In this article, the who, what, where and when are secondary to the why. And why is it important to discuss scams? Because they can drain your coveted tokens and leave you asking questions without any compensation.
In the first ten months of 2020, over $1.8 billion US dollars was scammed from users whose information had been phished, and that figure does not include DeFi exploits, ‘rug pulls’ or CEX (Centralized Exchange) attacks. Many people choose phishing as a career, and it is a market that continues to grow.
Fun fact … for every one exploit that goes through code, you can assume another hundred occur because of human error.
However, with a little help, you can be well protected. Historically, we have seen developments for insured exchanges where one may keep their tokens on a CEX protected by an insurance policy that is similar to what a bank would offer in traditional finance. Now there are insurance policies for DeFi users by insuring a smart contract at a premium. Yet not all is solved and so we must stay vigilant. Even the CRA and the Federal Reserve send out yearly reminders to be wary of scammers.
There are many scams out there and today we will identify some of the more popular attacks:
There is the simple solicit: Send me 1 ETH and I will return 3 ETH. Although it may seem obvious right away, Twitter and Telegram users all around the globe have proven this attack to be very profitable. Other attacks are much more devious. Scammers will impersonate support lines, team members, or public figures in order to gain a user’s trust. Once trust is established, the attacker will request the user’s private keys and ultimately drain their wallet. The request may come disguised as a blockchain migration, a support request, or even an airdrop. Rest assured, all legitimate teams know never to ask for private keys. So, no matter how elaborate the scam might be, one red flag is always the same: if you are asked for your private keys, you can be certain you are in contact with a scammer. One simple rule stands as your best defense here: always keep your PRIVATE keys PRIVATE!
If you send this user ETH, you will not get anything of value in return.
There is an attack vector used via social engineering: This is another case in which private information is taken rather than asked for. For example, let’s say you post on Twitter or Instagram about how your crypto gains are mooning. An attacker may then use an algorithm that tries thousands of passwords in minutes. This is called ‘Brute Force’. Or they may use phishing attempts. This means a fraudulent website is created, based on your browsing history, which has you create an account or log in to this ‘website’. The scammer stores this data, hoping you will have used the same password for one of your social media accounts or even an email account. Through this process, they slowly gather data about your cell phone provider or the hardware wallet you use, giving them the ability to swap SIM cards.
Step by step, a profile of your information is created. They may then sell this information on the dark web, send extortion emails, or simply wait for the exact piece of information they need to drain your wallet. Admittedly, this is much more elaborate, and thus users with popular profiles are the most common victims. What is the best way to avoid this? Keep your gains private! But if you must share them, there is no hard-and-fast rule to keep this from happening, as 2FA has been proven to be susceptible to compromise. A hardware wallet would indeed pose the hardest obstacle, as it requires confirmation through a physical button in order to allow a transaction, including the transaction that would drain your account, but even that is not 100% guaranteed. At ChainMyne we add a third layer of security, which we call 3FA. When a client initiates a withdrawal of $10K or more, we personally contact them to verify that they initiated the transfer. This is an extra service we implemented to safeguard our clients’ crypto assets. We also recommend that our clients set up Google Authenticator to add an extra layer of security when they register with ChainMyne.
Then there are the CEX hacks: To avoid these, one has to do their due diligence when choosing a centralized exchange. This is why ChainMyne offers custody services under the security of GardaWorld. They keep all assets in cold storage, far out of reach of scammers.
Moving on to DeFi exploits: In principle, one can simply read through a smart contract to find any exploits. In practice this is not always so easy, and not everyone is a smart contract engineer, which is why insurance policies are now available for your favorite smart contracts. There are now dApps that provide insurance for a DeFi smart contract. All you need to do is pay a premium, as you would with your car or house insurance. When it comes to the infamous ‘rug pull’, it all comes down to due diligence. When researching your next token, red flags can appear around every corner. You might see a celebrity endorse a new project or an up-and-coming rapper brag about a shiny new token, but keep in mind: when the underlying project cannot offer a useful service, there must always be a distraction to make you think it has greater value. Remember that if they have been paid in these tokens, there will come a time when they dump said tokens. Researching team members and evaluating their experience will go a long way when considering a new asset. If it seems like you have to invest immediately in order to take full advantage of a great opportunity, it generally means the team does not want you to research fully, because they know a little digging will reveal the truth.
So one thing is certain: scams will not end, and their tactics will continue to evolve. The reality is that there is no avoiding them. So be prepared for their attacks with critical thinking, as no one else will do it for you.
As a proud Canadian exchange, ChainMyne is building towards a new future of financial independence, transparency, trust, and accessibility. Start trading with ChainMyne today to experience for yourself how we provide our clients with best-in-class customer service, a tailored personalized experience, and easy access to building wealth, not to mention a secure and reliable platform.