Published 21 June 2024

Crypto vishing: Threats and protections


Cryptocurrencies have become an integral part of the modern financial world, providing a plethora of opportunities for investment and use of digital assets. However, with the growing popularity of cryptocurrencies, the number of fraudulent schemes designed to steal money from users is increasing, too. One of these is known as vishing. Vishing (voice phishing) is a scam that uses phone calls to deceive users. Below, we will explore what vishing is and how it works, describe real cases of attacks, and discuss how to protect yourself against this type of scam.

What is vishing?

Vishing is a form of phishing where scammers use phone calls to obtain confidential information from their victims. In the context of cryptocurrency, vishing is a type of scam designed to get access to cryptocurrency wallets, exchange accounts or personal data required for future attacks. Scammers may pose as cryptocurrency exchange employees, technical support personnel or even government officials. Put simply, vishing is any scam attack carried out through phone calls and telephone communication.

Phishing, vishing, smishing: What is the difference?

These three terms are often confused with each other, so it is important to understand whether or not vishing and smishing are the same thing. So, what is the difference between vishing and phishing?

In fact, everything is quite simple. Vishing and smishing are variations of phishing. This means that asking “phishing or vishing?” is incorrect — the two cannot be opposed. The same is true about “what is the difference between phishing and vishing?” — there is none. Vishing (as well as smishing) is a type, or another mode, of phishing attack.

While in a vishing scam scammers use phone calls, in smishing they rely on SMS messages. Smishing will be discussed in detail in our future publications.

How do vishing scams work?

The vishing process can be divided into several steps:

  1. Preparations. Scammers collect data about a potential victim. This may involve scraping data from social media websites, studying publicly available databases or even hacking accounts. 
  2. Contacting the victim. Scammers contact the victim by phone posing as a trusted person. They may use phone number spoofing to make their calls look like they are coming from legitimate sources. 
  3. Manipulation. During the call, scammers try to invoke a sense of urgency or fear in the victim. They may claim that there is a problem with the victim’s account that requires immediate action, or that identity verification is required to protect their money.
  4. Obtaining data. Scammers ask the victim to provide sensitive information, such as logins, passwords, private keys or two-factor authentication codes.
  5. Stealing money. Having obtained this information, the fraudsters use it to get access to the victim’s accounts to steal money.

Examples of vishing in the crypto industry

There can be many methods of vishing and scammers get increasingly sophisticated every year. Here are just a few common examples:

  1. Fake tech-support scams. The scammer calls the victim, posing as a tech support worker of a popular cryptocurrency exchange, and reports ‘suspicious activity’ on the victim’s account. Then they ask for sign-in credentials to access the victim’s account, and steal money.
  2. Fake investment offers. Scammers call potential investors and offer exclusive opportunities for investment in new cryptocurrency projects. To “confirm” participation, they ask the victim to provide personal data and transfer cryptocurrency to addresses that subsequently turn out to be fraudulent.

Famous vishing attacks in the cryptocurrency space

Vishing has long been a common scam in the crypto world, and some cases are particularly famous due to the scale and sophistication of attacks. Here are just a few of them:

  1. Vishing targeted at Binance users

In one of the most famous vishing attacks that affected the crypto community, scammers targeted users of Binance, one of the world’s largest cryptocurrency exchanges. In 2018, attackers made calls to users posing as security personnel. They claimed that suspicious activity had been detected on the victim’s account and asked for personal data and two-factor authentication codes. Many users believed the calls were genuine, provided the requested data and ultimately lost their money.

  2. Vishing targeted at NiceHash startup

In December 2017, NiceHash, a cryptocurrency platform for mining, suffered a major hack that resulted in the theft of about USD 63 million in Bitcoin. The investigation found that the hack was made possible in part by a successful vishing attack on one of the employees. The scammers called him posing as representatives of a partner company and were able to get access to an account, which allowed them to carry out the attack.

  3. Vishing attack on founders of EtherDelta

2017 saw another large vishing attack, which was aimed at the founders of the decentralized exchange EtherDelta. The scammers claimed to be technical support officials and were able to convince one of the founders to give them access to the administrative account of the platform. This enabled the attackers to redirect users to a fake website where the scammers stole private keys and money from the platform’s users.

  4. Vishing using Telegram

Telegram is a popular means of communication in the cryptocurrency community and scammers often use it for vishing attacks. In one of the incidents, fraudsters created fake accounts of employees of popular cryptocurrency projects and contacted users via Telegram. Under the pretext of technical support or participation in exclusive projects, they asked victims for private keys and other sensitive data, which resulted in the theft of cryptocurrency.

These examples highlight the importance of awareness and security measures in the cryptocurrency space. In response to such incidents, many cryptocurrency platforms enhanced their security protocols, including multi-factor authentication, regular security notifications, and user training. Despite this, vishing remains a significant threat, and users must be constantly vigilant to protect their assets. And if a cryptocurrency incident does occur, we at SEVEN SENSES are always there to help you with the recovery of your assets. Just contact our experts and describe your case — they will help you to determine the timing and prospects of the investigation.

How to protect yourself against vishing?

It is important that all users of digital and financial assets in general know the key ways to protect themselves from vishing.

  1. Never disclose any sensitive information by phone. Legitimate companies do not ask for passwords, private keys or two-factor authentication codes in this way.
  2. Check information sources. If you receive a suspicious call, end the conversation and contact the company via their official channels specified on their website. 
  3. Use two-factor authentication (2FA). Set up 2FA for all your accounts and use authenticator apps instead of SMS-based 2FA.
  4. Stay vigilant. Always verify information, especially if the caller is trying to intimidate you or invoke a sense of urgency. Scammers often use these psychological techniques to compel the victim to act without thinking. 
  5. Educate yourself, your family members, colleagues, and employees. Knowledge of different types of fraud and how to protect yourself is the best way to avoid losses. And for those who want to test their employees’ ability to resist vishing and social engineering attacks in general, we offer relevant testing as part of our Penetration Test service.

Thus, vishing is a serious threat for cryptocurrency users, especially for those who are not well-versed in methods of protection. However, by following simple security recommendations, you can considerably reduce the risk of becoming a scam victim. It is important to keep in mind that vigilance and awareness are your main protections. Do not fall for scammers’ tricks and always check information you receive before taking any action. And should you need expert help, please contact SEVEN SENSES.
