Common Distribution Channels
Ads (Google Ads especially)
Commonality: Very common
Easiness To Spot: Fairly Easy
What Is Phishing?
Phishing describes a practice that aims to obtain valuable sensitive information – in this case, your password, private keys, recovery phrases for your cryptocurrency wallets or exchange accounts – typically through a fake website that was set up to look like a real, established authority’s website.
This trick first gained ground with the rise of internet banking, as one can now move funds virtually across the internet. Phishers will set up fake internet banking sites that aim to steal users’ credentials and funds.
But stealing funds from banks is hard and often traceable. In comparison, blockchain provides built-in anonymity and transaction irreversibility, thus providing scammers and fraudsters a dream playground.
Phishing continues to be the most popular scamming technique, and it’s easy to see why.
First, it is low-effort. Most phishing techniques require low levels of technical expertise as opposed to hacking software or websites.
Second, it is low-investment. To get started with most phishing techniques, you don’t need to invest any more money than the amount needed to register a domain and an email address. Because of this, one can easily set up multiple phishing operations at the same time to capture a larger audience.
Just like any legitimate internet business, phishing sites cannot generate income unless they are visited and used by real users. Thus, they also employ real businesses’ advertising and marketing techniques to hunt down their victims.
The 3 most popular ways for crypto phishing sites to promote themselves are through ads, emails, and social media. We will break down each trick one by one below and teach you how to NOT get ‘phished’ in the future.
Crypto Ad Phishing Scams
Let’s start with a simple, real-life example to illustrate how phishing is done through ads.
MyEtherWallet is a popular wallet option for Ethereum and ERC20 compatible tokens. A simple search on Google for MyEtherWallet returned the result below.
Notice the URL returned from the first ad result is www.myetherwallettribe.com (please DO NOT visit this site, as it is a phishing site), which is a slightly misspelled version of the real site URL
MyEtherWalletTribe may look very similar to the real MyEtherWallet site, but if you generate your private key on this phishing site and deposit tokens into the wallet, you will LOSE ALL of your funds.
MyEtherWallet is an open-source project, which means anyone can obtain a copy of the source code and reproduce the look and feel of the website easily. This has made MEW especially popular among phishers. So, if you are a MEW user, please visit the site only through your bookmarked official URL, or just type in the address yourself.
Building phishing sites for popular cryptocurrency exchanges and wallets has become so popular that there seem to be new phishing sites featured in Google Ads every day.
Here is another example of a phishing site posing as ShapeShift, a popular cryptocurrency exchange.
This is another Google ad for a phishing site mimicking the Blockchain wallet, a popular bitcoin wallet site.
Why do phishing sites love to purchase Google Ads?
That is because, with Google’s ranking algorithm, it’s nearly impossible for these phishing sites to rank in the top results organically due to their lack of backlinks and short site history. Phishing sites rarely last more than a year before they are busted; most of them have lifespans of just a few weeks.
So how do they snatch the spotlight to attract attention from users?
They bid on similar keywords as the real sites they mimic to gain visitors.
The simple lesson here is DO NOT click on Google ad results for crypto-related resources, as it is one of the most popular ways for phishing sites to attract visitors. To be honest, it is probably better to just install an ad-blocker for your browser and avoid all Google Ads altogether.
* We also hope that from what you have learned so far, when you visit sites from our list above, you remember to inspect the link URL. Always be on the lookout, and always be Crypto Aware!
Remember that phishers’ ultimate goal is to deceive and lead you to a spoofed-website that was made to look like the legitimate website to gain information to access your funds.
There are usually 2 ways to make a spoofed-website look legitimate – by having a similar URL and a similar website design as the real website.
While a poorly designed phishing site is definitely a giveaway that the site is illegitimate, the best way to distinguish a phishing site from the real site is through the website URL.
Phishers may be able to copy the exact look of the real website, especially when the real website is open-sourced, but they can never acquire the SAME domain address as the real site.
So what exactly is a domain name?
Let’s use Crypto Aware as an example and analyze each part of a website URL.
Crypto Aware’s homepage address (or URL) is https://www.cryptoaware.org
https indicates the protocol. HTTPS indicates that the connection to the website is encrypted, while http (without the “s”) means the communication to the site is not encrypted and thus not secure. An encrypted connection does not by itself mean the site is legitimate; phishing sites can use HTTPS too.
www refers to the subdomain of the website. A registered domain is allowed to have multiple subdomains to host different content. For example, we can have different content hosted on blog.cryptoaware.org if we so choose.
All subdomains are under the control of the main domain’s registrant. One can also choose to host the website on a “bare domain” (without the subdomain part) and just display the root site address such as
cryptoaware.org is the website’s domain. A domain is unique and is owned by the company/person who registered it. Once a domain is registered and active, no one else can use the same domain unless the original owner is willing to sell or transfer it.
So why is it important to understand the different parts of a domain name and how they work?
Because phishers love to play tricks with a website’s URL by registering a domain name with small, easy-to-miss differences from the real website domain. If you are not careful and are not aware, small variations in domain names can make a HUGE difference; you may fall into the trap.
As we mentioned above, the same website can have variations in its subdomains, since those subdomains would still be under the control of the same domain owner. NO OTHER variations of a domain name are acceptable, as any other variation is a COMPLETELY DIFFERENT DOMAIN.
Phishers often exploit this lack of knowledge in domain names to trick users into thinking their sites are legitimate when they are, in fact, NOT.
When in doubt, check the URL letter by letter, and proceed only when it is an exact match to the real site’s URL.
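The letter-by-letter check can be automated. The following is an added example, not code from Crypto Aware: it treats a host as the real site only if it is the official domain or a subdomain of it, and flags near-misses. The list of official domains, the lookalike heuristics and the constructed test hosts are assumptions of the example.

```python
from urllib.parse import urlsplit

# Assumption for this example: the sites the user actually means to visit.
OFFICIAL_DOMAINS = ("myetherwallet.com", "cryptoaware.org")


def hostname_of(url):
    """Lower-cased host of a URL; tolerates a missing scheme."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return 'official', 'lookalike', 'unrelated' or 'invalid' for a URL."""
    host = hostname_of(url)
    if not host:
        return "invalid"
    # Only the exact domain or a subdomain of it ("." boundary) is the real site.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official"
    # Heuristics (assumed): brand name embedded in the host, or a label within
    # two edits of the brand name.
    squashed = host.replace("-", "").replace(".", "")
    for d in OFFICIAL_DOMAINS:
        brand = d.split(".")[0]
        near = any(edit_distance(label, brand) <= 2 for label in host.split("."))
        if brand in squashed or near:
            return "lookalike"
    return "unrelated"
```

The `"." + d` boundary is what keeps a host such as `notmyetherwallet.com` from passing as the real domain, and reading the host from the parsed URL rather than from the raw string keeps text placed before an `@` from being mistaken for the site.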
Crypto Email Phishing Scams
This is another popular way for phishers to contact users. Links contained in an email will lead users to a spoofed website, which asks them to reveal sensitive information, such as their private keys.
You might be wondering, “I have never visited a spoofed-website before, how can they get a hold of my email address?”
Well, it’s easier than you think. There are legitimate services where you can buy email lists as leads, as well as many dark-web markets where you can buy leaked/hacked email addresses in bulk for cheap.
One popular email phishing technique is to pose as a legitimate cryptocurrency exchange or wallet service, inform the user that they have detected unusual activity on their account recently, and urge the user to confirm such activity.
Another popular phishing email template is to inform the user that there is a pending transaction for his/her exchange or wallet account, and the user needs to confirm the authenticity of the transaction before it gets processed.
Both types of emails will include a link for confirmation, and the link will subsequently lead the user to a phishing site where the user will be asked to enter sensitive information, such as passwords, private keys, etc.
Below are 2 real-life examples reported on the bitcoinwhoswho blog, posing as MyEtherWallet and Coinbase respectively.
Above are just 2 examples of possible phishing emails. Both try to exploit users’ sense of urgency by making them think they are dealing with unauthorized transactions and that their accounts are under attack.
When people think their accounts are not secure, they tend to act hastily, without scrutinizing whether or not the source and the content of the message are legitimate. And that’s when they visit phishing sites without looking twice.
There are a few ways to distinguish phishing emails, such as the appearance of typos, wrong graphics, wrong colors, etc. However, the best way to detect them is by looking at the email sender address.
For example, in Gmail, to inspect an email sender’s information, you can simply click on the little arrow next to your name, as shown below.
You can now see, in addition to sender’s address, who it is mailed by, and whether or not it has been signed by a trusted domain.
Never trust an email solely based on the sender’s name. Anyone can put whatever name they want in the “From” field. Inspect the domain name and refer to our previous section on domain names when in doubt.
Another important thing to mention here is DO NOT click on any link and DO NOT download any attachment from untrusted emails.
Sometimes, even though a link may appear legit, for example displaying the text myetherwallet.com, clicking on it may actually take you to a phishing site, such as my-ether-phishing-example.com. Most email is formatted with standard HTML, and HTML markup lets the sender set where a link leads independently of its displayed text, so the two can be vastly different.
Last, but not least, downloading an attachment from an untrusted source is the number 1 way to get your computer infected with malware. Read up on this cautionary tale from Reddit.
Bottom line is, if something doesn’t feel right, be extra cautious and verify your source. If you are unsure whether the email communication you received from the exchange or wallet service you use is real, reach out to them via their OFFICIAL email address, OFFICIAL Twitter account, or OFFICIAL Facebook page.
And for God’s sake, please, please do not ever reveal your password, private keys, or recovery phrase via emails or messages, EVER. Unless it is your intention to have all your funds taken away.
Crypto Social Media Phishing Scams
Social media phishing scams have been rising significantly in recent months, and we have now dedicated a separate section to them, linked below.
There are also other types of phishing scams, such as mass text/messages, fake browser extensions, phone scams, DNS snooping, and XSS script injections, but they are much less common when compared to the above 3 categories.
All of the phishing scams are inevitably trying to trick you into giving up your sensitive information and gain access to your funds. So, if something feels suspicious, please take the time to investigate.
Always triple and quadruple check the URL of the site where you are entering your passwords, private keys, and recovery phrases.
If you have seen a phishing site and/or are a victim of a phishing scam, please report it to us here, and we will make sure to take the necessary steps to report them to search engines and domain registrars.