March 6, 2020 | Updated February 5, 2024
Let’s face it – phishing is a perpetual threat in our society these days. We hear about it all the time on the news. In particular, a hot commodity like cryptocurrencies makes a tempting target.
Although it may sound overwhelming, there are simple ways to protect your cryptocurrencies from these malicious practices. So how exactly does the scam work? Let’s explore.
What does phishing look like in the crypto scene?
You might see a Facebook post or YouTube video that appears to come from Ledger, advertising $100,000 in free crypto. Why not trust a brand you already know and use? But this is how the scammer gets you. A bad actor will impersonate a brand you know and respect. The goal is to gain your trust, and then abuse it to gain access to your crypto.
While that example is easy to spot, other phishing attempts can be more subtle. This is why even crypto veterans can be scammed.
For example, say you are an avid NFT trader who uses the NFT market OpenSea daily. Someone posts an OpenSea link to an NFT you like on Twitter. You follow the link and make the purchase. Only afterwards do you notice that the market where you bought it was not Opensea.io (the official website), but Opensea.it or Opensea.yougotpunked. Unfortunately, signing approvals on phishing sites can result in losing several assets. In some cases, your wallet may be completely emptied.
What do Crypto Phishing Scammers Want?
Typically, phishing scammers attempt to do one of three things: hack your web2 device, get you to reveal your private information, or convince you to sign malicious transactions or approvals. Let’s see how each phishing scam works.
Malware and spyware on your Web2 device
Phishing can be an effective tool for convincing you to download malicious software onto your laptop or smartphone. For example, a phishing site may pose as Ledger and convince you to download a virus disguised as Ledger Live. From there, the hacker may be able to control your web2 device.
Your login details or secret recovery phrase
Phishing sites mostly pretend to be well-known sites to gain your trust and steal your information. It’s as simple as asking you to log into your account, recording the email address and password you enter, and then using those credentials to log into the official platform and steal your assets.
Sometimes a phishing site can go a step further and create pop-ups posing as a wallet provider. In these cases, the phishing site will impersonate a wallet provider and use scare tactics to get you to hand over your secret recovery phrase. It might say “The terms and conditions have changed, enter your SRP within 4 hours or lose access to your crypto!”. This is a scam! You should never enter your SRP on any platform that asks.
Malicious smart contract approvals
Finally, phishing scams can trick you into signing malicious approvals or transactions. Once you connect an account with valuable assets to the phishing platform, it will ask for a malicious approval. Signing that approval can result in a scammer draining your account in an instant. Revoking approvals also costs gas fees, which can pose a challenge if your account is compromised.
How to reduce risks involving crypto-phishing scams
Phishing comes in all shapes and sizes, so your best bet is to stay alert for all possible scams. But how exactly can we avoid phishing?
Do not click on any links
The first thing you can do is treat links suspiciously. If someone sends you a link, don’t just trust it blindly. On social media platforms and in emails, it’s incredibly easy to obfuscate a link. Unfortunately, this means that it’s easy to trick you into thinking you’re accessing a trusted website when you’re not. Accessing a malicious website could be the start of a scam to convince you to hand over the keys to your crypto, or it could download malware onto your computer or smartphone. So don’t click any links you aren’t 100% sure you can trust.
Use a hardware wallet
The next thing you can do to reduce some of the risks of phishing is to use a hardware wallet. This protects you from malware and spyware that may end up on your computer after you have been phished on your web2 device. To explain: with a software wallet, your private keys can be exposed to hackers through your smartphone or computer. A hardware wallet helps you reduce this risk, but that’s not to say hardware wallets are immune to phishing attacks.
In some cases, phishing sites will attempt to get you to sign approvals on your hardware wallet. In these cases, signing the approval gives the scammer a blank check. Once they have your signature on an approval to move your assets, they can and will steal from you.
Separate your assets
If you’re going to sign approvals to use experimental and potentially unreliable platforms, it’s good practice to segregate your assets. This means that you keep your valuable assets in a separate account from the one that connects to apps and services.
Using a hardware wallet makes it easy to set up multiple accounts managed by the same device. And luckily, each account works separately from each other. This means you can sign potentially untrusted transactions with one account without affecting any others.
A good model for separating assets involves three accounts. The first account is for storing your most valuable assets. Also called a cold wallet, it is prohibited from interacting with any applications or services. The second account is for accessing trusted platforms, allowing you to buy and sell digital assets from places you are familiar with. The final account is a “minting” account, which is reserved for interacting with potentially dangerous applications and platforms. This account should never contain more crypto than necessary, meaning that if you do get scammed, you don’t lose anything of value. Some users even take these types of accounts a step further and set up a burner wallet for a single risky transaction.
Don’t trust, verify
The last obstacle is you. So the most important thing you can do is to thoroughly verify each transaction. Don’t set approvals for new sites without doing your research, and make sure the site you’re accessing is the official one. Always check the official URL of any website you want to visit and cross-check it with the one you are actually accessing. Remember: a discrepancy probably means you’re on a phishing site.
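The URL cross-check described above (and the link obfuscation mentioned under “Do not click on any links”) can be expressed as a small check. This is an added example, not code from the original article or from Ledger; the allowlist contents and the function names classifyLink and editDistance are assumptions for illustration.

```javascript
// Added example, not from the original article.
// OFFICIAL_HOSTS is an assumed allowlist; build yours from your own bookmarks.
const OFFICIAL_HOSTS = ["opensea.io", "ledger.com"];

// Levenshtein edit distance, used to catch near-miss spellings of an official host.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let prev = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, prev + cost);
      prev = tmp;
    }
  }
  return row[b.length];
}

// Returns "official", "suspicious", "unknown", "not-https" or "invalid".
function classifyLink(link) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return "invalid";
  }
  if (url.protocol !== "https:") return "not-https";
  // URL() lower-cases the host and converts non-ASCII labels to punycode (xn--).
  const host = url.hostname.replace(/\.$/, "");
  const labels = host.split(".");
  // "https://opensea.io@example.net/" really goes to example.net.
  if (url.username || url.password) return "suspicious";
  for (const official of OFFICIAL_HOSTS) {
    if (host === official || host.endsWith("." + official)) return "official";
  }
  // Punycode labels can render as look-alike letters in the address bar.
  if (labels.some((label) => label.startsWith("xn--"))) return "suspicious";
  for (const official of OFFICIAL_HOSTS) {
    const brand = official.split(".")[0];
    // Brand reused on another domain (opensea.it) or misspelled (opensae.io).
    if (labels.includes(brand) || editDistance(host, official) <= 2) return "suspicious";
  }
  return "unknown";
}
```

A result of "unknown" only means the host does not resemble anything on the allowlist; it says nothing about whether the site is safe.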
Furthermore, you are the only one who can sign away your assets. Verify the contract address of any blockchain application you sign approvals for. And try not to sign approvals without understanding what they do!
Learning about smart contracts and their functions will help you dissect each approval before you sign. But if it’s too technical for you, it’s also better to stay away from blind signing. If you explore web3 from within the Ledger ecosystem, you can rest assured that any transaction or approval you sign will be presented to you in human-readable language. This is thanks to Ledger Live’s clear signing plugin.
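To make “dissect each approval before you sign” concrete, here is an added example (not from the original article and not Ledger’s clear signing code) that decodes the raw calldata of the two standard token approval calls and reports who receives the permission. The function name describeApproval, the trustedSpenders parameter and the sample address are assumptions for illustration.

```javascript
// Added example, not from the original article.
// Standard 4-byte selectors of the ERC-20/ERC-721 and ERC-721/ERC-1155 approval calls.
const SELECTORS = new Map([
  ["095ea7b3", "approve(address,uint256)"],
  ["a22cb465", "setApprovalForAll(address,bool)"],
]);
const MAX_UINT256 = (1n << 256n) - 1n;

// Constructed sample: unlimited allowance granted to a made-up spender address.
const SAMPLE_SPENDER = "0x" + "11".repeat(20);
const SAMPLE_CALLDATA = "0x095ea7b3" + "0".repeat(24) + "11".repeat(20) + "f".repeat(64);

// Decode approval calldata and flag grants to spenders you have not verified.
function describeApproval(calldata, trustedSpenders = []) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  const signature = SELECTORS.get(hex.slice(0, 8));
  if (!signature) return { kind: "not-an-approval" };
  // Selector plus two 32-byte words, hex digits only.
  if (hex.length !== 8 + 128 || !/^[0-9a-f]+$/.test(hex)) return { kind: "malformed" };
  const spender = "0x" + hex.slice(32, 72); // address is the low 20 bytes of word 1
  const word2 = BigInt("0x" + hex.slice(72));
  const known = trustedSpenders.map((a) => a.toLowerCase()).includes(spender);
  if (signature.startsWith("setApprovalForAll")) {
    // One signature hands over every token in the collection.
    const grants = word2 !== 0n;
    return { kind: "collection-wide", spender, grants, known, risky: grants && !known };
  }
  // For ERC-20, word 2 is the allowance; for ERC-721 the same selector carries a token id.
  return {
    kind: "token-allowance",
    spender,
    amount: word2,
    unlimited: word2 === MAX_UINT256,
    known,
    risky: word2 > 0n && !known,
  };
}
```

An approval whose amount is zero, or a setApprovalForAll whose flag is false, revokes a permission rather than granting one, which is why neither is marked risky.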
Ledger’s official links
Save this list for later to help you find the official Ledger accounts among all the copycats!
Ledger Twitter (X) account
Ledger Customer Support Twitter (X) account
Official Ledger Discord Server
Ledger’s official homepage
Ledger’s Official Store
Official Ledger Live download page