Anti-phishing measures are becoming increasingly necessary as attackers try to steal personal information and funds online every day. According to a recent report by Scam Sniffer, in February about 57,000 victims suffered losses of around $47 million due to crypto phishing scams. The report pointed out that “most victims were lured to phishing websites through phishing comments from impersonated Twitter accounts.” To avoid falling into the hands of fraudsters, you need to be able to recognize phishing and know how to protect yourself and your money. In this article, we discuss this in detail.
Latest Hacker Attack On Exchanges
Cybersecurity company Lookout has disclosed a new phishing kit called CryptoChameleon. The kit is used in a new tactic that targets users of cryptocurrency exchanges such as Binance, Gemini, and Coinbase, as well as the US Federal Communications Commission (FCC), via their mobile phones. Attackers create copies of single sign-on (SSO) pages and then use a combination of email and voice calls to obtain user credentials.
The report notes that CryptoChameleon has been used against employees of the Federal Communications Commission and Binance. Users of Binance, Gemini, ShakePay, and other exchanges were also affected. CryptoChameleon uses phone numbers and websites that look legitimate and impersonate the support services of Gmail, iCloud, Outlook, X, and other services.
Lookout reported that it was able to speak to some of the victims and confirm that a combination of phone calls and messages was used to pressure the victim into completing the process.
In one scenario, a victim received an unsolicited phone call that spoofed a real company’s customer support line. The person on the other end of the line was the threat actor, but sounded like a member of the support team from that company.
The attackers told the user that their account had been hacked and offered to help restore it. During the phone conversation, they would send the victim a message containing a link that redirected to a phishing page.
The company’s analysis revealed more than 100 successful phishing attempts and ongoing phishing activity, mostly on Hostwinds, Hostinger, and Russian RetnNet servers. The vast majority of victims are located in the United States.
How Do I Recognize Phishing?
The main goal of phishing is to obtain confidential user information.
Attackers commonly send emails with malicious links on behalf of websites or exchanges. The pretext can be a security warning, a notice that the account has been hacked, a survey, and so on. Fraudsters usually stress the urgency of acting or attract attention by offering a large reward for participation.
Signs that may indicate that the email is fraudulent:
- The message links to lookalike subdomains or misspelled URLs.
- The message is written in a way that instills fear or a sense of urgency.
- The email asks you to confirm personal information, such as financial information or a password.
- The message is written illiterately and contains spelling and grammatical errors.
Some companies, such as Binance, WhiteBIT, and KuCoin, offer an additional way to verify the authenticity of an email: an Anti-Phishing code feature. After activating it, the user sets a custom code that signals the email really came from the company. Once the code is saved, every technical email the user receives from the exchange will contain it, and an email without the code should be treated as suspicious.
How To Avoid Phishing Scams?
Use strong passwords and enable two-factor authentication: Use a strong and unique password for every account. Don’t write them down in an easily accessible place or share them with others. For storing and managing complex passwords, it’s best to use a password manager, such as 1Password, LastPass, Dashlane, and others. Enable two-factor authentication on all accounts for an extra layer of security. To do this, you can install a 2FA app on your phone, such as Google Authenticator, Authy, 2FAS, etc.
Don’t ignore update notifications: Security patches and updates are released primarily to address current cyberattack techniques, closing security gaps. Set your software to update automatically to avoid new threats.
Check the website address before entering your information: The URL of a phishing page often differs from the real domain by a single character, and sometimes only by a lookalike character, for example the digit 1 and a lowercase l, or an uppercase I and a lowercase l. It is also not recommended to enter logins and passwords on websites without HTTPS (shown by a lock icon next to the address), since HTTPS protects the connection and encrypts the data.
Do not click on suspicious links: Scammers commonly use links promising millions of dollars or gifts as a lure. Do not click on such links; instead, verify any current sweepstakes or company events on the company’s official website.
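As an added illustration of the address checks above (lookalike characters, a brand name buried in a subdomain, a missing HTTPS scheme, and the misspelled URLs listed among the signs of a fraudulent email), here is a small Python checker. It is not part of the original article; the allowlist of domains and the sample URLs are constructed for the example.

```python
import difflib
from urllib.parse import urlparse

# Constructed allowlist for this example; use your own list of the exchanges
# and services you actually hold accounts with.
KNOWN_DOMAINS = ["binance.com", "coinbase.com", "gemini.com", "kucoin.com"]

# Characters that are routinely swapped in lookalike domains (1/l, i/l, 0/o ...).
CONFUSABLES = str.maketrans({"1": "l", "i": "l", "|": "l", "0": "o", "5": "s"})


def canonical(label: str) -> str:
    """Lowercase and collapse confusable characters so b1nance == binance == blnance."""
    return label.lower().translate(CONFUSABLES)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (login.binance.com -> binance.com).
    Simplification: ignores multi-part public suffixes such as co.uk."""
    return ".".join(host.split(".")[-2:])


def check_url(url: str, known=KNOWN_DOMAINS) -> list[str]:
    """Return the red flags found in url; an empty list means no check fired."""
    flags = []
    parsed = urlparse(url)
    host = parsed.hostname or ""          # .hostname is already lowercased
    if parsed.scheme != "https":
        flags.append("no HTTPS")
    if not host:
        return flags + ["no hostname"]
    reg = registrable_domain(host)
    if reg in known:
        return flags                      # genuine domain, possibly on a real subdomain
    subdomain_labels = host.split(".")[:-2]
    reg_name = reg.split(".")[0]
    for brand in known:
        name = brand.split(".")[0]
        if name in subdomain_labels:
            # brand used only as a subdomain: binance.com.secure-login.example
            flags.append(f"'{name}' is only a subdomain of {reg}")
        elif canonical(reg) == canonical(brand):
            flags.append(f"{reg} is a character-swap lookalike of {brand}")
        elif name in reg_name or difflib.SequenceMatcher(None, name, reg_name).ratio() >= 0.8:
            # brand name embedded (coinbase-support) or a near-typo of it
            flags.append(f"{reg} resembles {brand}")
    return flags
```

The checker is a heuristic aid for a user comparing a link against the sites they actually use, not a substitute for typing the known address yourself.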
Summary
Understanding phishing schemes and their signs is the most important part of the fight against this type of fraud.
By knowing how to recognize these attacks and what methods attackers use, users can better protect their personal data, and by following the recommendations above, they can reduce the likelihood of theft.