Avoiding Crypto Scams
An unfortunate side effect of cryptoassets growing in value and more users adopting them is a rise in scams and frauds within the industry. Many of these scams aren’t unique to the crypto industry but rather twists on existing scams. Most of the scams prevalent in the crypto markets revolve around obtaining private information or gaining access to a target’s funds. In this article, we will review a variety of the most common crypto scams today and provide suggestions on how best to protect your clients and yourself from falling prey to them.
Phishing scams are prevalent in almost every industry and are among the most common attacks on consumers. A phishing scam targets individuals by sending them an email or text message that appears to be from a trusted source in order to trick that individual into revealing private information that is used to gain access to that person’s accounts or funds. Rather than trying to access your bank account, a crypto phishing scam often attempts to gain access to an individual’s crypto wallet. More specifically, scammers are interested in the private keys of an individual’s wallet. All wallets have a public and private key. While the public key is used to receive cryptoassets, a cryptographic process ensures funds cannot be removed from an address without the corresponding private key. Once the hackers have acquired a user’s private key, they can steal the cryptocurrency contained in those wallets.
Many times, these emails are made to look like they were sent from legitimate companies. For example, in April and May of 2021, there was a broad phishing attack in which scammers posed as Coinbase customer service or security representatives. These emails appeared to come from Coinbase, as they were formatted with the Coinbase logo and company colors. The phony emails attempted to convince users that their account had been locked, or asked them to click on a fake URL that captured their login information. Sometimes these email scams direct the consumer to a fake website made to resemble the real one, which captures the login information when the user attempts to sign in.
Tips for avoiding phishing scams:
- Don't click on links in emails, even if they seem to come from a reputable source. It’s always better to type the URL directly into your browser to ensure you are going to the real website and not a fake one designed to steal your information.
- Carefully read the content of your emails. Typos and errors are good cause for suspicion. A reputable business will not contact you from a Gmail address.
- Don't open attachments. If you receive an attachment from an unknown source, do not click on it as it could contain malware that can infect your computer.
- Turn on Two Factor Authentication (2FA). This extra layer of security adds an additional verification step that makes it significantly more difficult for a hacker to access your account even if they get your login information.
Technical Support and Impersonation Scams
A variant of the email phishing scam is what has become known as the “technical support scam.” Rather than trying to obtain a target’s information via email, scammers have been known to pose as tech support to try and get your information over the phone. Similar to the email version, fraudsters impersonate a variety of companies, including Coinbase, and make false claims to trick their target into providing personal information. They may offer to help manage your cryptoassets if you give them your login credentials or they might also claim that they need remote access to your computer or other devices.
Tips for avoiding phone scams:
- Never provide sensitive information to anyone who makes unsolicited contact, regardless of the reason.
- Never give anyone remote access to your computer.
- Never give out your 2FA (2-Factor Authentication) security codes or passwords; no reputable company should ever ask you to share sensitive authentication credentials.
- Never send cryptocurrency at the behest of an alleged support agent. No reputable company would ever ask you to send cryptoassets to external addresses.
- Only contact customer support via the phone number listed on the organization’s website.
Another typical scam plays on people’s fear of missing out (aka FOMO). Fraudsters will often try to take advantage of the hype during bull markets by promoting fake initial coin offerings (ICOs) to steal a target’s funds. Some of these ICOs are made-up projects with no intention of building a real product, while others impersonate a real company that does not have a token or is currently conducting a legitimate ICO.
Another investment scam is what is known as the “Load Up Scam.” In this scam, fraudsters will claim they need a higher account limit in order to continue trading. In exchange for providing them with your crypto wallet or credit card credentials, the scammer offers a portion of the investment profits. Instead, the scammers “load up” the victim's account and then take it all for themselves, leaving the victim responsible for the transactions made.
Tips for avoiding investment scams:
- Be skeptical of websites or services promising high returns or unrealistic investment opportunities. If it sounds too good to be true, it usually is.
- Research the organization thoroughly and only send cryptocurrency to trusted third parties. Search for verifiable reviews from public sources.
- Never provide your credentials to a third party.
Social Media Scams
Similar to trying to imitate corporations via email or phone calls, scammers often try to imitate popular figures on social media. These imposter accounts have become much more prevalent in recent years. For example, our own Head of Community at Onramp Invest has had imposter accounts try to scam her followers. They created a Twitter account, used the same profile picture and chose a very similar Twitter handle in which the difference was designed to be hard to notice. In the example below, the scammer set up an account with two i’s in the Twitter handle rather than one. These types of scammers hope that most people won’t realize this subtle difference and mistake the fake account for the real one.
The most common scam on social media is what is known as the “Giveaway Scam.” These fake accounts attempt to promote a giveaway with hyperlinks to fraudulent websites and hope to gain widespread distribution by leveraging the following of genuine accounts. Oftentimes, scammers will even take it a step further and have numerous other fake accounts (that they own) respond to these posts affirming the scam as legitimate. The fraudulent websites will then ask that you “verify” your address by sending cryptocurrency to the scam giveaway.
Tips for avoiding social media scams:
- Don't trust offers that come from Twitter or Facebook. Legitimate accounts should never ask you to send crypto to an address in order to receive crypto back.
- Be skeptical of all giveaways and offers found on social media. Never send cryptocurrency to giveaways, especially if they are asking to verify your address. Do not trust screenshots in reply messages or DMs as images can be forged and altered.
- Do research on any entity soliciting you on social media. If the offer sounds too good to be true, it probably is.
- Do your best to ensure you aren’t following imposter accounts and it's the genuine account of the person you want to follow.
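The doubled-letter handle trick described in this section can also be checked mechanically. The following Python sketch is an added example, not code from Onramp: it compares a handle against a list of accounts you know to be genuine, and the handles and the confusable-character map are constructed assumptions.

```python
import re

# Characters often swapped for one another in imposter handles (assumed map):
# 0/o, 1/l/i (capital I becomes i after lowercasing), 5/s, underscores dropped.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "5": "s", "_": ""})

def normalise(handle):
    """Strip the leading @ and lowercase the handle."""
    return handle.lstrip("@").lower()

def skeleton(handle):
    """Fold confusable characters and collapse repeated letters ("ii" -> "i")."""
    folded = normalise(handle).translate(CONFUSABLES)
    return re.sub(r"(.)\1+", r"\1", folded)

def edit_distance(a, b):
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_handle(candidate, genuine_handles):
    """Return (verdict, genuine handle it matches or imitates)."""
    cand = normalise(candidate)
    for g in genuine_handles:
        if cand == normalise(g):
            return ("genuine", g)
    for g in genuine_handles:
        real = normalise(g)
        # Same skeleton, or one typo away, but not the real handle itself.
        if skeleton(cand) == skeleton(real) or edit_distance(cand, real) <= 1:
            return ("lookalike", g)
    return ("unrelated", None)

# Constructed handles, for illustration only.
KNOWN_GOOD = ["@example_advisor"]

if __name__ == "__main__":
    for h in ["@example_advisor", "@example_adviisor", "@exampIe_adviisor", "@other_account"]:
        print(h, check_handle(h, KNOWN_GOOD))
```

The third sample handle differs from the genuine one by two edits, so only the skeleton comparison catches it.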
Messaging Platform Scams
A unique aspect of the crypto markets compared to traditional finance is that, because the industry is largely globally distributed and typically open, a lot of coordination and communication happens in messaging platforms such as Discord and Telegram. It’s often possible to interact with the development or marketing teams directly on these messaging platforms. It is also a great way for the leaders of a project to get direct feedback from users and respond to customer service issues quickly. However, the downside of these open forums is that scammers may also be present.
Fraudsters have been known to send private messages to individuals, pretending to be an admin of the forum or a member of the project’s support staff. Similar to phishing scams, these scammers ask for private information or promise coins from a new project before they are released in exchange for bitcoin, Ethereum, or a stablecoin. Another scam happening on these messaging platforms is a new take on the original website scam. Scammers will set up a copycat group that closely mimics a legitimate group and invite as many people as they can. They often offer an opportunity to purchase tokens at a discount price or offer a flash “first-come-first-served” sale for pre-launch projects.
Tips for avoiding messaging platform scams:
- Never give out your private key, seed phrase, or other personal information through a private message or direct message.
- If you suspect that you’ve been contacted by a fake admin, copy their username and search the group for posts from this user. If nothing appears, it’s a fake admin.
- Change the group invite settings to “My Contacts” rather than everyone to limit who can send you a direct message.
In the crypto community, Airdrops have become a common phenomenon. Airdrops are when a company or project sends free coins, tokens or NFTs to a variety of wallets. By doing so, they help promote a project, reward early users and supporters, and increase liquidity once the asset is listed on an exchange. Most of the time, the receiver of the airdrops receives these new tokens or NFTs without having to make a financial investment. Thus, if the token or NFT rises in value, the recipient has made a profit but if the asset doesn't appreciate, the recipient hasn’t lost any money.
However, scammers have begun taking advantage of the increasing popularity of airdrops by conducting an airdrop of their own. By sending fictitious coins or NFTs to target wallets, they try to entice the recipient to visit malicious websites in order to claim the “free” tokens or NFT. Rather than claiming a potentially valuable asset, in reality, the victim is unknowingly approving a transfer of their personal tokens to the scammers.
Tips for avoiding airdrop scams:
- Never accept an airdrop without knowing where it came from first. If an asset is airdropped into your wallet without you knowing who sent it to you, do your research and verify its legitimacy first.
- Never provide personal financial information or private keys to an airdrop. If it asks for your private key, it is very likely a scam.
- If you are unsure, do not interact with airdropped tokens. If you cannot tell whether the airdrop is legitimate, it is often best to leave it in the wallet and not take any action.
- Do not hold high-value assets in the same wallet used to regularly interact with decentralized applications (Dapps). Use cold storage or reputable custodial solutions to hold an asset you do not want to be stolen.
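The "claim" step on a malicious airdrop site typically asks the wallet to sign a token approval rather than receive anything. As an added example (not from the original article), this Python sketch decodes the raw transaction data a wallet shows before signing, assuming the token follows the standard ERC-20 / ERC-721 approval interface; the spender address and sample data are constructed.

```python
MAX_UINT256 = 2**256 - 1

# Function selectors (first 4 bytes of the call data) from the ERC-20 and
# ERC-721 interfaces. ERC-721 approve(address,uint256) shares 095ea7b3, in
# which case the second argument is a token id rather than an amount.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
    "a9059cbb": "transfer(address,uint256)",
}

def decode_wallet_request(calldata_hex):
    """Describe what signing this call data would authorise."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    try:
        raw = bytes.fromhex(data)
    except ValueError:
        return {"function": None, "verdict": "malformed"}
    name = SELECTORS.get(raw[:4].hex())
    if name is None or len(raw) != 4 + 64:      # selector + two 32-byte words
        return {"function": name, "verdict": "unrecognised: do not sign blind"}
    party = "0x" + raw[16:36].hex()             # address = low 20 bytes of word 1
    value = int.from_bytes(raw[36:68], "big")   # word 2
    if name.startswith("setApprovalForAll"):
        verdict = "operator may move ALL tokens in collection" if value else "revokes operator"
    elif name.startswith("approve"):
        if value == 0:
            verdict = "revokes allowance"
        elif value == MAX_UINT256:
            verdict = "unlimited allowance"
        else:
            verdict = "limited allowance or single token id"
    else:
        verdict = "direct transfer"
    return {"function": name, "party": party, "value": value, "verdict": verdict}

# Constructed sample: an unlimited approve() to a placeholder spender address.
SAMPLE_SPENDER = "11" * 20
SAMPLE_UNLIMITED = "0x095ea7b3" + "00" * 12 + SAMPLE_SPENDER + "ff" * 32

if __name__ == "__main__":
    print(decode_wallet_request(SAMPLE_UNLIMITED))
```

An "unlimited allowance" or "operator may move ALL tokens" verdict on a site that claims to be handing out free tokens is the pattern this section warns about.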
The crypto economy presents a wide variety of opportunities for investors, but participation within this emerging asset class does not come without its risks. Financial advisors interested in providing guidance on cryptoassets and those with clients involved in the space should be well versed in the common ways in which scammers may attempt to take advantage of newcomers or unsuspecting investors. By proactively educating themselves, advisors are equipped to inform their clients of best practices for promoting safe engagement in the crypto economy.
With gratitude, Your Onramp family