
Scams and phishing attacks

Overview

Whenever crypto enters a bull market, this brings with it adoption and widespread awareness about the opportunities to be found in this new and exciting market. But with plenty of new people entering the scene, often unaware of the risks (as they differ substantially from the risks in traditional finance), this creates the perfect environment for scammers. This is why the amount of funds stolen through various types of scams tends to spike together with the market cap of crypto – wherever there are legitimate opportunities for huge profit, there will be even more ways for criminals to defraud unsuspecting investors.

There are two main areas that we’ll cover here: scams posing as investment opportunities and phishing attacks. Both of these range from the downright obvious ones to scams that are so elaborate that one can’t help but think that the scammers could have made an honest living from crypto based on their level of knowledge. But, regardless of how sophisticated the scams can get, there are some simple steps that you can take to avoid falling prey to them, and we’ll outline these below.

Before we get to fraudulent ICOs, there’s one simple but surprisingly common scam that we need to mention here, namely doubling scams and offers from “professional traders” and “investment funds” to trade your crypto for you. There’s just one simple rule you need to keep in mind here: if someone contacts you and offers to trade your crypto for you, or offers a risk-free investment that will bring profits quickly, you can be absolutely certain that it’s a scam. That sort of thing simply never happens in a legitimate way, and it’s easy to see that it wouldn’t make any sense.

If someone were really that profitable, they would just trade their own money, or even take out a loan which they would have no problem repaying given their alleged success. If instead they want to trade the funds of someone else – and crypto at that, which is extremely hard to trace – then the only reason they would do so would be that they’re intending to simply steal the money.

Fraudulent investments and ICOs

This type of scam is something that typically targets people who already have at least some entry-level knowledge in crypto, i.e. enough to know about the amazing returns that ICOs (Initial Coin Offerings) can bring.

ICOs and other token generation events such as IEOs (Initial Exchange Offerings) and IDOs (Initial DEX Offerings) offer investors an opportunity to buy a new crypto token before it starts trading on the open market. This can bring very attractive returns, with some tokens bringing upwards of 10x the ICO price in the first days after the listing. However, getting an allocation in an ICO can be very difficult, and with demand far higher than supply, this creates an ideal opportunity for scammers.

The scam is simple – the criminals create an ICO, with a token and a website that promises a lot in terms of development, but they have no intention of ever actually delivering on their promises. Instead, they take the money from unsuspecting ICO investors, and either disappear immediately or take advantage of the subsequent listing to keep the scam going and sell even more of their tokens. This is where fundamental analysis comes in.

When assessing whether to invest in an ICO, always do your due diligence and check whether the project looks legitimate. Doing this in detail requires extensive knowledge of the field, but there are some steps that anyone can take in order to reduce their chances of falling prey to scams.

Firstly, it’s a good idea to research the actual project, and especially the team behind it. While there are many excellent projects in crypto (and especially in DeFi) that have been founded by anonymous teams, it’s generally a safer bet to invest in a project with a public team. Simply put, it’s much harder for scammers to get away with the money if their identity is public, as they would likely face prosecution, which is why they typically choose to stay anonymous.

Another important thing to check out is the token supply and distribution. If this data isn’t available, then that is the most obvious red flag, but if it is, you need to find how much of the token supply will be sold in the ICO and how much will be allocated to the team behind the project. Ideally, the implied initial market cap (which you get by multiplying the ICO price by the circulating supply at the start of trading) shouldn’t be too optimistic, and the team funds should have a long vesting period (i.e. their tokens should be locked for a specific length of time and then released gradually, preventing them from dumping their supply).

If the token distribution looks legitimate, then the next step is to check whether the solutions and use cases proposed by the project make sense, but this depends on the exact area that they’re active in, so it can’t be covered in general. Overall, it’s important to treat ICOs as extremely high-risk investments, and never invest more than you could afford to lose.

Phishing attacks

Phishing attacks can be easier to set up than fraudulent ICOs, and they often target newcomers to crypto, but some of them can be surprisingly complex.

One way to divide them would be to talk about general and targeted attacks. General phishing attacks don’t rely on any previously known information about the users they target, meaning that they’re aimed at all the users of a particular service. Usually, these attacks work by getting users to click on a link that looks like the website of an exchange or other crypto service, but is actually a fake website designed to steal the users’ data.

When someone attempts to log in to the fake website by entering their email and password, the hackers then use this data to log into their real account and drain all their funds. These fake websites can look identical to the real ones, and the links are often very similar (for example substituting “rn” for “m,” which can be hard to spot).

One way to protect yourself from these scams is to always check the URL you’re visiting (and ideally to bookmark it so you’ve always got it ready), and to avoid clicking on any links unless you’re completely certain that they’re from the exchange itself.
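The URL check described above can be automated. The following is an added example, not code from the original article: it compares a link's real host against a bookmark allowlist and flags look-alikes such as the “rn” for “m” substitution. The host names, the `CONFUSABLES` table and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist standing in for your own bookmarks (placeholder names).
TRUSTED_HOSTS = {"example-exchange.com", "modernwallet.example"}

# Character sequences that render alike, folded to one canonical form.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def skeleton(host: str) -> str:
    """Fold look-alike sequences so visually similar hosts compare equal."""
    for seq, canon in CONFUSABLES:
        host = host.replace(seq, canon)
    return host


def host_of(url: str) -> str:
    """Return the host a browser would actually contact, lowercased.

    urlsplit drops any 'user@' prefix, so 'https://trusted.com@other.example/'
    yields 'other.example'.
    """
    try:
        return (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return ""


def matches(host: str, trusted: str) -> bool:
    """True for the trusted host itself or one of its subdomains."""
    return host == trusted or host.endswith("." + trusted)


def classify(url: str) -> str:
    """Return 'trusted', 'lookalike', 'unknown' or 'invalid' for a URL."""
    host = host_of(url)
    if not host:
        return "invalid"
    if any(matches(host, t) for t in TRUSTED_HOSTS):
        return "trusted"
    # Not an exact match: does it only *look* like a trusted host?
    if any(matches(skeleton(host), skeleton(t)) for t in TRUSTED_HOSTS):
        return "lookalike"
    return "unknown"
```

Only a `trusted` result means the link points at a bookmarked service; `unknown` covers everything else, including a trusted name placed before an `@` or used as a subdomain prefix of another domain.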

Targeted phishing attacks are more sophisticated, and they require the scammers to obtain some information on the potential victims. This can happen when there are data breaches: for example, when the Ledger customer database was breached in 2020, the contact info of their customers was stolen and used for numerous phishing attacks. The victims received emails that claimed to be from Ledger, asking them to input their seed phrase in order to secure their wallets. Of course, anyone that did that would have their wallets emptied by the scammers, while some users even received targeted phone calls with threats and extortion attempts.

Sometimes, attacks can be even more directly targeted, such as when scammers gain access to someone’s email account. They can then see the previous emails and write targeted phishing emails to the breached user’s contacts, before the account owner even realizes the breach.

In any case, the steps to take are similar across all the different levels of sophistication: never click on links unless you’re absolutely certain that they’re legitimate, and if you’ve already fallen victim to a phishing attack, immediately change your login credentials on all websites that you use. If the funds have already been stolen, then contact an agency like CipherBlade, which can help track down the lost tokens and report the issue to the authorities.