What is phishing?
Phishing is a method of tricking people into giving up personal and valuable information, most often for financial benefit.
Although phishing is not “hacking” in the most traditional sense—where a malicious actor uses computer program exploits or flaws to gain access to an individual’s data—it can have the same result. Phishing is a social engineering scam because it involves manipulating people through psychological approaches. However, it is also lumped in with other hacking techniques because it often involves a technology interface.
Phishing got its name in the early days of the Internet. Most attribute its original use to hackers who stole login information from users of AOL in the mid-1990s. They threw lines into the waiting sea of “fish” and hoped for a bite. The “ph” is a callback to the word “phreaking,” which is a historical term used for reverse engineering and experimenting with analog phone signals.
Nowadays, the most common types of phishing use e-mail and messaging systems (including SMS and apps like WhatsApp). However, these social engineering scams can also involve hijacking of web pages, QR codes, and a variety of other media.
Crypto phishing attacks
Protecting your cryptocurrency means understanding what types of attacks are possible. Although many types of phishing attacks are used by hackers targeting users’ crypto wallets, some are more common within the crypto space, including:
Spear phishing
Hackers target individuals and contact them using background information they already have. For instance, if a user is known to have interacted with a certain website, the hacker may pose as that website and send an e-mail with a malicious link or ask for the user’s private data (like login credentials) outright. Scammers may also contact users through SMS messages or apps like WhatsApp and Telegram.
Browser extensions
Scammers can code fake versions of browser-based wallet software (most commonly MetaMask). These apps might look just like the original ones, but when users put in their information—like seed phrases—they unknowingly hand their funds over to another party.
Ice phishing
Hackers trick users into signing transaction requests that grant a malicious party approval to spend their assets. In the traditional finance world, this is akin to keeping your bank account number hidden, but unknowingly converting your individual account to a joint one—where someone else can make withdrawals.
Airdrop phishing
Like ice phishing, airdrop phishing relies on tricking users into signing transactions and interacting with a malicious smart contract. However, this scam is based on a promise to users that signing the transaction will allow them to collect a bounty of tokens in the form of an airdrop.
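The ice phishing and airdrop phishing descriptions above both come down to the user signing an approval. As an added example (not part of the original article), this Python code decodes transaction calldata and reports when it grants spending rights to a spender the user has not vetted. It assumes the standard ERC-20 `approve` and ERC-721 `setApprovalForAll` calls; the addresses and calldata are constructed.

```python
# Added example, not from the original article. Selectors are the standard
# ERC-20 / ERC-721 ones; every address and calldata string is constructed.
APPROVE = "095ea7b3"               # approve(address spender, uint256 amount)
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address operator, bool approved)
MAX_UINT256 = 2**256 - 1
HEX = set("0123456789abcdef")


def describe_approval(calldata_hex, trusted_spenders=frozenset()):
    """Return what an approval call grants, or None if it is not an approval.

    trusted_spenders holds lowercase 0x-prefixed addresses the user has vetted.
    """
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    selector, args = data[:8], data[8:136]  # selector + two 32-byte words
    if selector not in (APPROVE, SET_APPROVAL_FOR_ALL):
        return None
    if len(args) < 128 or not set(args) <= HEX:
        return None  # truncated or malformed: refuse to interpret it
    spender = "0x" + args[24:64]  # an address is the low 20 bytes of word 0
    value = int(args[64:128], 16)
    is_approve = selector == APPROVE
    return {
        "function": "approve" if is_approve else "setApprovalForAll",
        "spender": spender,
        "amount": value if is_approve else None,
        "unlimited": value == MAX_UINT256 if is_approve else value != 0,
        "revoke": value == 0,
        "spender_trusted": spender in trusted_spenders,
    }


def should_warn(calldata_hex, trusted_spenders=frozenset()):
    """True when the call hands spending rights to an unvetted spender."""
    info = describe_approval(calldata_hex, trusted_spenders)
    return bool(info) and not info["revoke"] and not info["spender_trusted"]


# Constructed samples: a made-up spender address in three different calls.
SPENDER = "0x" + "ab" * 20
UNLIMITED = "0x" + APPROVE + SPENDER[2:].rjust(64, "0") + "f" * 64
REVOKE = "0x" + APPROVE + SPENDER[2:].rjust(64, "0") + "0" * 64
TRANSFER = "0xa9059cbb" + SPENDER[2:].rjust(64, "0") + "0" * 63 + "1"

if __name__ == "__main__":
    for name, tx in [("unlimited", UNLIMITED), ("revoke", REVOKE), ("transfer", TRANSFER)]:
        print(name, describe_approval(tx), "WARN" if should_warn(tx) else "ok")
```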
Typosquatting
Scammers may use website or protocol names that are similar to—but not exactly—real ones. By changing an “I” to a “1” or making other small changes, they may fool users into believing they are interacting with a legitimate source. This makes users more likely to share their private data.
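One way to catch the character swaps described above, as an added example that is not part of the original article: fold common look-alike characters together and compare the result against a list of domains the user already trusts. The trusted domains, the folding table and the candidate names are constructed assumptions.

```python
# Added example, not from the original article. TRUSTED and all candidate
# domains are constructed; FOLD is an assumed, non-exhaustive look-alike table.
TRUSTED = ("examplewallet.io", "exampleswap.finance")
FOLD = str.maketrans({"1": "l", "i": "l", "|": "l", "0": "o", "5": "s", "3": "e"})


def skeleton(domain):
    """Collapse visually confusable characters so look-alikes compare equal."""
    s = domain.lower().rstrip(".")
    s = s.replace("rn", "m").replace("vv", "w")  # two-letter look-alikes
    return s.translate(FOLD)


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_domain(domain, trusted=TRUSTED):
    """Classify a domain as exact, lookalike, near-miss or unknown."""
    d = domain.lower().rstrip(".")
    if d in trusted:
        return ("exact", d)
    for good in trusted:
        if skeleton(d) == skeleton(good):   # same shape, different characters
            return ("lookalike", good)
    for good in trusted:
        if edit_distance(d, good) <= 1:     # one dropped, added or changed character
            return ("near-miss", good)
    return ("unknown", None)


if __name__ == "__main__":
    for name in ["examplewallet.io", "examplewa11et.io", "exarnplewallet.io",
                 "examplewalet.io", "unrelated.org"]:
        print(name, check_domain(name))
```

Only an "exact" result means the name matches a trusted domain; "lookalike" and "near-miss" name the trusted domain being imitated.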
DNS spoofing
Whereas typosquatting a website requires a slightly different domain name, DNS spoofing is slightly more sophisticated. Hackers hijack the back-end of a website so that when users go to a specific site, they are unwittingly redirected to a scammer’s site. There, they may be comfortable submitting their login information or other sensitive data, but it is stolen by the hackers in the background. One of the most notable crypto DNS spoofing attacks was used against PancakeSwap and Cream Finance in 2021.
Preventing crypto scams: cryptocurrency security tips
Phishing is not the only type of crypto security threat, but it is one of the more common ones. In general, a good rule of thumb is “only interact with individuals and protocols you trust.” However, this can be complex, especially as scammers get more sophisticated. Regardless, some helpful facts and tips follow.
- Always check the sender of an e-mail, text, or message in an app. Check that they are writing from a known address/number, that there are no typos in the name or body of the message, and that you’d expect the individual, protocol, or company to reach out to you. Don’t open any links or attachments from a suspicious sender.
- You should never submit your crypto private keys to a service via e-mail, text, app message, or even on a website. Also protect your username/password on relevant platforms like centralized exchanges.
- Be careful about the apps you download and use. This includes browser extensions (especially crypto wallets) and web-based decentralized apps (dapps). Ensure you are using the official and most up-to-date versions.
- When interacting with smart contracts, ensure you trust the developer and you are using the protocol you think you are.
- Research airdrops before participating.
- If you are concerned about the veracity of a communication or protocol, search for other users asking the same question. Trust your instincts and do your due diligence.