contact with cryptocurrencies in 2013 through mining.
In 2018, he founded Bitcoin-Kurier, where he has been reporting daily on topics from the crypto space. For Rewallet, he writes articles to help readers navigate within this space safely.