Despite all the hype and excitement, the crypto space has unfortunately become synonymous with hacks, scams and thefts.
Cryptoaware.org estimates that at least $2.3 billion USD has been lost to scams and hacks in crypto since 2011 (as of August 2018). The actual number is probably even higher due to the number of attacks that go unreported every year.
So why is this the case, what scams should you be aware of and how can you stop them?
Why are there so many crypto scams?
To understand why scamming is so rampant in the crypto community, we need to understand how the underlying blockchain technology works, and how it enables this to happen.
Blockchain is revolutionary, but it’s not without its drawbacks. A blockchain is a decentralised ledger that records and verifies all transactions that occur in a network.
Let’s use Bitcoin as an example: the Bitcoin community is constantly verifying transactions on the Bitcoin ledger, and in order to do this, these transactions need to be visible. Individual users are therefore made practically anonymous to maintain privacy. So if you send somebody some bitcoins, the value of the transaction as well as the sender and receiver’s wallet addresses are recorded and visible to the network. However, no personal information about the sender or receiver exists on the blockchain, so it’s incredibly difficult to actually determine who these parties are in the real world.
Once a transaction is entered into the blockchain and is confirmed by the network, it is irreversible, and cannot be changed.
Further, because blockchains are decentralised, there is no central authority that oversees transactions and mediates disputes.
So if something ever goes wrong, for example if somebody gets access to your wallet and transfers all your crypto out to a different address, it’s almost impossible to tell who it was, you can’t take the transaction back, and there’s nobody you can call to try and fix it for you.
It’s pretty easy to see now why scams are so successful in the crypto space: it’s almost completely anonymous, transactions are irreversible, and there’s no central authority who can go after wrongdoers. Add on top of this an almost complete lack of regulation, and you’ve got a perfect environment for scammers, fraudsters and hackers.
So with that sorted, let’s take a look at some of the ways people can get their cryptos stolen.
Hacking vs scamming
Hacking is a broad term with many definitions, but for the purpose of this article, we’ll refer to it as the act of using computer code to break into online systems for malicious purposes (i.e. to steal cryptos).
Hacking is a serious threat, and has been responsible for some of the biggest crypto thefts to date, such as the Mt. Gox hack of 2014, and the DAO attack of 2017. Serious hacking requires serious skill and commitment to carry out, so hackers will attack the places that hold the most money, like online exchanges and wallets.
For most individuals though, the bigger risk to our crypto safety is being sucked into a scam, and this is what we’ll focus on in this article.
Scamming is an attempt at defrauding a person or group after gaining their trust, and is, relative to hacking, much easier and less expensive to carry out, and more frequently affects individuals.
Through social engineering (using psychological manipulation to get people to divulge sensitive information), attackers can find out an alarming amount of information about you. Without writing a line of code, these attackers can gain access to crypto wallets and drain out all the funds before you even know it.
So with that happy thought in mind, let’s take a look at some of the more common ways people can be scammed out of their hard earned crypto online.
Phone porting is one of the most prevalent scams targeting high-profile individuals in the crypto space. It involves an attacker calling up their target’s phone provider, and using social engineering to access their account. From there, they port the victim’s phone number to a SIM card they control, which gives them control of the phone number.
Once an attacker has the phone number in their control, they can begin resetting passwords that rely on mobile two-factor authentication, such as those for the victim’s email and exchange accounts.
Combatting this attack once your number has already been ported is incredibly difficult, especially since it can all take place before you know it’s happened.
Another unfortunately common scam.
ICOs have exploded in the past 12 months, and with them has come an incredible amount of hype. Scammers have ridden this hype train to great effect, by setting up fraudulent ICOs, complete with websites and white papers, in an attempt to run off with investors’ money.
Some have been incredibly successful, such as cases where individuals have made off with tens of millions of dollars, never to be seen again.
Others not so much, such as the ICO ‘Prodeum’, who allegedly raised a measly $3000 and made off with the spoils, but not before leaving a touching farewell message:
Stay classy, crypto
Phishing is a type of scam that attempts to trick you into willingly giving over your personal information that can then be used for malicious purposes.
Some common phishing tactics include:
Impersonating a website or service
One of the easiest scams to fall for is clicking on a link that you think will take you to a website (like an online wallet or exchange), but instead takes you to a clone of that site that looks indistinguishable from the real thing (often with an incredibly similar URL).
The fake site will then ask you for your login credentials, or some other personal information, and will then be able to sign in to your account on the real site, potentially stealing any available cryptos.
Sending fake emails to obtain information
Similar to the previous example, and to the classic email from the prince of Nigeria who really needs your help in making an urgent bank transfer, many crypto scammers will send fake emails trying to get your personal details.
They will often craft emails to look like they are coming from an official source, and ask for you to ‘confirm’ your details. And of course once this happens, they have full access to whatever is in that account.
Using social media to obtain information
Some scammers will try the same scams as above on social media, sending links to what look like reputable sites on messaging groups like Slack and Telegram.
Social media scams
Impersonating well known people/companies
Spend 5 minutes on Twitter looking at crypto-related tweets and you’re bound to see comments like this:
That is, tweets or replies to tweets from prominent people or companies giving away cryptos.
Hopefully most people would recognise this pretty quickly as something that’s too good to be true, but you can’t put that much faith in humanity unfortunately.
These scammers will use bots to like and comment on these posts in order to get them ranking higher in Twitter’s algorithm, and suck more people in.
Even people outside the cryptosphere like Elon Musk are being targeted.
Probably my favourite kind of crypto scam (to write about at least): a Ponzi scheme is a business model that relies on members earning money based on the investment of new members rather than selling any actual products or services, which becomes more unsustainable the more that it grows.
Bitconnect was a classic example of this, with a depressing number of people pouring their life savings into the company after being guaranteed incredible daily and weekly returns for their crypto investments.
But sure enough, the company ceased trading because, you know, pyramid schemes are illegal and all, and the price of the coin took an almighty dive along with it.
Promoting Ponzi schemes, malware or ICO scams
Join almost any Facebook group related to crypto, and your timeline gets flooded with posts promising to guarantee that you’ll make money with whatever scheme they’re peddling.
Sometimes they’ll try to get you to sign up to a Ponzi scheme, other times they’ll try to infect your computer with malware. Some will be promoting a fraudulent ICO, and others will just try to convince you to straight out send them money.
How to protect yourself
This has sounded very intimidating so far, but there are actually a number of pretty simple things you can do to make yourself a less attractive target to would-be attackers:
- The first rule of crypto club should be: you don’t talk about your crypto gains online. End of story. The fewer people who know that you’re invested in crypto, the less likely it is that somebody will come after you.
- Don’t display any personal information (phone number, email address, birthdate, home city etc.) online, as scammers can and will use this information to socially engineer their way into your accounts. Knowing your full name, mobile number and date of birth can get an attacker entry to pretty much any of the accounts you access over the phone.
- Set up separate emails associated with all your crypto related accounts and don’t hand this email address out to anybody. Doing this alone should greatly reduce your chance of falling victim to email related scams and hacks.
- Use a password manager like LastPass or 1Password, and always use long, secure passwords for all your accounts.
- Use app two-factor authentication wherever you’re able to. Phone 2FA is better than nothing, but an app such as Google Authenticator or Authy is far superior to that.
- Call your phone provider and set up a PIN or passphrase for your account. It might sound like overkill, but an attacker gaining access to your phone account would be disastrous.
- Set up passwords on your computer and phone, so in the event that you lose one, or leave it open in a public space, somebody can’t just waltz into your pre-logged in accounts and transfer all your money out.
- Make sure you’re 100% sure that you’re navigating to legitimate sites, and not fakes. Taking a good look at URLs to make sure the site is spelled correctly, and there are no extra characters is extremely important. It also helps to bookmark the websites that you frequently visit to avoid getting caught out.
- Don’t click on links in emails from anybody you don’t trust. This applies outside of crypto as well, as email in general is rife with scams. Also double check the sender’s email address to make sure the email is actually coming from who it says it’s from. Everything that comes after the @ symbol should be spelled exactly how it’s spelled in the website URL.
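The URL and sender-address checks in the last two tips can be automated. The sketch below is an added example, not part of the original article: it compares a link or an email sender against a list of domains you trust and flags close misspellings, look-alike character tricks and the real name buried inside somebody else's domain. The domains in TRUSTED and all sample inputs are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed allowlist standing in for your own bookmarks (placeholder domains).
TRUSTED = {"example-exchange.com", "example-wallet.io"}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(value):
    """Host of a URL, or everything after the last '@' of an email address."""
    if "://" in value:
        host = urlsplit(value).hostname or ""
    else:
        host = value.rsplit("@", 1)[-1]
    return host.strip(" <>").rstrip(".").lower()

def classify(value, trusted=TRUSTED, max_typos=2):
    """Return (verdict, trusted domain the verdict relates to, or None)."""
    host = host_of(value)
    labels = host.split(".")
    for good in sorted(trusted):
        if host == good or host.endswith("." + good):
            return "trusted", good
    # Non-ASCII or punycode labels can be drawn with look-alike letters.
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return "lookalike-idn", None
    for good in sorted(trusted):
        # The real name used as a prefix under somebody else's domain.
        if good in host:
            return "lookalike-embedded", good
        # Compare the same number of trailing labels, so a subdomain cannot hide a typo.
        tail = ".".join(labels[-good.count(".") - 1:])
        if edit_distance(tail, good) <= max_typos:
            return "lookalike-typo", good
    return "unknown", None

if __name__ == "__main__":
    for sample in ("https://www.example-exchange.com/login",   # constructed samples
                   "https://login.examp1e-exchange.com/",
                   "https://example-exchange.com.secure-login.net/",
                   "https://example-exchange.com@phish.example.net/",
                   "support@example-exchange.co"):
        print(sample, "->", classify(sample))
```

Anything that does not come back as "trusted" deserves a second look before you type a password into it; "unknown" only means the host is not on your list, not that it is safe.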
The crypto world can be pretty scary if you’re not accustomed to it. There are some pretty bad people out there who have sophisticated ways of hacking or scamming you out of your money. However, with not a whole lot of effort you can secure your online identity, and be confident that your crypto will always be yours.
Stay safe out there, and always crypto responsibly.