Phishing is a form of social engineering where a bad actor sends an email or other digital communication with the intent of tricking you into revealing personal information such as passwords, credit card numbers, and other kinds of sensitive data.
Bitcoin is particularly attractive for phishing because once a bad actor gets access to private keys—whether you hold them yourself or a custodian holds them for you—they can anonymously and irreversibly steal your funds. There is no chargeback and no fraud department to call. One way to protect yourself from this kind of dire outcome is by eliminating single points of failure with a multisig vault, so that one phished key is not enough to move funds. Another is by equipping yourself to spot phishing attempts and stop an attack before it begins.
Phishing vs. spear phishing
There are two major types of phishing attacks: phishing and spear phishing. In both types of attack, you’ll receive an email, instant message, text message, or other digital communication that includes either a malicious embedded link or a malicious attachment (or both!). The main difference between the two attacks is the manner in which they are targeted.
- Standard phishing is the older, more common variant. There’s very little customization related to the recipient, and it doesn’t cost a bad actor much to create and send this kind of message to tens or hundreds of thousands of people at a time. Bulk phishing attacks often exploit trust by impersonating a well-known entity such as a government agency, professional organization, or a mainstream business. Recent phishing scams around FedEx and DHL are good examples of this type of attack.
- Spear phishing is more narrowly targeted. With spear phishing, the bad actor knows something specific about you—information that separates you from the general population. For example, the attacker may know you are a bitcoin holder, an employee of a certain organization, a club member, a frequent traveler, or part of a particular community. The attacker uses this information to craft a persuasive message that will cause you to lower your guard. One example of a sophisticated and highly tailored spear phishing attack is the 2020 Ledger phishing email.
Learn how to spot a phishing email
The most important way you can protect yourself is learning how to spot a phishing attempt. If you can discern which incoming communications are phishing, you can minimize the chance that you’re ever compromised because you know to ignore the email or text message, mark it as spam (if possible), and immediately discard it.
1. Watch for suspicious email notifications
The simplest way to protect yourself is to let your email client do it for you. Many messaging and email applications today warn you about suspicious messages. If your email provider or client (e.g., Gmail, Yahoo, Outlook) detects a suspicious email, it may display a banner such as “Be careful with this message!” or “This message seems dangerous!” These warnings are meant to make you think twice before clicking a link or opening an attachment in that particular message.
If you see one of these messages, heed the warning. Some simply highlight that something about the message is dangerous or suspicious, while others may encourage you to take a specific action, such as confirming that it is indeed phishing. Take a warning like this seriously unless you have independently verified that it is a false positive. The reverse does not hold: the absence of a warning is not evidence that a message is safe. Well-crafted spear phishing regularly passes automated filters, which is why the manual checks below still matter.
2. Watch for common properties of phishing messages
Another way to protect yourself is to watch for three of the most common traits of phishing and spear phishing attacks: a sense of urgency, unsolicited contact, and reliance on impersonation.
Sense of urgency
Phishing messages typically attempt to make you act quickly. This method preys on human emotion, usually fear. The attacker may say something like “Your account is about to be deleted!”, “Your funds are at risk!”, or “Your credit card has been suspended!”. Scary or threatening statements are a clue that the message you are looking at may not be as legitimate as it appears.
This strategy is common because if the bad actor can get you to act quickly, there is a greater chance they will get what they want before your suspicions are raised. This is especially true in bitcoin, where a single mistake with your keys can mean permanently lost funds. If you feel compelled to act out of urgency, always pause and consider the action you are about to take.
Unsolicited contact
You should be cautious if you receive an unexpected email with a link or an attachment. Is the message from someone you did not expect to contact you? Is it from an old friend or colleague you have not corresponded with for many years? Does it look markedly different from the correspondence you would normally receive from that sender? Unsolicited contact like this should raise a red flag.
Impersonation of trusted entities
Phishing messages usually pretend to be from someone you already trust. This trust is used to make you lower your guard and give away information you would normally protect such as login credentials, sensitive information, or access to funds.
Here are some examples of phishing messages one might see disguised as coming from institutions or organizations with which you have a legitimate relationship.
Note that these messages look legitimate at first glance, including features such as:
- An official-looking logo toward the top of the message
- A sender who is an individual with authority, such as a president or CEO
- A business-like signature block at the bottom
- Brief message content
- Convincing buttons or links that say “Click here”
All of these items are intended to trick you into believing the message is legitimate. The bad actor wants you to think, “This is coming from a trusted person or organization with which I do business. I need to pay attention. I need to take action now!”
3. Look for context clues in the message text
For our purposes, context refers to the surroundings or interrelated conditions of a particular digital communication. The human brain is an excellent filter; do not underestimate your innate ability to tell when something is a little bit off. Listen to that instinct when you are looking at emails and deciding whether to click on links or open attachments.
Take a look at the example above. Note the inconsistent grammar, uncommon phrasing, and suspicious language in the body of the message. Does it make sense that the executive of a high-profile organization or institution would use such words or phrasing? Does the conversational tone match what you would expect from such a sender? Elements like these are difficult for a bad actor to impersonate and can help signal that something is out of place.
4. Check email header and links for inconsistencies
There are a couple of ways to examine an email’s header to help you verify the legitimacy of a message. The first is by looking at the header in your email client directly: most email user interfaces collapse the sender information but provide a caret or arrow you can click to expand it. You can also view the entire message source, as described below.
Some things to look for in the header include:
- Misspellings or incorrect organization names in the “From:” line
- Misspellings in the domain name (watch out for I’s and l’s, 0’s and O’s, and “rn” standing in for “m”), as well as internationalized domain names that use accented or Cyrillic letters that render like Latin ones
- A domain that does not really belong to the organization it pretends to be (watch for .com vs .io or other unexpected suffixes, and for the real name used as a subdomain of an unrelated domain, such as yourbank.com.example.net)
Hover over links to check addresses
The anchor text displayed in the email body may say it is taking you somewhere you trust, but the embedded link behind that text may very well be taking you somewhere else. Be especially cautious of embedded links that display misspelled domains or domains that aren’t related to the destination where you expect to go.
A helpful technique is to hover your mouse over links in the message. Your browser or email client then displays the address the link actually leads to, often along the lower edge of the window. On a phone, a long press on the link usually shows the same preview. As with the header examination above, does the link address include any suspicious elements or irregularities? If so, the domain is probably not from the organization it pretends to be.
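The hover check and the domain checks above can be automated. The following Python script is an added example written for this article, not code from Unchained: it pulls every link out of an HTML body, compares the domain the anchor text claims against the domain the href actually points at, and flags lookalikes of a trusted domain built from the character swaps described above (1/l/I, 0/O, rn/m), from a different suffix (.io for .com), or from the trusted name buried in a subdomain. The sample body is constructed; unchained.com is assumed as the trusted domain, and every other hostname in the sample is invented. The registrable-domain helper deliberately takes the last two labels, which is wrong for suffixes such as .co.uk, where the Public Suffix List should be used.

```python
"""Audit the links in an HTML email body the way the 'hover over links' check
does by hand: compare what the anchor text claims against where the href really
points, and compare the real destination against domains you trust."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Single characters that render alike and get swapped in lookalike domains.
CONFUSABLE_CHARS = str.maketrans({"1": "l", "i": "l", "0": "o", "|": "l"})
# Character pairs that resemble a single letter at a glance.
CONFUSABLE_PAIRS = {"rn": "m", "vv": "w", "cl": "d"}
# Anchor text that itself looks like a URL or a bare domain name.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?", re.I)


def skeleton(label: str) -> str:
    """Collapse confusable characters so 'unchalned' and 'unchained' compare equal."""
    s = label.lower().translate(CONFUSABLE_CHARS)
    for pair, repl in CONFUSABLE_PAIRS.items():
        s = s.replace(pair, repl)
    return s


def registrable(host: str) -> str:
    """Last two labels of a hostname. Simplified on purpose: production code
    should consult the Public Suffix List so that names like example.co.uk work."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


class LinkExtractor(HTMLParser):
    """Collect (anchor_text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_link(text: str, href: str, trusted) -> list:
    """Return human-readable findings for one link; an empty list means nothing odd."""
    findings = []
    url = urlparse(href)
    host = (url.hostname or "").lower()
    if url.scheme != "https":
        findings.append(f"not https (scheme {url.scheme or 'none'!r})")
    if not host:
        return findings
    target = registrable(host)

    # 1. The visible text names a domain, but the href goes somewhere else.
    m = DOMAIN_IN_TEXT.fullmatch(text.strip())
    if m and registrable(m.group(1)) != target:
        findings.append(f"text shows {registrable(m.group(1))} but link goes to {target}")

    for t in trusted:
        if target == t:
            continue
        # 2. Same name once confusable characters collapse, or the same name
        #    under a different suffix (unchained.io instead of unchained.com).
        if skeleton(target.split(".")[0]) == skeleton(t.split(".")[0]):
            findings.append(f"{target} is a lookalike of {t}")
        # 3. Trusted name used as a subdomain of an unrelated domain.
        if t in host:
            findings.append(f"{t} embedded in {host}, real domain is {target}")
    return findings


def audit(html: str, trusted=("unchained.com",)) -> dict:
    """Map every href in the body to its list of findings."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: check_link(text, href, trusted) for text, href in parser.links}


# Constructed sample body. unchained.com is the assumed trusted domain; the
# other hostnames are invented for this example.
SAMPLE_HTML = """
<p>Your account will be locked in 24 hours.</p>
<a href="https://unchalned.com/login">https://unchained.com/login</a>
<a href="http://unchained.com.secure-verify.net/">Verify now</a>
<a href="https://unchained.io/reset">Reset password</a>
<a href="https://unchained.com/vaults">Open your vault</a>
"""

if __name__ == "__main__":
    for href, findings in audit(SAMPLE_HTML).items():
        print(href, "->", findings or "ok")
```

Only the last link in the sample comes back clean; the first is caught twice, once because the displayed URL and the real URL disagree and once because the real domain collapses to the same skeleton as the trusted one.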
5. Check the email’s raw source data for a more granular look
If you’re more technically savvy, you can also examine the underlying raw data of the email message. Almost all email clients offer an easy way to view this information. In Gmail, click the three dots next to the reply arrow in the upper right of the message and choose Show original from the drop-down; Gmail then opens a separate window with the complete raw source of the message. Outlook for Windows shows the same headers under File, Properties, in the Internet headers box, and Apple Mail under View, Message, Raw Source.
Examining an email’s raw source data
There are three elements you can examine in the source data that can help identify a phishing email:
- Sender address: In phishing attacks the visible sender address is usually spoofed so that it looks like a legitimate sender. Examine the raw source to see whether the other addresses in the headers match the address on the “From:” line. Two good places to look are the “Return-Path” header and the “smtp.mailfrom=” value inside the “Authentication-Results” header, which also records the receiving server’s SPF, DKIM and DMARC verdicts (look for “dmarc=pass” against the “From:” domain). Note that legitimate newsletters and notification services often use a Return-Path on a different domain than the “From:” address, so a mismatch on its own is a clue rather than proof; a failing DMARC result is a much stronger signal.
- Delivery path: The raw source records every server the message passed through. Each relay adds its own “Received” header on top of the existing ones, so the topmost line was written by your own provider and the bottom line describes the claimed origin. Anything below the lines added by your provider could have been inserted by the sender, so read the chain from the top down and ask whether the originating server has anything to do with the “From:” domain.
- Email client: Search the raw source for “X-Mailer”, which names the program used to compose the message. A message supposedly from an executive that was produced by a bulk-mailing tool or a PHP script is a red flag. Beware that “X-Mailer” is optional and can be spoofed or omitted entirely, so treat any inconsistency as one more reason for concern rather than a verdict.
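The three header checks above can be run over the text that Show original gives you. The following Python script is an added example written for this article, not Unchained’s code: it parses a raw message with the standard library’s email module, compares the “From:” domain against Return-Path, smtp.mailfrom and Reply-To, reads the DMARC verdict from Authentication-Results, walks the Received chain from the top down, and inspects X-Mailer. Both sample messages are constructed for the example (the hostnames, addresses and IP addresses are invented, with IPs drawn from documentation ranges), and the list of scripting mailers is an assumption to be extended from your own mail logs.

```python
"""Cross-check the headers of a raw email the way the 'Show original' checklist
does by hand: From vs Return-Path / smtp.mailfrom / Reply-To, the DMARC
verdict, the Received chain and X-Mailer."""
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Mailer strings that indicate a script or library rather than a person's mail
# client. Assumed list for this example; extend it from your own mail logs.
SCRIPT_MAILERS = ("phpmailer", "swiftmailer", "python-smtplib")


def domain_of(header_value) -> str:
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def received_hops(msg) -> list:
    """The 'from ...' clause of each Received header, nearest to you first.
    Each relay prepends its own line, so the bottom entry is the claimed origin
    and the top entry was written by your own provider."""
    hops = []
    for h in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+(.+?)\s+by\s+", str(h), re.S)
        hops.append(m.group(1) if m else str(h).split(";")[0].strip())
    return hops


def analyze(raw: str) -> dict:
    """Return the extracted domains, the hop list and a list of findings."""
    msg = Parser(policy=policy.default).parsestr(raw)
    from_dom = domain_of(msg["From"])
    return_path_dom = domain_of(msg["Return-Path"])
    reply_to_dom = domain_of(msg["Reply-To"])
    auth = str(msg["Authentication-Results"] or "")
    m = re.search(r"smtp\.mailfrom=([^\s;]+)", auth)
    mailfrom_dom = domain_of(m.group(1)) if m else ""
    dmarc = re.search(r"dmarc=(\w+)", auth)
    hops = received_hops(msg)
    x_mailer = str(msg["X-Mailer"] or "")

    findings = []
    if return_path_dom and return_path_dom != from_dom:
        findings.append(f"Return-Path domain {return_path_dom} differs from From domain {from_dom}")
    if mailfrom_dom and mailfrom_dom != from_dom:
        findings.append(f"smtp.mailfrom domain {mailfrom_dom} differs from From domain {from_dom}")
    if dmarc and dmarc.group(1).lower() != "pass":
        findings.append(f"DMARC result is {dmarc.group(1)} for {from_dom}")
    if reply_to_dom and reply_to_dom != from_dom:
        findings.append(f"Reply-To domain {reply_to_dom} differs from From domain {from_dom}")
    if hops and not any(from_dom in h.lower() for h in hops):
        findings.append(f"no relay in the Received chain belongs to {from_dom}")
    if any(s in x_mailer.lower() for s in SCRIPT_MAILERS):
        findings.append(f"X-Mailer is a scripting library: {x_mailer}")
    return {
        "from_domain": from_dom,
        "return_path_domain": return_path_dom,
        "mailfrom_domain": mailfrom_dom,
        "hops": hops,
        "findings": findings,
    }


# Constructed phishing sample: the From line impersonates support, but the
# bounce address, the relay and the Reply-To all point elsewhere.
RAW_PHISH = """\
Delivered-To: client@example.org
Return-Path: <bounce@bulkhost.example>
Received: from mail-out.bulkhost.example (mail-out.bulkhost.example [203.0.113.7])
        by mx.example.org with ESMTPS id abc123
        for <client@example.org>; Tue, 15 Dec 2020 10:01:02 +0000
Received: from [10.0.0.5] (unknown [198.51.100.23])
        by mail-out.bulkhost.example with ESMTPA id xyz789;
        Tue, 15 Dec 2020 10:01:00 +0000
Authentication-Results: mx.example.org;
        spf=pass smtp.mailfrom=bounce@bulkhost.example;
        dkim=none;
        dmarc=fail header.from=unchained.com
From: "Unchained Support" <support@unchained.com>
Reply-To: support-desk@unchaIned-help.com
To: client@example.org
Subject: Action required: your vault will be suspended
X-Mailer: PHPMailer 6.1.7
Content-Type: text/plain; charset=utf-8

Your vault will be suspended in 24 hours. Click here to verify.
"""

# Constructed legitimate sample: every address agrees and DMARC passes.
RAW_LEGIT = """\
Delivered-To: client@example.org
Return-Path: <support@unchained.com>
Received: from mail.unchained.com (mail.unchained.com [203.0.113.9])
        by mx.example.org with ESMTPS id def456
        for <client@example.org>; Tue, 15 Dec 2020 11:00:00 +0000
Authentication-Results: mx.example.org;
        spf=pass smtp.mailfrom=support@unchained.com;
        dkim=pass header.d=unchained.com;
        dmarc=pass header.from=unchained.com
From: "Unchained Support" <support@unchained.com>
To: client@example.org
Subject: Your monthly statement
X-Mailer: Apple Mail (2.3608.120.23.2.4)
Content-Type: text/plain; charset=utf-8

Attached is your statement.
"""

if __name__ == "__main__":
    for name, raw in (("phish", RAW_PHISH), ("legit", RAW_LEGIT)):
        result = analyze(raw)
        print(name, result["hops"], result["findings"] or "no findings")
```

The DMARC line is the one to weight most heavily: the other mismatches can all occur with a legitimate third-party mailer, but a receiving server that reports dmarc=fail for the From domain is telling you that neither SPF nor DKIM vouched for that sender.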
Protect yourself with out of channel verification
One of the most powerful techniques to keep yourself protected from phishing attacks is called “out of channel verification” (also known as out-of-band verification). With this technique, you stop and seek confirmation of the suspected message’s validity through a separate and independent channel. In most cases, this means directly contacting the supposed sender via a contact method you already know to be genuine. Never use a phone number, link, or reply address supplied by the suspicious message itself, since those lead straight back to the attacker.
- For organizations or institutions for which you have no previously established contact information, find the contact details on the organization’s official website via a separate web search, or use a number printed on prior correspondence you know to be genuine.
- In the case of a suspicious message from a friend or prior business relationship, verify the message through a separate phone number, text message, or other trusted communication platform.
Often, when a person’s email account is hacked, the bad actor uses the email address to impersonate the individual by sending messages to the person’s contact list or friends. When in doubt, the safest bet is to take steps to verify that the message is real. If the individual has been compromised, your outreach to them may be the first time they realize something is wrong.
In bitcoin we are taught, don’t trust, verify. Even outside your life in bitcoin, if you get an email or phone call from somebody claiming to be from a financial institution asking for your credit card information, or telling you that something is due, or similar—it is always good to reach out to the confirmed contact information that you know is legitimate and verify—always verify. – Justine Harper, Vice President, Concierge
What to do if you click on a suspicious link
What should you do if you realize too late that you clicked on a link that you shouldn’t have? Here are some basic steps you can take to help mitigate your risk:
- Phishing links that seek to collect data generally send you to a page with a form. If you are ever unsure about a destination like this, do not enter any information.
- Similarly, other links may send you to a counterfeit login page. If you are unsure, do not enter your login information.
- If you realize you have already entered a password, change it immediately from a device you trust, sign out of other sessions where the service allows it, and check that your two-factor authentication settings have not been changed. Do the same for any other account that shares that password.
- For bitcoin owners, never connect a hardware wallet to your computer after clicking what you think may be a phishing attempt. Also, never enter your seed phrase into a linked webform or give it to anyone who asks you for it online. Unchained will never ask for seed phrases.
If you ever have a question or are uncertain about a message you receive regarding your account with Unchained, you should check with client services at email@example.com to verify.
More helpful resources from Unchained Capital
Best practices for improving your sovereignty and security are regular topics of discussion and education here at Unchained Capital. Sign up for our upcoming introduction to multisig webinar to learn how multisig protects you from the worst phishing outcomes, and be sure to check out our YouTube channel to view our full archive of helpful guides, webinars, and interviews! Join our email list below to learn more about other educational opportunities.