Protecting Your Tez From Phishing Scams and Best Practices

What are phishing attacks? What are some of the best practices you can follow to avoid them and keep your tez safe?

Recently, I’ve encountered numerous instances where members of the Tezos community have been targeted by crypto scammers and phishing attacks. While most veterans of the web3 space are well aware of these threats, it’s crucial to continually educate newcomers, particularly within the Tezos ecosystem, which often serves as the gateway for many artists and users into web3. Many artists and other users are experiencing their first web3 interactions here on Tezos, and it’s crucial they understand the potential dangers lurking in this space and learn how to protect themselves.

Given the complexity and the huge amount of information around the topics of cybersecurity and self-custody, for the purposes of this article, I will focus on some fundamental yet vital aspects, specifically phishing attacks and best practices on how to avoid them.

Understanding Phishing Attacks

Phishing in the cryptocurrency space typically involves tricking the victim into revealing sensitive information such as private keys, wallet passwords, or recovery phrases. Attackers often use fake websites, fraudulent emails, spoofed phonecalls, or spoofed social media accounts that mimic legitimate services to lure victims. Once the attacker obtains this information, they can access the victim’s digital wallet and steal their cryptocurrency and NFTs. Let’s go over some of the most common phishing attacks:

• Email Phishing: This involves sending emails that appear to come from a reputable cryptocurrency company, such as a wallet provider or an exchange. These emails may alert the user to a security scare or an urgent update requiring immediate action. The email contains links that lead to fake websites where users are tricked into entering sensitive information.
• Social Media Phishing: Attackers use fake social media profiles or hack into existing accounts and post fraudulent messages about cryptocurrency investments. These might be direct messages or posts that include malicious links or claim to offer giveaways that require entering private keys or sending crypto to a specified address to “verify” user accounts.
• Fake Websites: Scammers create websites that look identical to legitimate cryptocurrency exchanges, wallet providers, or other well-known entities. These sites often have URLs that are often slightly misspelled of the actual sites they mimic. For example, you might be wanting to go to www.google.com and in your search browser you search for google and the search result returns a website that says Google, but with a web address of www.gooogle.com or www.google.net. These are the type of attacks that can catch the unwary user. Unsuspecting users may enter their private keys or login credentials at the offending websites, thinking they are accessing their wallets or exchange accounts, only to have their information stolen.
• Manipulated Search Engine Results: Scammers sometimes manipulate search engine results by paying for ads that promote their phishing sites. When a user searches for a legitimate cryptocurrency wallet or service, the top results might include these paid ads linking to the fake websites as mentioned above. Always, always, always, double and triple check the link you’re about to click.
• Impersonation in Messaging Apps: Scammers in apps like Telegram or Discord often mimic real admin or support accounts, changing only one character in the username. They send direct messages claiming to resolve account issues or verify details. These messages may include links to phishing sites or request sensitive information.

Best Practices to Avoid Crypto Phishing Attacks

So how can we protect our tez against these kinds of attacks? The answer is: good habits. Let’s take a look at some of the best practices you should be following when using your Tezos wallets especially when interacting with DApps in the Tezos ecosystem.

• Verify Source Authenticity: It is crucial to validate the sender’s email address or username in emails, messaging apps, and social media to guard against phishing and scams. Fraudulent communications can look strikingly genuine, so always verify the sender’s details. For websites, ensure the URL is correct and look for HTTPS security certification in the address bar, indicating that the connection is secure.
• Use Bookmarks for Regular Sites: To avoid falling for fake websites, bookmark the websites of your most frequently used cryptocurrency services (i.e. NFT marketplaces, web wallet sites, etc.). Always use these bookmarks to access the sites, ensuring you’re not redirected to counterfeit pages that mimic legitimate services.
• Transaction Vigilance: Cultivate the habit of meticulously verifying every transaction detail before finalizing it. Most wallets like Kukai and Temple typically prompt you to review the transaction details before you sign. This practice is crucial, especially if there’s a chance you’ve inadvertently accessed a fraudulent website. Even when you believe you’re conducting a straightforward transaction, you could be at risk of having your wallet drained or mistakenly sending funds to an unintended address. Always double-check, then triple-check, the transaction details to safeguard your assets.

• Tiredness And FOMO (Fear Of Missing Out): Avoid doing transactions when you are tired or under any sense of urgency. In such states, you’re more likely to overlook red flags, make errors, and you are much more prone to fall for a phishing attack. Rushing to get in that hot NFT drop or when your eyes are half-closed because you are tired are the kinds of moments scammers wish to find you in, so don’t let that happen.
• Use Cold Storage As Your Main Wallet: Cold wallets, also known as hardware wallets, securely keep your private keys offline, offering strong protection against online threats and reducing phishing risks. This is especially useful for holding large amounts of tez or as your main wallet for building your artistic brand. Maintain a separate hot wallet for daily transactions but reserve your main wallet for long-term savings or NFT minting. For convenience, hardware wallets like Ledger can be paired with online wallets such as Kukai or Temple, enabling safe transactions while keeping your main assets offline in cold storage.

I can’t emphasize enough just how large and complicated the topic of crypto security is. It’s a lot to keep track of, especially when scammers are constantly finding new ways to trick us. But understanding and defending against these threats is crucial, not just for veterans but especially for newcomers in the Tezos community. I have listed just a few of the most common attacks that I have seen in the Tezos ecosystem and there are a lot more than what I have listed, so please, be careful.

Think of securing your digital wallet like locking up your house or car — it’s a basic step you can’t afford to skip. Use the tips we’ve covered to keep your crypto safe and don’t let down your guard.

So, let’s not make it easy for the bad guys. Start taking your wallet security seriously today. Bookmark your favorite sites, double-check those transaction details, and invest in a cold wallet. It’s worth the effort to protect your tez and keep your digital life secure. Remember, an ounce of prevention is a pound in cure especially in the wild world of web3.