Cryptocurrency Scams 101
Who Is John Smith, Really?
When someone envisions an online impersonation scheme, they might conjure up an image of a man in sunglasses and a dark hoodie, surrounded by monitors of neon green “Matrix” code.
In reality, online impersonation can be pretty low-tech. We’ll explore some frequently-seen schemes, from the easy-to-spot to tricky to catch:
1. Claim to Someone Else’s Fame
In this case, you would be contacted by someone whose name does not match up with the real person. Our users have reported being contacted by scammers on Telegram. Names or emails may be an obvious jumbled mess of letters and numbers. If this is the case, this is a likely and obvious scam.
Example: “Yes, my Telegram name is wrestlingfan316, but I am really Bill Gates and I need to verify your account number in order to send you money.”
2. Fake Name and Impersonation
This method is an additional step-up from a scammer who claims to be someone else, since the impersonator will go through the effort to make a realistic-sounding ID.
The regulation of names on chat programs or social media is more popular, but not ubiquitous. This means a scammer can potentially set their name to “Bill_Gates” or “Microsoft_Bill” without credentials to back it up. There’s no guarantee that a party is actually who their username claims to be, unless there is some sort of verification process that shows official accounts like the “Blue Check” on Twitter. Be careful when you receive a suspicious, unsolicited message without verifying the name first.
Example: “My Telegram name is Bill_Gates. Only the real Bill Gates would have this name, so I must be him!”
3. Impersonating Usernames with Look Alike Letters: The Perils of Sans-Serif
Ok, you’ve verified the actual username that Bill Gates uses, and it’s “Bill.” You’ve been talking with “BiII,” so you should be fine, right?
This is unfortunately, wrong. Take another look at the two names above. The official username is “Bill,” which is spelled with a pair of lowercase L’s. The imposter “BiII” was able to create an account with what seems like the same username, instead using a pair of upper-case i’s to create the username.
Unfortunately, this “look alike letter” spoofing is a low-tech, but highly effective impersonation trick that many buy into without conducting their own verification check.
This method can be used in spoofed email domains as well, giving correspondence a seemingly “official” appearance. For example, using an upper case “i” for a lower case “L” can make a “@GoogIe.com” and “@Google.com” email domain virtually indistinguishable.
Another easier-to-spot method would be to swap, add or jumble letters of a well-known domain. If you aren’t paying close attention, an illegitimate email from “Mircosoft” might appear to be coming from “Microsoft.”
Example: “Hello! This is biII@mircosoft.com! I have some money to transfer to you, all that’s required is some details!”
4. Email Spoofing
Of all the methods we’ve shared so far, this malware method requires the most technical know-how to pull off. Unfortunately, this also makes it the most difficult to spot.
In our previous example, spoofing is identified by carefully spotting details that are visible to the human eye. In email spoofing, a nefarious party has edited the metadata of an email to match the details of the party it seeks to impersonate. Since this data is hidden by default, a recipient will not be able to identify spoofing unless they closely examine invisible email headers. Even in these cases, a suspicious party needs to know what details to look for, in order to identify abnormalities.
Luckily, client-side detection has improved, and programs like Gmail are able to identify some spoofed data mismatches by flashing huge warning messages like these:
However, scammers are in a constant arms race with security researchers, and new exploits can fly under the radar until new methods of verification are devised.
Cryptocurrency Fraud and How to Avoid It
Whenever a new world-changing technology is released unto the masses, inspiring, industrious individuals inevitably start thinking of positive use cases. On the flip-side, other individuals nefariously plot how this technology can be used for their own under-handed gain. In the internet’s case, for every exciting new invention, we’re forced to contend with 10 Nigerian prince scams.
And while scammers are nothing new, thanks to cryptocurrencies, those committing fraud have another means of receiving illicit funds. After all, we can now send and receive large amounts of money pseudonymously over the internet without the involvement of banks or governmental bodies. We are essentially transporting money between alphanumeric strings, with no name, address or identifying details attached.
