As cybercriminals are becoming more sophisticated, their attacks are becoming increasingly challenging to defend against. Two of today’s most concerning types of cyberattacks for cryptoasset owners are phishing and SIM swapping. Phishing accounts for 90% of all social engineering incidents and 81% of all cyber-espionage types of attacks, while SIM swapping, although less common, can cause equally devastating effects. Cryptocurrency holders in particular, are attractive to black hat hackers and are uniquely vulnerable to phishing and SIM swapping attacks — here’s what you need to know to protect yourself.
Protecting against phishing attacks
Phishing is a socially-engineered cyberattack that is primarily used to obtain sensitive information including as usernames, passwords, bank/credit card details, or public and private keys to cryptocurrency wallets. The vast majority of phishing is done through email but it can also come through texts/SMS, social media, and chat services. Disguised as a trusted entity, the perpetrator tricks you into opening a message containing a malicious link or attachment. The links will typically then lead you to copycat sites resembling webpages of banks, payment processors, or online crypto-wallets. These sites are designed to trick you into entering your usernames and passwords.
There are also phishing scams that specifically target cryptocurrency holders. In most instances, the attackers masquerade as some of the more popular online wallet services (e.g. Blockchain.info or Coinbase) and prompt you to give up your credentials. In other scams, emails may include seemingly relevant attachments containing malware that infects your device and stealthily scans its files, searching for private keys to a cryptocurrency wallet.
As a general rule of thumb, if you get an email you weren’t expecting, and if something — anything smells “phishy,” disregard it entirely. Additionally:
- Consider anything that comes into your spam folder a red flag
- Be aware of email spoofing, which is when an attacker makes an email look like it came from a legitimate sender. For example, an email can look like it came from whitehouse.gov but it will likely (not always) go into spam since the address is spoofed.
- Attackers can also make look-alike domains using a Cyrillic character that looks identical but isn’t. Those may show up in your inbox (not spam).
- Always check the authenticity of any URLs included in the email and beware of URL redirects.
- Avoid reacting impulsively to any calls to action (downloading attachment files or replying with any sensitive information). Keep in mind that phishing attacks are designed to make you feel a sense of urgency to respond.
Preventing SIM swapping
SIM swapping is a type of account takeover attack whereby the perpetrator breaks the two-factor authentication (2FA) security protocol by hijacking your telephone number. The attack usually starts with social engineering; scammers gather your personal details (e.g. full name, address, phone number) and call your mobile phone provider pretending to be you. Using various social engineering techniques, they then convince the wireless carrier employee to port your phone number to the attacker’s subscriber identification module (SIM).
After they’ve successfully hijacked your phone number, usually just by asking for a password reset, the attackers can break into any of your accounts — email, bank/online wallet account, and others that require a call or SMS 2FA. If your phone suddenly becomes unable to make or receive calls, you may be a victim of a SIM swapping attack and should take immediate action.
To avoid becoming another SIM swapping statistic, refrain from using your phone number with 2FA where the second factor is a call or SMS-enabled authentication. In fact, if you can, avoid giving your phone number to your email or other service providers entirely. Authentication apps like Google Authenticator or Authy are a much safer alternative, as they’re tied to your physical device instead of your phone number.
If you must provide a phone number to access a specific service, contact your cell phone provider about extra layers of security for preventing number porting. Some carriers provide additional layers of security. Also, make your standard pin something random and store that pin in a secure place like a password keeper.
Safeguard your crypto assets and personal information
Ownership over cryptoassets is established solely through digital signatures (public and private keys). Couple that with the irreversible nature of blockchain transactions and you get a potential recipe for disaster. If an attacker gets ahold of your keys or your recovery phrase, whether that’s through tricking you into abdicating them yourself (phishing) or by forcefully porting your phone number and breaking the 2FA of your online wallet (SIM swapping), the result will always be the same: your funds will be lost forever.
For these reasons, taking the precautionary steps to protect your accounts, your online identity, and, ultimately, your cryptocurrency holdings, is worth the extra effort.