The Internet changed our world. Blockchain is changing it even more, moving things to new terrain all over again. That new terrain has amazing possibilities for decentralizing power and empowering the masses. But it also has dangers. This blog post is about one kind of online danger: phishing and mistaken-identity attacks.
It’s Not Just You
Feel like there are more of those attacks than ever? It’s not just you. And, really, it’s not too surprising. Digital asset transactions on the blockchain are more private, and more permanent, than real-life transactions. Assets are transferred with minimal personal information — and there’s no easy way to take them back. That keeps things simple and portable. But it ups the rewards for anyone who can get assets transferred to them through fraud.
Anyone who’s spent time on public-facing social media like Twitter, Instagram, or the open Web knows how that happens. “Typo-squatting”, also known as “angler phishing”, is a fraud tactic fuelled by small typographical errors in an account or domain name. Think in-thread replies by a deceptively-similar account on Twitter. Or pro-active Instagram follows by a handle whose image is familiar — maybe the phisher has “borrowed” a brand icon — but whose name is just a bit off. Or a surprisingly friendly “help desk” reaching out on Telegram to solve all your problems.
An example is included below. Note how the user copies our logo, handle, and cover image, yet the account name is not ours.
Expecting one website, and landing on another one just waiting for that typo, is irritating. But typo-squatting becomes more than just irritating when applied to blockchain assets. Once you’ve been taken in by a scammer’s fake use of a brand logo, slightly misspelled handle, or in-thread reply, it can be impossible to walk the mistake back.
The Trend Hasn’t Exactly Gone Unnoticed
Every social media landscape is now cluttered with fake accounts built from real people’s profile pictures, recognizable brand logos, and nearly-familiar names or handles. More and more “blue checkmark” personalities add phrases like “doesn’t give away cryptocurrency” to their account names, to set themselves apart from scammers piggybacking on their identities. Last March, Twitter told online publication The Verge it would begin preventing accounts “from engaging with others in a deceptive manner.” Last August, security researchers at Duo Labs published a “case study detailing a large botnet of at least 15,000 bots spreading a cryptocurrency scam”, showing how to identify the scheme.
Three Tips to Help Identify and Avoid These Situations
- We never ask for your secret identifiers like your private keys or personal information. If someone is asking for such things pretending to be us, call them on it. It’s not us.
- Our official brand accounts are: @jaxx_io, @jaxx_support, and @DecentralCA, and our Web sites are at decentral.ca and jaxx.io — spelled with just those letters. All of our accounts are verified, so look for the blue checkmark next to our account names. Check the source, and make sure the Twitter handle or domain name has the correct spelling.
- When a phisher solicits you to respond in private — don’t respond. Do report.
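The second tip amounts to a spelling check against a short allow-list, and that is something you can automate for yourself or a community moderation bot. The Python below is an added example, not code from Jaxx or Decentral: the official handles and domains are the ones listed in the post, the lookalike inputs are constructed, and the homoglyph map and the edit-distance threshold of 2 are assumptions chosen for illustration rather than an exhaustive confusables table.

```python
"""Flag lookalike handles and domains against a short allow-list of official names.

Added example (not the project's own code). Official names are taken from the
post; the candidate inputs, the homoglyph map and the distance threshold are
constructed assumptions for illustration.
"""
import unicodedata

# Official accounts and sites as listed in the post, stored lowercase.
OFFICIAL_HANDLES = {"jaxx_io", "jaxx_support", "decentralca"}
OFFICIAL_DOMAINS = {"decentral.ca", "jaxx.io"}

# Assumption: a small hand-picked map of characters that are easy to mistake
# for Latin letters (digits, a pipe, and a few Cyrillic letters that render
# identically). A production checker would use the Unicode confusables data.
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "|": "l",
    "\u0430": "a",  # Cyrillic а
    "\u0435": "e",  # Cyrillic е
    "\u043e": "o",  # Cyrillic о
    "\u0440": "p",  # Cyrillic р
    "\u0441": "c",  # Cyrillic с
    "\u0445": "x",  # Cyrillic х
})


def normalize(name: str) -> str:
    """Lowercase, strip a leading '@', fold full-width forms, map homoglyphs."""
    name = name.strip().lstrip("@").lower()
    name = unicodedata.normalize("NFKC", name)
    return name.translate(HOMOGLYPHS)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, officials: set, max_distance: int = 2):
    """Return (verdict, closest_official).

    verdict is "official" for an exact match, "lookalike" when the normalized
    name is within max_distance edits of an official name, else "unrelated".
    """
    raw = candidate.strip().lstrip("@").lower()
    if raw in officials:
        return ("official", raw)
    norm = normalize(candidate)
    closest = min(officials, key=lambda o: levenshtein(norm, o))
    if levenshtein(norm, closest) <= max_distance:
        return ("lookalike", closest)
    return ("unrelated", None)


def flag_lookalikes(candidates, officials):
    """Return only the candidates that imitate an official name."""
    return [(c, closest) for c in candidates
            for verdict, closest in [classify(c, officials)] if verdict == "lookalike"]


if __name__ == "__main__":
    # Constructed sample inputs: one real handle, three lookalikes, one unrelated.
    sample_handles = ["@jaxx_io", "@jaxx_i0", "@j\u0430xx_io", "@jaxx_support_", "@someuser"]
    for handle in sample_handles:
        print(handle, "->", classify(handle, OFFICIAL_HANDLES))
    print(flag_lookalikes(["jaxx.com", "decentraI.ca", "twitter.com"], OFFICIAL_DOMAINS))
```

The two-step order matters: an exact match against the raw lowercased name is checked before any normalization, so a real account is never reported as a lookalike of itself, while a digit-for-letter swap, a Cyrillic letter, or a trailing underscore all collapse onto the official name they imitate. Anything this flags still needs a human look before reporting.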
We see phishing posts and imposter accounts frequently. We flag them and ask that they be taken down. It can take a few days before these fake accounts are removed, though. If there are doubts, please don’t engage. If you see a tweet or profile you know is a scam — consider reporting it and letting us know, too: firstname.lastname@example.org.