Phishing scams have tricked everyone from reporters at the Associated Press to Washington insiders, and what crook worth her stolen credentials would give up on such a successful strategy? So phishers are once again repurposing a classic con: Tell people they’ve won or been given a lot of money and that they just have to do XYZ—this is the identity- and/or money-stealing part—to claim what’s owed to them. In this iteration, the phishers are dangling bitcoins as the lure.
Slate’s news editor, Chad Lorenz, received the above email yesterday around 1 p.m. He quickly realized that something was wrong, even though the email looks pretty good: It’s not trying too hard, it uses the Coinbase logo (Coinbase is a popular bitcoin wallet service), and it even has a copyright sign. But Lorenz wasn’t expecting any money, and certainly not any cryptocurrency. Plus, assuming it was his lucky day, whose “external bitcoin account” was the bounty coming from? (Turns out that several other Slate staffers received the email as well.)
John OBrien, a spokesperson for Coinbase, wrote in an email that the phishing message had a few warning signs: “[T]here are a few red flags. ‘Hi,’ (not addressed to anyone) and ‘from an external account’ (not from anyone). Additionally the link will not take you to Coinbase.com.”
Phishing scams promising bitcoins seem to have been percolating in January, and Coinbase published a blog post on the topic last month, noting that it had upped its security and encouraging “all customers to exercise caution when clicking links to financial institutions or payment services online.”
The steps to identifying one of these scam emails are the same or very similar to what they would be if the phishers were promising U.S. dollars, or any currency. It seems probable that phishers are taking advantage of confusion about what bitcoin is and how it works in order to make people click the links. For example, according to a recent interview/check-in call, my 91-year-old grandma—who reads her email on an iPad—revealed that she thinks bitcoin works like a digital giftcard.
Protecting yourself just comes down to common sense, according to Chester Wisniewski, a senior security adviser at the data security firm Sophos. “Why are you randomly, unexpectedly being given money? How often does that happen?” he wrote in an email. “Even if you want to believe it is true (it never is), the correct course of action to verify the transaction is to go to the site claiming to have emailed you … never click a link in an unsolicited message.”