
What is a phishing attack in cryptocurrency?

December 9th, 2025, 6:50 am
A crypto phishing attack tricks users into giving up sensitive info like private keys or seed phrases by impersonating trusted crypto services (exchanges, wallets) through fake emails, texts, or websites, leading to stolen funds, often via fake login pages or malicious smart contract approvals. Scammers use fake alerts, support impersonations, or bogus airdrops to lure victims to fake sites that drain their wallets when they enter credentials or sign deceptive transactions.


How Crypto Phishing Works

  1. Impersonation: Attackers send messages (email, SMS, social media) that look like they're from legitimate entities like Ledger, MetaMask, or Binance.
  2. Fake Websites: They direct users to look-alike websites (typosquatting, e.g., "binance.com" vs. "binans.com") where users enter login details or wallet recovery phrases.
  3. Malicious Contracts: Users might be tricked into signing malicious smart contracts (drainware) that allow scammers to siphon funds from their wallets.
  4. Deceptive Offers: Fake airdrops or staking rewards prompt users to connect their wallets to malicious sites to "claim" them, stealing funds in the process.
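
For the malicious-contract step above, a wallet user or reviewer can decode what a pending transaction would approve before signing it. The following is an added example, not code from the original page or from any wallet; the sample calldata and the spender address are constructed placeholders, and `inspect_calldata` is a hypothetical helper name.

```python
# Well-known 4-byte selectors of the two standard token approval calls.
APPROVE = "095ea7b3"               # ERC-20 approve(address,uint256)
SET_APPROVAL_FOR_ALL = "a22cb465"  # ERC-721/1155 setApprovalForAll(address,bool)
MAX_UINT256 = 2**256 - 1

# Constructed sample: approve(<placeholder spender>, 2**256 - 1).
SAMPLE_SPENDER = "0x" + "11" * 20
SAMPLE_UNLIMITED = "0x" + APPROVE + "00" * 12 + "11" * 20 + "ff" * 32

def inspect_calldata(calldata, known_spenders=()):
    """Describe the approval requested by hex calldata; None if it is not an approval."""
    data = calldata.lower()
    if data.startswith("0x"):
        data = data[2:]
    selector, args = data[:8], data[8:]
    if selector not in (APPROVE, SET_APPROVAL_FOR_ALL):
        return None
    # Both calls take exactly two 32-byte words (64 hex characters each).
    if len(args) != 128 or not set(args) <= set("0123456789abcdef"):
        return {"call": "malformed-approval", "warnings": ["arguments are not two 32-byte words"]}
    spender = "0x" + args[24:64]  # an address is the low 20 bytes of word 0
    value = int(args[64:], 16)
    warnings = []
    if spender not in {s.lower() for s in known_spenders}:
        warnings.append("spender is not a contract the user already knows")
    if selector == APPROVE:
        call = "approve"
        if value == MAX_UINT256:
            warnings.append("unlimited allowance")
    else:
        call = "setApprovalForAll"
        if value != 0:
            warnings.append("grants control of every token in the collection")
    return {"call": call, "spender": spender, "value": value, "warnings": warnings}

if __name__ == "__main__":
    print(inspect_calldata(SAMPLE_UNLIMITED))
```

Any warning in the result is a reason to stop and confirm the site and the spender through an independent channel before signing.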


Common Red Flags

  1. Urgent Requests: Demands to "verify account" or "secure funds" immediately.
  2. Poor URL/Spelling: Tiny typos in website addresses or brand names.
  3. Unexpected Tokens: Receiving strange tokens with clickable links in your wallet.
  4. Requests for Private Keys: Legitimate services never ask for your seed phrase or private key.


Website forgery scam

This type of scam is commonly paired with other scams such as the account deactivation scam (see below). In this attack, the attacker creates a website that is virtually identical to the legitimate website of a business the victim uses, such as a bank. When the user visits the page through whatever means, be it an email phishing attempt, a hyperlink inside a forum, or via a search engine, the victim reaches a website which they believe to be the legitimate site instead of a fraudulent copy. All information entered by the victim is collected for sale or other malicious use.


In the early days of the Internet, these types of duplicate pages were fairly easy to spot due to their shoddy craftsmanship. Today the fraudulent sites may look like a picture-perfect representation of the original.


By checking the URL in the web browser, it may be possible to spot a fraud. If the URL looks different than the typical one, this should be considered highly suspect. If the page is listed as insecure and HTTPS is not on, this is a red flag and virtually guarantees the site is either broken or a phishing attack.


Attackers can, however, use domain spoofing to closely imitate the actual URL of the website. They can also use methods like domain hijacking to take over the website's actual address. Even the sharpest users can be fooled; therefore it is sometimes wise to reach out to the purported source of the email (such as by calling the bank's customer service line) to make sure the message that led to the webpage is legitimate.
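
The URL check described above, and the typosquatting example from the earlier list ("binance.com" vs. "binans.com"), can be automated for links found in mail or chat. This is an added example, not code from the original page; the allowlist, the look-alike character map and the `.example` hostname are constructed, and the two-label domain split is a simplifying assumption.

```python
import unicodedata

# Constructed allowlist: registrable domains the user actually intends to visit.
TRUSTED = ("binance.com", "ledger.com", "metamask.io")

# Small illustrative map of look-alike characters (digits and Cyrillic letters).
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0456": "i",
})

def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Naive last-two-labels split; production code should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])

def classify(host, max_distance=2):
    """Return (verdict, trusted_domain_or_None) for a hostname taken from a URL."""
    host = unicodedata.normalize("NFKC", host).lower().rstrip(".")
    domain = registrable(host)
    if domain in TRUSTED:
        return ("trusted", domain)
    skeleton = domain.translate(CONFUSABLES)
    for good in TRUSTED:
        # Real brand name used as subdomain labels of an unrelated domain.
        if host.startswith(good + ".") or ("." + good + ".") in host:
            return ("brand-in-subdomain", good)
        # Homoglyph swap (distance 0 after folding) or a small typo.
        if edit_distance(skeleton, good) <= max_distance:
            return ("lookalike", good)
    return ("unknown", None)

if __name__ == "__main__":
    for h in ("www.binance.com", "binans.com", "b\u0456nance.com",
              "binance.com.account-verify.example", "example.org"):
        print(h, classify(h))
```

An "unknown" verdict means only that the host resembles nothing on the allowlist, so it says nothing about hijacked legitimate domains, which still require the out-of-band confirmation described above.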



Advanced-fee scam

This common email phishing attack was popularized by the “Nigerian prince” email, where an alleged Nigerian prince in a desperate situation offers to give the victim a large sum of money for a small fee upfront. Unsurprisingly, when the fee is paid, no large sum of money ever arrives. Interestingly, this type of scam has been occurring for over a hundred years in different forms; it was originally known in the late 1800s as the Spanish Prisoner scam, in which a con artist contacted a victim to prey on their greed and sympathy. The con artist was allegedly trying to smuggle out a wealthy Spanish prisoner, who would reward the victim handsomely in exchange for the money to bribe some prison guards.


This attack (in all its forms) is mitigated by not responding to requests from unknown parties in which money has to be given to receive something in return. If it sounds too good to be true, it probably is. A simple Google search on the theme of the request or some of the text itself will often bring up the details of the scam. Spam filters can be trained to catch these types of emails as well.


What is whaling?

For attacks that are directed specifically at senior executives or other privileged users within businesses, the term whaling is commonly used. These types of attacks are typically targeted with content likely to require the attention of the victim such as legal subpoenas or other executive issues.


Another common vector of this style of attack is whaling scam emails that appear to come from an executive. A common example would be an email request coming from a CEO to someone in the finance department requesting their immediate help in transferring money. Lower-level employees are sometimes fooled into thinking the importance of the request and the person it’s coming from supersede any need to double check the request’s authenticity, resulting in the employee transferring large sums of money to an attacker.


Phishing across multiple channels

Attackers with sufficient resources to do so may conduct phishing campaigns across multiple channels at once. Instead of simply sending emails to their targets, they also send text messages, call them on the phone, reach out to them on social media, and so on. Generative AI models can help the attackers create the content they need, from email text to deepfakes of trusted persons. This article on multichannel phishing explains how Zero Trust security can help organizations defend themselves against such campaigns.


How does Cloudflare help organizations defend against phishing attacks?

Phishing can occur over a variety of attack vectors, but one of the biggest is email. Many email providers automatically try to block phishing emails, but sometimes they still get through to users, making email security an important concern.


Fortunately, there are many telltale signs that indicate an email may be part of a phishing attack. Learn how to identify a phishing email.


Additionally, Cloudflare Email Security offers advanced phishing protection, crawling the Internet and investigating phishing infrastructure to identify phishing campaigns in advance. Learn how Cloudflare Email Security works.