The most recent example of a large-scale attempt at fraud through a Bitcoin scam occurred just this week, when an unknown hacker(s) was able to gain access through social engineering to high-profile Twitter accounts (like Barack Obama’s) and asked the public for Bitcoin. Twitter users were bombarded for several hours on July 15 with giveaway tweets from the likes of Elon Musk, Kim Kardashian and Apple — but also cryptocurrency exchanges Binance and Coinbase, Coindesk and Justin Sun — asking them to send BTC to a Bitcoin wallet and receive double back.
Needless to say, the around 14 BTC that was sent to the fraudster’s wallet is not being returned to anyone, anytime soon.
The irony is, cryptocurrencies are technically very safe and efficient. Due to the “crypto” portion of cryptocurrencies and the blockchain itself, transactions themselves are incredibly secure. This means that the most vulnerable part of the crypto landscape is the human element, which is incidentally the target of most scammers.
Despite all of the technology and security measures cryptocurrencies adhere to, familiar and low-tech tricks such as spoofing and impersonation are now the most effective way to scam money from unsuspecting users. Now more than ever, it’s important to ensure that your crypto funds are being sent to the intended recipient rather than an attractive or deceitful proposition.
What to Suspect When You’re Suspecting Crypto Scams
While paying attention to senders is important, the messaging and content can easily tip you off of suspicious activity. We also suggest being on the lookout for the following:
- Spelling, formatting and grammar mistakes
- Correspondence from official sources should be spell-checked and well-written. While “pobody’s nerfect,” multiple blatant grammar and spelling mistakes should raise concerns.
- If it sounds too good to be true…
- A sales team representative is offering you a 50% discount, for a limited time only! That’s great, but is the deal realistic? Lavish offers are often an attempt to hook people’s trust.
- Unsolicited contact
- It’s certainly not unusual to receive marketing emails, but if someone was looking to impersonate an email address, this is a prime opportunity to do so. Out of the blue promotions don’t need to be written off as a complete red flag, but due diligence should be performed before sensitive information or funds are exchanged.
- Use your instincts
- This is the most intangible advice we can offer. Flags may involve the overall tone of a conversation, insistence or pressure to move forward, or inconsistencies with stories and claims. Regardless, if something feels “off” to you, you have the right to pull out of a deal or to simply stop communication.
- Play sketchy games, win sketchy prizes
- This should be self-explanatory. If you are pursuing illicit activities, or seeking giant profits with little to no investment, your chances of being scammed will go up exponentially.
Stay Alert at All Times
Beyond any obvious scams (Let’s say you were able to spot “Mircosoft” and cut off communication with “BiII”), there are a few steps that you can perform to verify an identity.
- Direct contact on a verified channel, like our Telegram chat if you suddenly receive a message from someone pretending to be from CoinMarketCap
This may seem like a momentum-ending reset button, but it’s the surest way to verify that your contact is who they say they are. There are some key things to remember:
- When verifying, do not click a link, or use a contact provided in the email chain. Any of these methods may be doctored by the nefarious party.
- Depending on the size of the organization, responses may take some time, but be patient.
- Ask for verification and make sure it meets your standards.
At any point, you have every right to request a method of verification. This can include placing key details on a site’s official channel or having a phone call via an officially listed number/extension.
- Real sources should never protest an identity check and will likely have some method of verification.
- It’s up to you to determine if the evidence you’ve received is sufficient. Don’t be afraid to ask for additional verification if it does not meet your standards.
As a humanoid arachnid’s Uncle Ben once said, “With great power comes great responsibility.” The same is true with the internet and its seemingly unlimited potential. Thanks to the internet, we have thousands of ways to communicate, which unfortunately provides thousands of ways to be tricked. With crypto, we have an untraceable, anonymous method of sending money, and we also have a scammer’s dream.
Hopefully this article has provided you with some tools to help protect yourself from impersonation and scams in a crypto-based world. Be safe out there!