Archive, security

The Phishing Scam - How to Avoid it ?

HitBTC Team

6 min read
The Phishing Scam - How to Avoid it ?

There are a lot of scams going on. Many scammers use well known brands to trick people into giving out their details. Various offers of free cash and games on facebook with unbelievably good prizes. The world of Bitcoin is still very young so it’s a good idea to use a reputable exchange. Even when you are make sure it is not someone portraying to be them. Some scams can be hard to detect. Although there are many other scumbag ways of maliciously obtaining unsuspecting customers’ details, we’ll have a look at one of the most common scams out there. This scam can also affect a respected business’ reputation. This is the phishing scam.

 

The Phishing Scam

 

There are many different phishing scams out there. You can find them on your email, social media, forums etc. The main idea of a phishing scam is to get people to give out their personal info. This can be your email address, passwords, credit card details and many more. How it works is this – the scammer pretends to be someone they’re not. Be it a reputable company, known person or even a government agency. The design and content can be identical to the real thing and it can be rather difficult to tell whether it is legit or not.

 

How to spot a phishing scam?

 

There’s no complete guide that will guarantee you will never fall for a dodgy scheme however here are some pointers on what you can look out for.

  • Check if the URL is legit
  • Check the address an email was sent from
  • Beware of misspelled addresses
  • Hyperlinks might be different from the destination
  • Too good to be true
  • Look out for the “padlock” symbol next to the URL. Scam URLs don’t normally bother with a security certificate.

 

One way of spotting a phishing scam is to look at the URL. A scammy website can look identical to the real one. On lots of occasions the only thing that helps you spot out the scammy one is the URL of the site. The legit URL is normally companyname.com or something similar. Scamsters can use a different domain or mis-spell the name.

 For example they’ve also duplicated our site. It looks very similar to our older web version. The main image is a bit wonky however it could be seen as the real HitBTC page. The difference is in the address – http://hitbtc.2fh.co This site was asking for you to enter your email and password. This link was posted on many facebook cryptocurrency groups advertising that there were free coin giveaways on signup. We have reported this and their host has taken it down.

 

If you’ve been affected please get in touch

 

Another important thing to look out for (and this applies almost anywhere on the Internet) is that the site holds an SSL (Secure Sockets Layer) certificate. You can easily identify a page with an SSL certificate in most browsers by checking the URL starts with “https” rather than “http”. The other thing to spot is the padlock icon that appears next to the URL (the location and appearance of this icon will vary from browser to browser. Google Chrome displays it as a green padlock symbol, to the left of the URL).

 A site with an SSL certificate will encrypt all of your information, between the point of entry (your computer) and the receiving server. This means that anybody trying to capture that data to obtain your bank details etc will have a very, very hard time accessing it. Scammers, typically, won’t use SSL certificates because they can’t get hold of one and they don’t care about the security of your data. HitBTC, by the way, does use SSL, even for both our main page and the exchange platform. You can find out more about our safety features.

 When giving them these details the scammers can easily take over your account or use your email and details for other harmful purposes. This is why we recommend using our 2-step verification. We do our best to keep things as safe as possible but also double check whenever you’re asked to give out any type of account info. Check out more on using our safety features.

 When receiving emails always check the recipient’s email. One of the most common tactics is to mis-spell or replace a letter or two. This way your eye might not spot it and take the email as a legit one. Also the human brain tends to try and fill in the gaps as it were so when letter in a word are swapped it will assume the typo and register the word still as legit.

phishing scam

For example if you were to receive an email from someone portraying as ourselves but the address is info@hitbct.com. Your mind can easily be tricked so it is best to double check who the emails are sent from before entering any sensitive info. I myself received a phishing email allegedly from the tax office. Saying that I had overpaid my taxes and was due for a refund (yeah, right!). The email had all legit logos, the form looked identical to the one on my local tax & customs page. However there seemed to be a typo in the email address. It was indeed sent by a scammer, asking for my card details so that they could generously send me some cash.

Using non legit hyperlinks is also a commonly used way of scamming people out of their details. For example let’s say you receive a phishing email from someone pretending to be your bank. They ask you to sign in and update your details via a hyperlink – click here to sign in to your account. All looks legit however when you mouse over the actual hyperlink it might not actually be the real sign in link to your bank. Beware and always check that the links are legit. Even better go and log in typing the address in yourself.

 When something sounds too good to be true then, let’s face it, it probably is. Scamsters like to trick people by offering awesome prizes in return of entering your details. Just recently I spotted a phishing scam on facebook myself. It was an Emirates share and like game. So the scammers were offering 5 first class tickets to anywhere in the world. On top of that $5000 of travel money. All that just to like and share their post and sign up on their facebook page to enter the draw. It all seemed legit – nice shiny Emirates marketing image. The emirates logo on the facebook page. However if you looked closer the page title was Emirates Air. Also their following for the world’s best airline was suspiciously small.

 

Phishing statistics

 

Around 160 million phishing emails were sent globally every day in 2012. Most of them luckily are caught by spam filters – however every day about 10% also get through. That is 16 million malicious emails every single day. Around 50% of these are opened and 800 000 malicious links are clicked on a daily basis. 10% of these clicks become victims – that’s 80 000 people sharing personal info in good faith. Scary numbers aren’t they? This data is from 2012 and the numbers are on the rise. Phishing attacks rose by 162.79% from 2010 to 2014. Furthermore a study by Intel concluded that 97% of people cannot identify a well put together phishing email as malicious. As technology is constantly evolving, so too is the complexity of the methods used by criminals looking to phish your valuable, private information. Which is why we’re seeing more and more scams using full websites rather than some deceptive email campaigns. RSA reports they discover a phishing attack every minute. Have a look at losses due to phishing attacks in 2015.

 

What to do?

 

If you think you’ve fallen victim to a phishing scam related to HitBTC, the first thing to do is to login to your account and change your password, immediately. Make it something as complex and difficult for someone to guess as possible (never use any personal information in passwords: yours, or your relatives date of birth, for example). The other thing you should do is report it to us, so that we can investigate. In the case of scam websites, cloning our page and content, we will contact the host and/or registrar of that page and demand that they take down the page immediately. The sooner you tell us, the faster we can do this, thereby preventing more people from falling victim to these kinds of criminal activities.