Cryptocurrency is a new and exciting space full of technological innovation and brilliant ideas, and is referred to by some as the ‘gold rush of the 21st century’. Unfortunately with great opportunity also comes great risk - and some of the biggest risks facing cryptocurrency participants today are scams. In part one of this guide, we covered a few of the most prominent scams in cryptocurrency and outlined several methods of identifying and avoiding them. In today’s segment of this guide we will be covering some lesser known scams, and the steps that can be taken to protect yourself against them.
One of many ways that scammers rob people of their hard-earned funds in crypto is by reaching out to the victim directly. This is done under the guise of being support personnel or someone offering assistance, oftentimes occurring directly after the victim asks a question on social media channels such as Twitter, Telegram or Discord. This can often seem legitimate because scammers will usually copy a real mod or team member’s profile in an effort to gain the victim’s trust.
Due to the direct and targeted nature of this scam, it is commonly called “spear phishing”, and is most successful against new entrants to the crypto market that are unfamiliar with common security practices used by seasoned crypto veterans.
While impersonating support personnel, the scammer will offer to help the victim resolve their issue, and tell them that they will need a few pieces of information. Scammers can try to make this seem urgent by using complex language to confuse the victim into thinking that resolving the issue is time-sensitive. Typically, scammers will ask for the victim’s 12-word mnemonic key to their crypto wallet, or ‘seed phrase’. If the victim divulges their seed phrase to the scammer, the wallet is drained in a short amount of time and contact is cut between the scammer and the victim. Unlike with credit or debit cards, there is no way to reverse transactions in cryptocurrency. Once funds are gone, they are gone forever.
In a recent phishing attack, scammers were able to trick users into believing that they were transacting on Uniswap, a popular Ethereum-based decentralized exchange. Fortunately for Uniswap, a security team at Binance was able to identify the ongoing threat and notify Uniswap staff before the phishing attack got out of hand.
"Connected with the @uniswap team. The protocol is safe.
The attack looks like from a phishing attack. Both teams responded quickly. All good. Sorry for the alarm.
Learn to protect yourself from phishing. Don't click on links. 🙏 pic.twitter.com/FIXebz3iBC"
- CZ 🔶 Binance (@cz_binance), July 11, 2022
This was unfortunately too late for some users, who lost a collective total of over 4,295 ETH or $4,466,198 USD at the time of writing this blog. Uniswap staff identified the vector of attack as Web2-based phishing, which highlights the importance of taking steps to protect yourself against this all-too-common variety of scam.
Spear phishing is fortunately one of the easiest scams in crypto to avoid, by utilizing a few simple rules of thumb. These are as follows:
Team members, moderators, administrators, or support personnel will NEVER direct message (DM) you first. Any contact made with these personnel should be initiated by the person who requires assistance. If you get a random DM, there is a 99% chance that it is a scam.
No one legitimate will ever ask you for your seed phrase. Your seed phrase or 12-word mnemonic passphrase should never be given to any other person. Project personnel will never under any circumstances need your seed phrase for any purpose. If someone asks for this information, they are trying to steal your funds. This also applies to any website visited that asks you to ‘verify’ your wallet. There is no such thing as verifying a wallet in cryptocurrency, as all wallet data is immutable and stored on the blockchain.
Your seed phrase should not be stored digitally on your phone or computer. Some advanced hacks and scams can identify your seed phrase from cloud storage or servers. Your seed phrase should only be stored on a physical piece of paper or metal, and kept in a secure and private location. While this piece of advice doesn’t necessarily relate to spear phishing, it is an integral part of cryptocurrency security and should be mentioned regardless.
Decentralized (DEX) and centralized exchanges (CEX) will never require your seed phrase to allow you to transact on their platforms. If a DEX or CEX is asking for this information, you are in the process of being scammed and should leave the website that you are on immediately.
By simply ignoring random DMs and never giving out your seed phrase, most, if not all, spear phishing attacks can be avoided entirely. Once again, these scams target new entrants to the space, which is why it is so important that every cryptocurrency participant familiarizes themselves with common security practices.
Another very common scam in cryptocurrency is the ‘dusting attack’. This scam utilizes smart contract technology, which is covered more in depth in part one of this blog. Dusting is the act of sending out a worthless token to many thousands of wallet addresses, in the hopes that a few of those people will interact with or try to sell the token. These tokens are cleverly propped up in order to appear valuable — some dusting attacks might even appear to be worth thousands of dollars. In actuality, these tokens are completely worthless and are only inflated in value to entice the victim into attempting to sell.
By interacting with or trying to sell the token, the victim allows the token’s smart contract complete and unfettered access to their crypto wallet. Once access has been granted, the smart contract behind the scam token can then remove all other funds from the victim’s wallet. Once again, if funds have been drained from a wallet, they are unrecoverable.
Dusting can also be used in an effort to de-anonymize certain individuals with valuable wallets. This method is more complex and relies on piecing together identifiable information about an individual such as wallet address, name, or location. If hackers are able to piece together enough information about an individual, that person can then be targeted personally and extorted into sending their funds to the scammers. This method of dusting is extremely rare and much more complicated than the method previously mentioned, and should not be on top of the list of worries for most crypto holders.
The easiest way to completely avoid dusting attacks is to never interact with tokens in your wallet that you did not explicitly purchase. There aren’t people giving out free money in crypto — and if it’s too good to be true, it is.
If you feel as though you have interacted with a token that you did not purchase, there is still a chance for you to secure your wallet. Token approval revoking tools such as EverRevoke are able to identify which tokens have access to your wallet, and allow you to revoke their permissions for a minimal blockchain gas fee. Once a token has had its permissions revoked, it is impossible for it to transact within your wallet without you explicitly giving it permission again. Token permissions are signed for in a pop-up window in wallets, and are hard to miss. You wouldn’t be able to grant a token permissions to your wallet without knowing about it.
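How a revoke tool can work out which permissions are still live, as an added example that is not EverRevoke's code or part of the original post: it assumes the tokens follow ERC-20, where each permission is recorded as an Approval(owner, spender, value) event and revoking means setting the value back to 0. The addresses and events are constructed placeholders.

```python
from collections import namedtuple

UNLIMITED = 2**256 - 1  # max uint256, the "unlimited" allowance value

# One decoded ERC-20 Approval(owner, spender, value) event.
Approval = namedtuple("Approval", "block token owner spender value")

def outstanding_approvals(events, owner):
    """Replay events in block order; the latest value per (token, spender) wins."""
    latest = {}
    for ev in sorted(events, key=lambda e: e.block):
        if ev.owner == owner:
            latest[(ev.token, ev.spender)] = ev.value
    # A value of 0 is a revocation. transferFrom may also lower an allowance
    # without an event, so a real tool confirms with the token's allowance() call.
    return {k: v for k, v in latest.items() if v > 0}

def to_revoke(events, owner, trusted_spenders):
    """Live approvals granted to spenders the holder does not recognise."""
    live = outstanding_approvals(events, owner)
    return sorted(
        (token, spender, "unlimited" if value == UNLIMITED else str(value))
        for (token, spender), value in live.items()
        if spender not in trusted_spenders
    )

# Constructed events with placeholder addresses (not real contracts).
EVENTS = [
    Approval(100, "0xTOKEN_A", "0xOWNER", "0xDEX_ROUTER", UNLIMITED),
    Approval(120, "0xTOKEN_B", "0xOWNER", "0xUNKNOWN_SPENDER", UNLIMITED),
    Approval(130, "0xTOKEN_A", "0xOWNER", "0xUNKNOWN_SPENDER", 500),
    Approval(140, "0xTOKEN_A", "0xOWNER", "0xUNKNOWN_SPENDER", 0),  # revoked
    Approval(150, "0xTOKEN_C", "0xSOMEONE_ELSE", "0xUNKNOWN_SPENDER", 10),
]

if __name__ == "__main__":
    for row in to_revoke(EVENTS, "0xOWNER", {"0xDEX_ROUTER"}):
        print("revoke:", row)
```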
Another common and deceptive trick used by scammers is the fake website. These websites are designed to closely resemble legitimate websites that users may even be familiar with, such as popular decentralized exchanges. These sites can be stumbled across by accident while searching for a real site, but are most commonly sent via DM by scammers to their victims.
These webpages will then prompt the user to connect their DeFi wallet in order to ‘validate’ funds or transact with what they are led to believe is a legitimate service. Once the user has connected and signed approval for the webpage, the funds in their wallet are quickly drained and sent to the scammer’s wallet. Once again, in instances such as this, there is no recourse for the person who has been scammed. If funds have been stolen, they are gone forever. This is why due diligence and being safety conscious is so important in the world of cryptocurrency.
The best way to avoid fake websites is to never click on links from strangers, and to always double check the URL or web address of any webpage that you are visiting. Some scam URLs can closely resemble legitimate URLs, which is why it is important to double check that you are on the correct webpage.
If a user was attempting to visit Binance.com, scam URLs might look like the following:
As you can see, these URLs are designed to closely resemble the legitimate one, and trick the user into believing that they are on a secure and trustworthy site.
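The "double check the URL" advice can be turned into a mechanical check, shown here as an added example that is not part of the original post: it compares a link's real host against a personal allowlist and explains why a near-miss looks suspicious. The allowlist, the brand list and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumptions for this example: the reader's own allowlist and brand labels.
TRUSTED_HOSTS = {"binance.com", "www.binance.com"}
BRANDS = {"binance"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url):
    """Return a list of warnings; an empty list means nothing suspicious was found."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    warnings = []
    if parts.scheme != "https":
        warnings.append("not https")
    if parts.username is not None:
        warnings.append("text before '@' is not the host")
    if host in TRUSTED_HOSTS:
        return warnings
    warnings.append("host %r is not on the allowlist" % host)
    labels = host.split(".")
    if any(lab.startswith("xn--") or not lab.isascii() for lab in labels):
        warnings.append("internationalized label, possible homoglyph")
    for brand in BRANDS:
        if brand in labels:
            warnings.append("brand %r appears inside another domain" % brand)
        elif any(edit_distance(lab, brand) <= 2 for lab in labels):
            warnings.append("label within 2 edits of %r" % brand)
    return warnings

# Constructed samples on the reserved .example TLD, not real scam URLs.
SAMPLES = [
    "https://www.binance.com/en",
    "https://binance.com.account-verify.example/login",
    "https://blnance.example/",
    "https://binance.com@wallet-check.example/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", check_url(url) or "ok")
```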
Another way to avoid fake websites is to use a search engine such as Google to search for DeFi or crypto webpages. Google has inherent security built into its engine with how it ranks and indexes sites — if a site has high traffic, usefulness to the end-user, and authority on a subject, it will rank higher than a site set up to scam a few unlucky victims. Google’s algorithm for ranking sites analyzes over 200 unique factors to ensure that you see the most relevant and popular content. What this means is that if you search for Binance.com, Google will ensure that the first results on its search engine are legitimate and safe.
While cryptocurrency can be confusing and unfamiliar for new users, following the safety practices outlined in this blog is an excellent starting point for ensuring your continued safety in this exciting and innovative space. If you haven’t already read part one of this guide I wholeheartedly recommend that you do so, as it contains many other helpful tips and tricks on keeping you and your funds safe.