How Not To Get Scammed (in Crypto)

Example of a mass phishing scam
Sad spam message, probably worked :(

I have seen too many people fall for scams on Twitter and Telegram, and have read about countless others getting scammed via DNS (MyEtherWallet), clipboard malware (the copy/paste wallet address scam), and the list goes on.

My goal in writing this article is to address the overall goal of scammers and their psychology, as well as the counter-scammer psychology that you will need to save you thousands of dollars, and incalculable heartache.

This article will not teach you to be a guru. As a longtime technologist I have been following technology and scams, a large part of which consists of reading Brian Krebs of www.KrebsOnSecurity.com. He is one of the foremost cybercrime journalists in the world and reports from the front lines of the global cybercrime battlefield. I highly recommend visiting his blog and reading any posts that stick out (P.S. some read like thrillers!).

My objective in this initial post is to get the reader thinking about what a threat is, how to understand it as it happens, and how to avoid danger. This is an introduction to my “How Not to Get Scammed (In Crypto)” series. The introduction is more basic and theoretical, whereas the next article will include actual examples of scams that were, or still are, very common, and have earned many millions of dollars (as documented in CoinDesk articles that cite blockchain analysis by reputable academic or private forensic organizations to determine criminals’ earnings).

Now, on to the heart of the post.

Common Sense — They say it ain’t so common

After someone makes a mistake in crypto, such as sending their ETH-based tokens to the contract wallet, rather than their own wallet, they feel like an idiot, and everybody in the Telegram chat tells them they should have paid better attention or done their homework before sending a significant amount of money. For the average reader out there, the scenario just described is not an example of a scam, it’s an example of one of the intricacies of current UX (user experience) with most crypto. Outside of leaving your money (aka risking it all) on a crypto exchange, which is extremely recommended, you must have a basic knowledge of crypto. So again, the above scenario is not even a scam, it’s an example of common sense, paying attention, and doing your homework. This is my introduction for not getting scammed. There are people who send their money into a void, by sending it to the Ethereum contract of the specific token they are interacting with, rather than their intended destination, their own private wallet. If this happens commonly, then what happens when scammers target these same people?

This is real life — treat it as such!

Don’t share your private information with anybody! Somehow people get into crypto without learning the most basic rule. “This is real life, treat it as such!” You would not share your credit card or your personal PIN with anybody, nor any personally identifiable information (address, SSN, license number). In crypto, your wallet address is an identifier: it shows the current status, as well as the history, of that wallet and all its transactions. This could allow a malicious actor (scammer) to gather info, phish you for information, or attempt to hack your wallet.

While this article is focused on scams, I also want to help the reader think about the larger picture of crypto and information. A scammer is not the only person that may want your information and your transaction history. Law enforcement wants to gather all of this information for tracking taxes, dark web, money laundering, and sanctions evasions. These are all things we don’t think about when we share our information online and think casually “what can someone really do with this information?” Well, a whole lot!

Protect yourself at all times!

In combat sports, the referee always tells the fighters, “protect yourselves at all times!” Due to human emotions and natural errors that happen, this rule is applied to every fighter. Protect yourself even after the bell goes off because:

  1. If you take your eye off your opponent, they may not go light because there is only 10 seconds left (there is a loud clap sound signifying 10 seconds remaining). It is the responsibility of the fighter to be aware and safe at all times.
  2. If you put your hands down after you hear the bell, there could be malicious or accidental punishment coming milliseconds after you let your guard down.

Thankfully this is not prize fighting, but the stakes may be just as high. It’s so important to know all the rules, parameters, functions, chat programs, email programs, social engineering (phishing, avatars/impersonators), antivirus software, etc. Every element of technology is as useful for us as consumers as it is for criminals as tools of thievery. Each tool, or piece of technology, that we use is exploitable. For example, if you get an e-mail from your bank that says you are past due on a loan, you may indeed be past due, panic, and think to yourself, “This official looking e-mail offering to get me out of my debt sounds like a great deal, let me call the number from the email!” This could be a bad move because an e-mail can easily be spoofed to make it look like it’s from a legitimate source when it’s indeed not. Cybercriminals can spoof the “From:” section to whatever they want, and they can also copy all the graphics and fonts; no feat is too big or small. Criminals have an insane amount of tools and resources. There is a whole infrastructure in the cybercrime underground for graphics, translations, phone services (if you are from a foreign country you may not want to attempt to call your target and speak with your poor accent), and the list goes on. A thief can spoof cell phone numbers as easily as e-mail addresses. Just because a number is listed on your caller ID does not mean it’s authentic. This is unfortunate, but knowledge is power and can help protect you from potential threats.
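To make the “From:” point concrete, here is an added example (not part of the original article) that compares the address a reader sees with what the receiving mail server recorded about the message. Both messages, their domains and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: From: claims a bank, but the receiving server's
# checks and the bounce/reply addresses point at other domains.
SPOOFED = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bulk-sender.example;
 dkim=none; dmarc=fail header.from=bank.example
Return-Path: <bounce@bulk-sender.example>
From: "Your Bank" <alerts@bank.example>
Reply-To: help@loan-relief.example
Subject: Your loan is past due

Call us today.
"""
# Constructed sample: every recorded domain agrees with From:.
GENUINE = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bank.example;
 dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example
Return-Path: <bounce@bank.example>
From: "Your Bank" <alerts@bank.example>
Subject: Statement ready

Log in as usual.
"""

def domain_of(header_value):
    # Address domain, lowercased; "" when the header is absent.
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def spoofing_signals(raw):
    # Signals, not verdicts: exact-domain comparison is a simplification, and
    # Authentication-Results only counts when your own mail server added it.
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    results = " ".join((msg["Authentication-Results"] or "").split())
    verdict = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results))
    signals = []
    if verdict.get("dmarc") != "pass":
        signals.append("dmarc=" + verdict.get("dmarc", "missing"))
    for name in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[name])
        if dom and dom != from_dom:
            signals.append(f"{name.lower()} domain differs: {dom}")
    return signals
```

Note that SPF passes in the spoofed sample: it vouches only for the envelope sender's domain, not for the “From:” line the reader sees.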

An element of this narrative I want to point out is that if the target does not have a bank loan or any debt, then the e-mail falls into the void. I make this point to you, the reader, because for the spammer/attacker, this is only a minor inconvenience. It’s nothing worse than getting cut off while driving: it’s annoying in the moment, but an hour later you have forgotten about it. Therefore, in the last two decades of technology really exploding and becoming the fabric of our lives, the criminals have gotten smarter and more bold. Thus we need to always understand how they think and operate, and from that fundamental perspective, it will be very difficult for them to harm us. Knowledge is power, and it’s hard for many people to learn technology, let alone think of technology as a tool for crime. My goal with this article is to help people be more aware of their interaction with technology and other people online.

To be continued…