As I have said on the cryptocurrency security page, cryptocurrency is becoming more and more valuable. You will hear many naysayers who laugh, scoff and call you crazy, but you are a well-read, insightful individual with a knack for spotting an early global transition and disruption in the financial system. Cryptocurrencies and their underlying technology, protocols, networks and use cases are a huge reason why they have significant value. Because cryptocurrencies are native online currency, scammers have stolen, and will continue to try to steal, individuals’, exchanges’ and institutions’ cryptocurrency. This post is a brief but useful guide on how to protect against cryptocurrency phishing attacks.
If you need a review on phishing, check out my post on cryptocurrency phishing attempts.
While this may sound a little militant, you never know when someone might try to hack or phish you. I don’t mean to scare you into living a life of paranoia around your crypto, but I must advise you to exercise extreme caution with protecting your cryptocurrency. You worked for your hard earned money, you saved diligently and you made an investment in cryptocurrency. So why become lax now? Take some simple steps to protect your investments, and thus your future financial freedom.
How to protect against cryptocurrency phishing attempts, TL;DR:
- Always complete software updates, especially anti-virus ones
- Favourite (bookmark) your websites, so you never have to follow a phoney or phishing link
- Carefully read every email. Is it suspicious? Does it conflict with what you know? If it reports activity you did not carry out, double-check the sender’s address and any links it sends you to before acting. Never download anything from a suspicious email
- Secure your phone
- Use 2FA (2-factor authentication), ideally physical security keys; second best, an authenticator app such as Google Authenticator
- Shhhh. Never give away sensitive information (amount of cryptocurrency you possess, name, address, birthday, phone number, mother’s maiden name, etc.)
- Proof-of-keys: hold your own private keys, ideally on an encrypted cold wallet
1) Update Your Software To Protect Against Phishing!
An easy, generally well-accepted security technique is to install software updates as soon as possible on all of your devices. That means backing up your laptop/desktop computer, syncing your phone/tablet to the cloud and then taking 10 minutes to complete any and all updates. There are a few main reasons to do this: software is made by humans, ergo, it can have errors. Especially in newer software or applications, errors sometimes do not become apparent during testing but are discovered after (or because of) mass use of the product. Developers will then send out software updates that include patches for bugs and security holes and/or new features.
Moreover, unbeknownst to most of the public, the software world is one of constant evolution, an “arms race” between developers and hackers. Just as there is constant development of military technology and strategy between enemy nations, or evolution of biological features for survival of the fittest in nature, software is continually advanced to keep a few steps ahead of the hackers. This is one of the most important reasons to update your software. Updating gives you the most secure version of your computer/mobile device operating systems and applications. This is a basic way to protect yourself from phishing and scammers.
2) Favourite Your Websites To Protect Against Phishing!
As I described in my previous post about phishing attempts, hackers can change a single character in a website URL and it will lead you to a completely different domain, albeit one designed to look like the intended target website. This can even happen when you search for sites on Google. Scammers can use SEO tricks or pay for the top few spots on Google, mimicking the site you intend to visit, and pay for the ads with the profits from the scam. This may sound a little sketchy or unrealistic, or even a little conspiracy-like or fearmongering; however, it is known to happen. (This was one of the scams used against the MyEtherWallet (MEW) website.)
An effective counter-strategy to this phishing technique is to diligently verify that you have the correct website domain, favourite the site, and from that moment onward only use that favourite to navigate to it.
This matters most for sites such as cryptocurrency exchanges, hot wallet websites, legacy institutions (banks, sites for checking your credit score, online stock exchanges/platforms like eToro, Questrade, etc.), email sites and social media platforms that contain sensitive information. Really, any website where you want to be sure you are on the true site and not on some scammer’s copy built to phish your information in order to hack and steal from you.
3) Carefully Read Your Emails To Trash/Flag Phishing
One common phishing technique that can take many different shapes and sizes is email phishing. As I described in my previous post on phishing, scammers will produce a convincingly realistic email that requires you to take action or reply with some sensitive information.
Protect yourself, your data, and your finances by carefully reading your emails before clicking any links, before opening any attachments or before replying.
If an email requires that you do any of the above (opening a link, attachment or sending a reply) take a moment to ask yourself:
- Do I know the sender?
- Am I expecting this email?
- Does it sound or seem suspicious? (trust your gut, and when in doubt assume it is)
- Does the email seem out of place or unexpected? (e.g. unpaid taxes, security issues with your account, requests to verify your account or privacy information)
- Is there a “too good to miss” opportunity?
- Would the institution or supposed sender ask for sensitive information via email? (most crypto exchanges, hot/cold wallet companies, banks, tax agencies etc will not).
After you have thoroughly gone through the email with the above questions, double-check the sender’s email address. Is the address correct or does it seem off? Read it slowly, spell it out, write it out to see if you can spot any errors or omissions.
If you suspect a phishing attempt, mark the email as spam! Email providers do try to filter this garbage out to protect you, but no spam filter is perfect (recall the arms race above). We must all play our part for security.
Be suspicious. The institution that I work for happened to send out a phishing email (as a test of its employees). Coincidentally, that very week I had listened to a podcast on cybersecurity and some red flags went off in my head. The email notified me that suspicious activity had been found on my account and that I was to follow the link to verify my username and change my password. However, my first thought was that I wasn’t doing any suspicious activity online; I only logged in at work, not at home, and I never (not once) let my ID badge (which has a chip to tap-login to the computer) out of my sight. So I was immediately suspicious of the email. I then checked the sender’s email address and one single character had been changed (from a “t” to an “l”). Bingo. I called my institution’s IT department to let them know I had received a phishing email. They told me that it was a test email they had sent; the guy sounded a little disappointed he didn’t catch me in his trap, LOL.
Now, this is simple, basic good email practice. Make sure you have a quality email provider such as Gmail or ProtonMail. There are many things scammers can try to phish you for, and cryptocurrency is becoming a more and more popular target for phishers.
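As an added example (not code from the original post), here is a small Python check that applies the advice of sections 2 and 3 together: it compares the domain of a URL, or of a sender’s email address, against a constructed allowlist of bookmarked domains and flags a single-character swap (the “t” to “l” case above), look-alike glyphs such as “rn” for “m”, and a trusted name buried inside someone else’s domain. The trusted domain names are placeholders, and the registrable-domain logic is a simplification that ignores public suffixes.

```python
from urllib.parse import urlsplit

# Constructed allowlist: domains the user has verified and bookmarked.
# These names are illustrative placeholders, not real trusted sites.
TRUSTED_DOMAINS = {"myetherwallet.com", "examplebank.com", "examplexchange.io"}


def fold(name: str) -> str:
    """Collapse glyphs that look alike ('rn' vs 'm', '1' vs 'l', '0' vs 'o')
    so visually similar names compare equal."""
    name = name.lower()
    for pair, single in (("rn", "m"), ("vv", "w")):
        name = name.replace(pair, single)
    return name.translate(str.maketrans({"1": "l", "i": "l", "0": "o", "5": "s"}))


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a distance of 1 is the single-character swap the post describes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(target: str) -> str:
    """Return the host part of a URL, or the domain part of an email address."""
    if "@" in target and "://" not in target:
        return target.rsplit("@", 1)[1].lower().strip(">")
    if "://" not in target:
        target = "https://" + target
    return (urlsplit(target).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: no public-suffix list,
    so names under suffixes like 'co.uk' would need extra handling."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def classify(target: str, trusted=TRUSTED_DOMAINS) -> str:
    """'trusted' if the registrable domain is bookmarked, 'lookalike of X' if it
    merely resembles or embeds a bookmarked name, otherwise 'unknown'."""
    host = host_of(target)
    domain = registrable_domain(host)
    if domain in trusted:
        return "trusted"
    for good in trusted:
        # Trusted name used as a subdomain of someone else's domain.
        if f".{good}." in f".{host}.":
            return f"lookalike of {good}"
        # Same name once look-alike glyphs are folded, or one edit away.
        if levenshtein(fold(domain), fold(good)) <= 1:
            return f"lookalike of {good}"
    return "unknown"


if __name__ == "__main__":
    for sample in ("https://www.myetherwallet.com/", "https://myelherwallet.com/login",
                   "https://myetherwallet.com.evil.example/", "security@examplebank.corn"):
        print(f"{sample:45} -> {classify(sample)}")
```

Anything that comes back as a lookalike or unknown is a reason to stop and use your favourite instead of the link in front of you.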
4) Phone Security To Protect Your Cryptocurrency From Phishing
Our smartphones/mobile devices are like an extension of ourselves. As the 21st century progresses, our lives will be integrated with technology on deeper levels than ever before. I love my iPhone. I am almost never more than 5 ft from it. I even take it into the bathroom when I shower to listen to a podcast or YouTube (for real). It is my most used device and my most useful tool today. Yes, my laptop is more powerful and ultimately more capable.
Regarding realistic functionality, your smartphone serves as:
- A phone/voicemail, Skype, Google Duo, FaceTime
- Text and other messaging platforms: WhatsApp, iMessage, FB Messenger, Kik, email
- Finance: bank account access, stock trading, Apple/Android/Google Pay, budget apps… Cryptocurrency hot wallets!
- Social media: Instagram, Twitter, Facebook, Snapchat
- Productivity/organization: calculator, calendar, clock (alarm, timer, stopwatch), contacts directory, notes, voice memos, reminders, Google Drive/Docs/Sheets, Google Translate
- Navigation with Google Maps/Waze etc.
- Travel: Cab hailing (Uber/Lyft), booking train, plane tickets/boarding passes, checking bus/train times, trip planning
- News Feed from News apps
- Entertainment: YouTube, Netflix, Amazon Prime, games/fun apps
- Shopping (Amazon, Uber Eats, McD app, Starbucks app, buying movie tickets, etc)
- Health: all sorts of health monitoring apps for diets, workouts, step counters etc.
- Kindle reader
- Reference material (all sorts of apps out there for various industries/professions, I work in healthcare and there are hundreds of apps for medication dosing, assessment/diagnostic algorithms etc)
- Plain old web browsing too.
Anyway, now that we have this non-exhaustive list out of the way, you can see my point: our phones are so useful today that it’s worth having a smartphone. But with all of that information and utility on a little handheld pocket device, you should protect it like hell. Hacking someone’s smartphone is a goldmine for scammers/phishers, especially if you leave yourself logged into apps for ease/convenience.
Some smartphone anti-phishing security tips:
- Keep your phone on you at all times whenever feasible – physical security is half the battle.
- Ensure that your cellular/data provider will not change your SIM without you physically there with multiple pieces of ID for verification. This may sound cumbersome, but it is critical to prevent the SIM-swap scams that hijack SMS-based 2FA.
- Passwords, passwords, passwords. These are critical.
- Do not reuse the same password you have for other devices/accounts
- Do not use the default 4-digit code.
- Do use an alphanumeric passphrase of at least 6-8 characters (ideally mixing numbers, letters and special characters).
- Do consider biometrics to sign in, such as fingerprint ID/Face ID, but believe it or not, these are ALSO hackable! Albeit they take a lot more work to defeat.
- Do not stay logged into important apps such as bank accounts, cryptocurrency hot wallet apps, mobile wallet apps, social media apps, etc. This may be annoying and cost you some convenience, but it adds another layer of difficulty should someone steal and hack your phone, because they would then also have to break into your hot wallet, bank account, etc.
- Update your phone’s apps and OS regularly.
5) Use 2-Factor Authentication To Prevent Cryptocurrency Phishing
An added layer of protection for your cryptocurrency (and other accounts, such as bank and email) is to use 2-factor authentication (2FA). It basically means that in addition to your password there is a second piece of information needed to log in.
SMS text messages (good): When logging into a cryptocurrency exchange or desktop/laptop hot wallet you may activate 2FA and receive a text with a code to type in every time you log in (it is a different code at every login). This code is also time-sensitive, usually only being valid for a few minutes. However, this method is susceptible to SIM-swap hacks (where someone poses as you and has your phone number switched to their phone so that all texts and calls are directed to the scammer’s phone). Then they only need your password and, bingo, they have access to your account(s). This is especially bad if you use the same password for multiple accounts.
Authentication apps (better): Another method for 2FA is a random number generator app such as Google Authenticator, Authy or SAASPASS. These apps are stored directly on your phone and do not rely on your cellular provider. They only need an internet connection, so Wi-Fi will work even if you are the victim of a SIM-swap hack. This is otherwise almost identical to SMS 2FA in that you simply enter the random number code after your password to log in. However, it is still susceptible to phishing: if you land on a phoney website (i.e. you did not use a verified favourite link, or you clicked a link in an email), the scammer can still collect the code. In theory, the 2FA code from the random number generator is only valid for a very short duration, after which a new code is required for any subsequent login attempt. So while it is still pretty good, it is not perfect and still has a weakness.
Security keys (best): With respect to 2FA security, physical security keys are the gold standard. A security key is a physical USB device that usually requires you to press/tap a button to confirm it is you logging in. Since your account is digitally paired with your specific security key, a hacker must not only have your login information but must physically steal your security key too, which is far harder and much less likely.
Obviously, having multiple security keys will provide higher grade security; however, that can become quite inconvenient. Fortunately, they are relatively inexpensive, with a popular one called YubiKey selling for ~$20. Google has also developed a security key called Google Titan, which I believe has a USB and a Bluetooth version, both requiring that you physically tap the device; the Bluetooth version does not need a USB port, which lets it work more easily with mobile devices.
While security keys are the highest grade/most secure 2FA, they are not yet widely used. This means they are not compatible with all software yet, although I do anticipate that within the next 2-5 years they will be significantly more widespread.
6) Shhh! Never Give Away Sensitive Information To Protect Against Phishing
What is the best way to avoid a phishing attack? Don’t be a target. If you’re bragging to your friends, family or on social media about how you bought 100 Bitcoin at $10 each and now Bitcoin is almost $4000 USD, everyone knows that you are a $400,000 target. You get the idea. You don’t hear people proclaiming their net worth at Thanksgiving dinner, or while on vacation with friends, or talking about how they just sold $1,000,000 USD of stocks and are now millionaires… well, some people do, but they are generally seen as show-offs and people tend not to like them.
Keep your personal wealth information private; nobody needs to know how much you’re worth. Even if you are not specifically targeted, that does not guarantee you won’t be phished, since most phishing scams are sent out en masse.
Moreover, you have many other sensitive pieces of information that can be used against you! Things such as your birthday, address, Social Security Number/Social Insurance Number, parents, kids, first pet, childhood memories, first car, hobbies, career, etc. are all valuable pieces of information that hackers/scammers can gather in an attempt to guess your passwords and bypass the security around your accounts. Security verification often involves confirming your personal info (birthday, phone number, address and/or email) as well as a “security question” like “what is your mother’s maiden name?”, “what was the name of your first pet?”, “what was your first car?”, “who was your childhood best friend?” or “what was the name of the street you grew up on?”. If you broadcast this information or mindlessly volunteer it on social media, you are making yourself susceptible to phishing attacks.
The biggest takeaway from this subsection is: don’t broadcast your personal info or your cryptocurrency holdings. That will make you a target.
7) Proof-of-Keys, To Protect Your Cryptocurrency From Exchange Phishing
Many of you may have heard of the recent event called “proof-of-keys”. It took place on 3 January 2019, the anniversary of the Bitcoin genesis block. The proof-of-keys movement was a day for everyone who ‘owns’ cryptocurrency on an exchange to move it off the exchange into their own personal wallet (ideally a cold wallet).
The rationale for this is two-fold:
(i) not your keys, not your Bitcoin (or crypto)
(ii) keeping the exchanges honest
There is an expression, “not your keys, not your crypto”, which means that if you do not hold the private keys to your cryptocurrency then you do not truly own it. There is nothing wrong with holding your cryptocurrency on an exchange, especially if you plan on using it to buy/sell/trade on a regular or semi-regular basis. However, if there is a hack or a security breach, the exchange is phished, or your account information for the exchange is phished, then you can easily lose the cryptocurrency held on that exchange.
Furthermore, banks of the traditional monetary system operate on a concept called “fractional reserve” where they are legally allowed to loan out your money 9 to 1. Yes. For every dollar that you own, the bank can loan out nine times that amount! Not $0.90 per dollar, but $9 per dollar in your account. And then they make money on the interest and principal that is paid back on this made up credit money, further leading to inflation. So theoretically if everyone were to go to their bank and withdraw all of their money the bank would literally be unable to comply.
The proof-of-keys day, 3 January, is a way to test that the exchanges are not operating on a fractional reserve and that they do indeed hold all of your cryptocurrency. Unfortunately, there were a couple of exchanges who did not measure up to this public test. I won’t get into the details of that in this particular post.
I want to stress that the main point here is to hold your own private keys. The best way is to use a reputable cold wallet. The next best way is to use a reputable hot wallet.
I hope that you enjoyed the post; it was a long one, but there is very valuable information in it. I will have more posts on cryptocurrency security in the near future, with more detailed information, especially on passwords, 2FA and cold wallets. Part of the cryptocurrency movement is about taking back control over the monetary system, or at least allowing citizens to have full control of their money for greater freedom. It also holds countries and central banks more accountable not to devalue their currencies when there are better cryptocurrencies for people to flee into.
That being said, holding your own cryptocurrency is highly important and requires judicious preparation and security. It is not difficult, in fact it is quite simple, but it is critical that you do it correctly and properly protect your cryptocurrency from phishing attacks, or else it’s only a matter of time before someone phishes your cryptocurrency.