Crypto Phishing Scams And How To Avoid Them

Let’s face it – phishing is an ever-present threat in our society nowadays. We hear about it on the news all the time. Especially a hot commodity like cryptocurrencies makes for an enticing target.

While that may sound overwhelming, there are simple ways to protect your cryptocurrencies against these malicious practices. So how does the scam work exactly? Let’s explore.

What Does Phishing in The Crypto Scene Look Like?

You may see a Facebook post or YouTube video by Ledger advertising an airdrop of $100k worth of free crypto. Why not trust a brand you already know and use? But, that’s how the scammer gets you.  A bad actor will impersonate a brand you know and respect. The aim is to gain your trust, and then abuse it to gain access to your crypto.

While the example might have been easy to spot, other phishing attempts may be more subtle. This is why even crypto veterans can end up getting scammed.

For instance, say you’re an avid NFT trader using the NFT marketplace Opensea daily. Someone posts an Opensea link to an NFT you like on Twitter. You follow the link and make the purchase. Only afterward, do you notice that the marketplace you decided to buy it from was not Opensea.io (the official site) but Opensea.it or Opensea.yougotpunked. Unfortunately signing approvals on phishing sites could lead to losing multiple assets. In some cases, your wallet may be drained entirely. 

What Do Crypto Phishing Scammers Want?

Typically, phishing scammers are aiming to do one of three things: hack your web2 device, reveal your private information, or convince you to sign malicious transactions or approvals. Let’s see how each phishing scam works.

Malware and Spyware on Your Web2 Device

Phishing can be a great tool to convince you to download malicious software on your laptop or smartphone. For example, a phishing site may pose as Ledger and convince you to download a virus disguised as Ledger Live. From there the hacker may be able to control your web2 device.

Your Login Details or Secret Recovery Phrase

Most often, phishing sites pose as familiar sites to gain your trust and steal your information. It’s as simple as asking you to log in to your account, recording the email and password you input, and then using those credentials to log in to the official platform and steal your assets. 

Sometimes, a phishing site may go a step further, creating pop-ups that pose as a wallet provider. In these cases, the phishing site will impersonate a wallet provider, and use scare tactics to goad you into handing over your secret recovery phrase. It might say “The terms and conditions have changed, enter your SRP in 4 hours or lose access to your crypto!”. This is a scam! You should never enter your SRP into any platform that asks.

Malicious Smart Contract Approvals

Finally, phishing scams might be leading you to sign malicious approvals or transactions instead. Once you connect an account with valuable assets to the phishing platform, it will prompt a malicious approval. Signing that approval could result in a scammer draining your account in an instant. And revoking approvals costs gas fees too, something that can pose a challenge if your account is compromised.

How to Mitigate Risks Involving Crypto Phishing Scams

Phishing comes in all shapes and sizes and thus staying vigilant of all possible scams is the best option. But how can we avoid phishing exactly? 

Don’t Click Any Links

The first thing you can do is treat links suspiciously. If someone sends you a link, don’t just trust it blindly. On social media platforms and in emails, it’s incredibly easy to disguise a link. Unfortunately, this means it’s easy to fool you into thinking you’re accessing a trusted site when you’re not. Accessing a malicious website could be the start of a scam to convince you to hand over the keys to your crypto, or it could download malware on your computer or smartphone. Thus, don’t click any links you’re not 100% sure you can trust.

Use a Hardware Wallet

The next thing you can do to mitigate some of the risks of phishing is to use a hardware wallet. It protects you from malware and spyware you may have on your computer after being phished on your web2 device. To explain, using a software wallet, you could reveal your private keys to hackers on your smartphone or computer. A hardware wallet helps you mitigate this risk, but that’s not to say they are immune to phishing attacks. 

In some cases, phishing sites will aim to get you to sign approvals on your hardware wallet. In these cases, signing the approval hands a blank cheque over to the scammer. Once they have your signature on an approval to move your assets, they can and they will steal from you. 

Segregate Your Assets

If you’re going to sign approvals to use experimental and potentially untrustworthy platforms, it’s good practice to segregate your assets. This means keeping your valuable assets in a separate account from the one that connects to apps and services. 

Using a hardware wallet, it’s easy to set up multiple accounts managed by the same device. And luckily, each account operates separately from one another. This means you can sign potentially untrustworthy transactions with one account without affecting any others. 

A great model to segregate assets involves three accounts. The first account is for storing your most valuable assets. Also called a cold wallet, it is banned from interacting with any apps or services. The second account is for accessing trusted platforms; allowing you to buy and sell digital assets from places you are familiar with. The final account is a “minting” account; which is reserved for interacting with potentially dangerous apps and platforms. This account should never contain more crypto than is necessary, meaning if you do get scammed, you don’t lose anything of value. Some users even take these sorts of accounts a step further, setting up a burner wallet for a single dangerous transaction.

Don’t Trust, Verify

The final barrier is you. Thus, the most important thing you can do is verify each transaction thoroughly. Don’t set approvals to new sites without doing your research, and make sure the site you’re accessing is the official one. Always check the official URL of any website you want to visit and cross-check it with the one you’re accessing. Remember: a discrepancy probably means you’re on a phishing site. 

Beyond that, you’re the only one that can sign your assets away. Verify the contract address of any blockchain app you sign approvals for. And try not to sign approvals without understanding what they do!

Learning about smart contracts and their functions will help you dissect each approval before you sign. But if that’s too technical for you, it’s also better to stay away from blind signing.  If you explore web3 from within the Ledger ecosystem, you can rest assured that any transaction or approval you sign will be presented to you in human-readable language. This is thanks to Ledger Live’s clear signing plugin. 

Ledger’s Official Links

To help you find the official Ledger accounts amongst all of the impersonators, save this list for later!

Ledger Twitter (X) account

Ledger Customer Support Twitter (X) account

Official Ledger Discord Server

Ledger’s official homepage

Ledger’s official shop

Official Ledger Live download page