OVERVIEW PHISHING PREVENTION SECURITY TIPS
Phishing is a technique a hacker uses to trick you into handing over critical information, such as your passwords or private keys. They may also trick you into sending currency to them or into downloading malware. Below we show you good phishing prevention security tips to keep you safer.
The word “Phishing” stems from the traditional idea of fishing for fish. But in this case, the “lure” is a message and a website rather than a hook with a worm.
Typically the first step in a Phishing attack is to send you a message with a hyperlink. The message may arrive via email, SMS, social media, Slack, Reddit, Twitter, search engine ads, and so on. The message may look authentic and may appear to have come from your bank or from a cryptocurrency related website.
Clicking on that link will usually send you to a website controlled by the hacker. This website may look identical to the legit website you were expecting to see, or it may simply pose as a legit site in its own right. The site may even carry a message that says something like “THIS SITE IS SECURE” (it most definitely is not). The site may also have a valid TLS (SSL) certificate, so your browser shows the padlock. Certificates are issued free and automatically to whoever controls a domain name, so the padlock proves only that you are talking to that domain, not that the domain is honest.
On this site you may be asked to enter your login credentials, which the hacker captures. The hacker can then log in to the real website you thought you were visiting and, with that information, steal your funds. Or you may be sent to a website that asks you to download a (backdoored) cryptocurrency wallet. Or the linked website might simply download malware to your computer.
These attacks are generally sent simultaneously to many random users in the hope that one or more victims will click on the link and enter their secret credentials, and/or download something to their computer. There is also a more targeted type of Phishing attack called “Spear Phishing”. Spear Phishing targets a very specific person or organization. In these attacks more is known about the targeted victims, so the message can be more specific and believable.
The Cyber Unit in the Division of Enforcement at the SEC created the website www.HoweyCoins.com to show internet users some of the ways a fraudulent site, a Phishing site included, can look perfectly valid.
The text below often refers to a “URL”. URL means “Uniform Resource Locator”. In short, it is the website address that you see in the address bar at the top of your browser. The “top-level domain” (sometimes loosely called the first-level domain) is the “dot” extension of a website name, such as .com, .org, .info, etc. The “second-level domain” is the name that you normally associate with a website, such as “google”, “facebook” or “amazon”. Together they form the registrable domain (“facebook.com”), which is what somebody actually buys from a registrar. A subdomain is anything to the left of that, such as “shop.facebook.com”, “smile.amazon.com” or “maps.google.com”. Whoever owns the registrable domain can create any subdomain they like, which is why “facebook.com.example.net” belongs to example.net and not to Facebook.
STANDARD PHISHING PREVENTION SECURITY TIPS
To protect your funds, follow these fairly standard phishing prevention security tips:
- TRUST TEST: Before you click on any link, whether you see it on a website, receive it in an email, find it on social media, forums or communities, or see it in pop-ups or ads, always consider what you are clicking on. Do you really trust where the link came from? Do you really know who sent it or posted it? Do you trust the website or social media where you found it? If the answer is no, then don’t click.
- SENDER EMAIL: Before clicking on a link in an email, check the exact email address the email came from, even if the person’s name looks like a family member, friend or co-worker. Names can easily be faked: the display name is free text chosen by the sender. Look at the exact email address before you click on anything in the email. Some email programs will optionally hide the exact email address, so make sure that you are not using that “hide” option. The name may say “best friend bob”, but the address behind it could be at a domain you have never heard of. Also check where a reply would actually go (the “Reply-To” address); scammers often point it at yet another address.
- CHECK URL: Before you click on any link, examine its destination URL. To do this, place your cursor over the link (don’t click yet); MOST desktop browsers will preview the actual destination URL in the lower left corner. On a phone, press and hold the link to see the same preview. Look at that URL and make sure that it seems logical to you. Pay particular attention to the “second-level domain” name, and read the host name from right to left: for “www.facebook.com” the second-level domain is “facebook”, and for “www.shop.facebook.com” it is again “facebook”, which you know is safe. But “www.facebook.com.login-verify.example” is a site called “login-verify”, whatever it puts in front of its name, and if the URL says something odd like “www.facebookerr.com” when you were expecting “facebook”, be suspicious. If it is something really odd like “www.a34f345fxx77LLK.com” then you should be very, very suspicious. Only click on the link if you are certain this is a URL you want to visit.
- DOT COM: Before clicking on a link, check whether the destination website ends with “.com” or something else. Many (but not all) commercial websites end in “.com”. Note that a website ending in “.com” is not thereby legit, and a site ending in something other than “.com” is not thereby fake. Checking for “.com” is just one tiny hint as to whether the site you have been directed to is, or is not, the one you expected.
- SPOOF URLS: Beware of “spoof” URLs. The URL looks ALMOST exactly like what you expect, but it is off by one or a few letters. A hacker can register a similar-looking domain name, or the same name under a different ending, so that if you do not examine the URL closely you will think you landed on the legitimate website. For example, a hacker could own the domain name “BankOfAmerica.co” (rather than BankOfAmerica.com).
- REQUESTED PASSWORD: Never click on a link in a message telling you that you must verify your wallet or your banking password. Neither legitimate wallets nor banks will ask you to do this. A message asking for this information is almost always fake; if in doubt, go to the site on your own (see TYPE URL below) rather than through the message.
- PRIVATE KEYS: Never ever enter your private key(s) into anything except your own cryptocurrency wallet. Some phishing scams tell you that you need to enter your private key on their website to receive something really valuable, such as some other cryptocurrency. Don’t do it: whoever holds the private key holds the funds.
- FOR FREE: Don’t click on unexpected links offering something free, nor links offering something that seems too good to be true.
- NIGERIAN PRINCE: Don’t click on links claiming to be from rich Nigerian princes who say that they have a fortune that they need your help getting into the country. Or any similar “too good to be true” sounding emails 🙂
- ONLY HTTPS: Only click on links to websites whose URL begins with “https://” (NOT “http://”). The “S” stands for “secure”. In the facebook example it looks like this: https://www.facebook.com These days all financial and crypto websites use HTTPS, so a link to a plain-HTTP website is a red flag. Browsers such as Google Chrome now mark plain-HTTP pages as “Not secure” and warn you before you fill in a form, and you usually have the option not to visit such pages at all. If you choose to ignore this warning, be extra cautious about entering any login information, such as banking or crypto credentials. Note that “HTTPS” does NOT mean the site is legit. It only means that your communication with that site is encrypted and cannot be read or altered by others in transit; the hacker’s own phishing site will use HTTPS too.
- USE BOOKMARKS: Consider bookmarking your most important crypto and other financial sites so that you never have to rely on potentially malicious links. That way you also don’t have to worry about forgetting or mistyping a URL and winding up on a bad website.
- PASSWORD PROGRAMS: An alternative to bookmarking your financial websites is to use a [password program] (a password manager) which stores links to all of your crypto and financial websites so that you don’t get misdirected to a hacker site. It also remembers all of your passwords so that you only have to remember one. A password manager has a useful side effect against phishing: it only offers to fill a password on the exact domain it was saved for, so if it refuses to autofill on a page that looks like your exchange, you are probably not on your exchange. [link to an article about password programs]
- TYPE URL: Instead of clicking on a link, consider opening a new browser tab and typing the website address in yourself, so you are sure you get to where you want to go. For example, if you get an email from your bank or your cryptocurrency exchange asking you to click a link to reach their website, don’t click. Instead, open a new browser tab and type their URL in yourself.
- BROWSER EXTENSIONS: Consider installing a browser extension, such as Cryptonite, that tells you whether the site you have landed on is known-good or known-bad. The extension does two things: (1) it shows a green shield when you land on a crypto related site that Cryptonite has verified as safe, and (2) it warns you if you land on a website that is on its list of known phishing websites. It relies on lists, so a brand-new phishing site may not be flagged yet; treat the absence of a warning as no guarantee.
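Here is the SENDER EMAIL tip turned into a few lines of Python. This is an added example, not code from this page or from any product mentioned on it. It assumes an address book (KNOWN_SENDERS) and runs on a constructed sample message; a real mail client shows you the same headers under “view source” or “show original”. It also checks the Reply-To header, since that is where a reply would actually go.

```python
"""SENDER EMAIL tip as code: look past the display name to the real From
address, and check where a reply would go.  Added example, not from the page."""
import email
import re
from email.utils import parseaddr

# Assumed address book: the addresses you actually know.
KNOWN_SENDERS = {"bob@bank.example"}

# Constructed sample headers (not a real message).  The display name is itself
# a fake address, and replies are redirected to a third address.
SUSPICIOUS = """\
From: "bob@bank.example" <alerts@mail-verify.example>
Reply-To: recover@mail-verify.example
To: you@example.org
Subject: Verify your wallet

Click here to verify your wallet.
"""

# Constructed clean message for comparison.
CLEAN = """\
From: Bob <bob@bank.example>
To: you@example.org
Subject: lunch?

Still on for 12?
"""

ADDRESS = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def sender_checks(raw_message: str) -> list:
    """Return warnings about who really sent the message and where replies go."""
    msg = email.message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    warnings = []
    if sender not in KNOWN_SENDERS:
        warnings.append(f"actual sender {sender!r} is not in your address book")
    # The display name is free text: it may carry an address that is not the sender's.
    shown = ADDRESS.search(display_name)
    if shown and shown.group(0).lower() != sender:
        warnings.append(f"display name shows {shown.group(0)!r} but the mail came from {sender!r}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != sender:
        warnings.append(f"replies would go to {reply_to!r}, not to {sender!r}")
    return warnings


if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        print(name, "->", sender_checks(raw) or ["no warnings"])
```

The point of the three checks is that only the address in angle brackets is the real sender; the display name and the Reply-To header are both set freely by whoever sent the mail.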
ADVANCED PHISHING PREVENTION SECURITY TIPS
The following advanced phishing prevention security tips are for those who want additional security and are willing to put in extra effort to get it. These tips may also address more rare, fringe issues.
- UNICODE URLS: Be aware of the “Unicode” spoofed URL, also called an IDN homograph attack. This is another type of “Spoof URL”, but much harder to spot. The URL appears to be exactly what you were expecting, but some of its letters come from another alphabet: a Cyrillic “а” looks just like a Latin “a”. Underneath, the browser registers such a name in an ASCII form that starts with “xn--”, and the certificate is issued for that ASCII name, so the site can carry a perfectly valid padlock. Most browsers now show the “xn--” form for names like this, but Firefox still shows the Unicode form unless you set network.IDN_show_punycode to true in about:config. For example, the following link looks like the official Apple site, and if you click it in Firefox you will see www.apple.com in your address bar, yet it is a demonstration site created solely to show this type of spoof. In Firefox, click here https://аррӏе.com It even has a security certificate with a padlock, but it is a scam (demonstration) website.
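The URL checks from the CHECK URL, SPOOF URLS and ONLY HTTPS tips above, plus the Unicode check from this tip, as one Python triage function. This is an added example, not code from this page. It assumes you pass in the domain you expected to reach, that endings are single labels such as .com (a real implementation would use the Public Suffix List so that names like example.co.uk split correctly), and a tiny hand-picked table of Cyrillic look-alike letters (the full table is confusables.txt from Unicode Technical Standard #39). The page’s demo link is spelled out by code point so that the example runs without copy-paste ambiguity.

```python
"""URL triage for the CHECK URL, SPOOF URLS, ONLY HTTPS and UNICODE URLS tips.
Added example, not code from the page."""
import unicodedata
from urllib.parse import urlsplit

# Assumption: a handful of Cyrillic letters that look like Latin ones.  The full
# table is Unicode's confusables.txt; this is only the subset needed here.
CONFUSABLE = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u04cf": "l",
})


def skeleton(label: str) -> str:
    """Fold known look-alike letters to ASCII so the Cyrillic 'apple' compares equal to 'apple'."""
    return label.translate(CONFUSABLE)


def scripts_in(label: str) -> set:
    """Scripts used in a label, read off the Unicode character names, e.g. {'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch not in "-0123456789"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits away from a trusted name is a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def punycode_host(host: str) -> str:
    """The ASCII form a browser registers and a certificate is issued for (xn-- labels)."""
    return ".".join(l if l.isascii() else "xn--" + l.encode("punycode").decode("ascii")
                    for l in host.split("."))


def check_url(url: str, expected: str) -> list:
    """Warnings for `url` when you meant to reach `expected` (a registrable domain such
    as 'facebook.com').  Assumes a single-label ending like .com."""
    warnings = []
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    labels = host.split(".")
    if p.scheme != "https":
        warnings.append(f"scheme is {p.scheme!r}, not https")
    if p.username is not None:
        # "https://facebook.com@evil.example": the browser ignores everything before '@'
        warnings.append(f"text before '@' ({p.username!r}) is not the site; the host is {host!r}")
    if len(labels) < 2:
        return warnings + [f"{host!r} is not a full domain name"]
    sld, tld = labels[-2], labels[-1]
    exp_sld, exp_tld = expected.lower().rsplit(".", 1)
    if not host.isascii():
        warnings.append(f"internationalized host; the browser registers it as {punycode_host(host)}")
        scripts = scripts_in(sld)
        if scripts != {"LATIN"}:
            warnings.append(f"second-level label is written in {'/'.join(sorted(scripts))}, not Latin")
    if (sld, tld) == (exp_sld, exp_tld):
        return warnings                      # same registrable domain: shop.facebook.com is fine
    if sld != exp_sld and skeleton(sld) == exp_sld:
        warnings.append(f"homograph: looks like {exp_sld!r} but uses letters from another alphabet")
    elif sld == exp_sld:
        warnings.append(f"right name, wrong ending: .{tld} instead of .{exp_tld}")
    elif exp_sld in host:
        # facebook.com.login-verify.example belongs to login-verify.example
        warnings.append(f"{exp_sld!r} appears in the address but the site is {sld}.{tld}")
    elif edit_distance(sld, exp_sld) <= 2:
        warnings.append(f"{sld!r} is a near-miss of {exp_sld!r} (typosquat)")
    else:
        warnings.append(f"the site is {sld}.{tld}, not {expected}")
    return warnings


if __name__ == "__main__":
    # The page's demo link, spelled by code point: Cyrillic a, er, er, palochka, ie.
    APPLE_HOMOGRAPH = "https://\u0430\u0440\u0440\u04cf\u0435.com"
    for url, expected in [
        ("https://www.shop.facebook.com/", "facebook.com"),
        ("http://www.facebook.com/", "facebook.com"),
        ("https://www.facebookerr.com/", "facebook.com"),
        ("https://faceb00k.com/login", "facebook.com"),
        ("https://bankofamerica.co/", "bankofamerica.com"),
        ("https://facebook.com@login-verify.example/", "facebook.com"),
        ("https://facebook.com.login-verify.example/", "facebook.com"),
        (APPLE_HOMOGRAPH, "apple.com"),
    ]:
        print(url, "->", check_url(url, expected) or ["OK"])
```

Note the “user@” case: everything before an “@” in the host part of a URL is login information that the browser throws away, so “https://facebook.com@login-verify.example” takes you to login-verify.example. The homograph case comes back with three warnings at once (internationalized host, non-Latin script, and a skeleton that matches “apple”), which is exactly what the address bar alone does not tell you in a browser that displays the Unicode form.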
See all of our cryptocurrency security tips.
In the comments below, you can add your own tips, and/or correct or dispute our tips.