
Chapter 9

How to stay safe in crypto

The world of crypto is a place of freedom and opportunities, but it is also full of dangers and scams. Learn to recognize and avoid them!

20 minutes | Alexander de Reuter | Published 2024-09-03 | Updated 2024-09-07

Table of contents

  1. Secret phrases
  2. Social media
  3. Advertisement
  4. Connecting to websites
  5. Phishing emails
  6. ICOs & NFTs
  7. Investment scams
  8. Fake tokens
  9. Scam scheme example
  10. Conclusion

Secret phrases

If you have read the previous chapters of our learning series, you know that one of the key purposes of cryptocurrencies is self-custody, and that self-custody is all about holding and securing a secret phrase.

Therefore, we will begin this article with a refresher on secret phrases (you will find a more detailed article about what secret phrases are here) and the best practices for handling them safely and securely.

About secret phrases

A secret phrase (also called a seed phrase) consists of a series of 12 or 24 random words that constitute the master key to your wallet, and therefore your assets.

You can think of it like the PIN code to your bank account or credit card, as it gives you control over your crypto-assets. But more than a password, a secret phrase is also the only way to restore your wallet at any time and in any self-custodial app.

You receive a secret phrase when you create your wallet, with an app like Bridge Wallet or any other self-custodial wallet.

For example, if you use Bridge Wallet on your mobile phone and accidentally delete the app, you can easily restore your wallet with its secret phrase. Without it, it would be irrevocably lost, including all its assets.

In a nutshell

  • You receive a secret phrase when you create a wallet.
  • Whoever controls a secret phrase controls its wallet and assets.
  • The secret phrase is the only way to restore a wallet.

Secret phrase security

The proper and safe handling of a secret phrase is as simple as it is important. Therefore, it is crucial that you take the time to read and learn the following rules:

  1. When you create a new secret phrase, immediately write it down. Make sure to write the words in the exact same order.
  2. Never show your secret phrase to someone else, or that person will be able to take your funds!
  3. Store your secret phrase backup correctly in a safe spot that you won't forget (more on that below).
  4. Don't take photos or screenshots of your secret phrase, as those can be easily seen or stolen.
  5. Never save your secret phrase online (emails, Google Drive, etc.) or on a device that is connected to the internet (computer, mobile phone, etc.), otherwise it will be exposed to malware and viruses.
  6. Never type your secret phrase in a web form.
  7. Avoid using your secret phrase unless absolutely necessary. The more you handle it, the greater the risk of compromising it one way or another.
  8. If you use different wallet apps, create a new secret phrase for each one of them instead of using the same secret phrase across multiple apps.

Secret phrase storage

Now that you know the basic rules to handle a secret phrase, the next important step is to back it up safely.

The most obvious way is to write it down on a piece of paper and store it in a vault or safety box. But is paper really secure? Indeed, it can easily burn or be damaged by water, turn yellow, etc. Also, ink is not eternal and it will slowly vanish over time.

A common and more secure alternative is to engrave your secret phrase on a metal support. It is not as complicated as it sounds, and many easy-to-use products exist on the market.

Metal cases are great solutions to store important amounts permanently, and investing in such products is a good idea. They will protect your secret phrase from fire, water and most environmental hazards, and can also be easily stored in a safe or any other secure location.

There is a wide range of options on the market from a variety of manufacturers. Some of them offer the option of stamping the secret phrase into steel plates, with all the necessary tools being included with the product:

Kryptostahl steel plate

Steel plate from kryptostahl.de

Some others propose metal cases that contain a pack of tiny plates with letters that you can use to form the corresponding words of the secret phrase, and lock them in the correct order within the case:

Cryptosteel Cassette Solo

Metal case from Cryptosteel.com

You will find an in-depth review with stress tests of many different metal storage solutions in this article.


Social media

There are countless dangers lurking on social media. As most of us use these platforms on a daily basis, they are a prime target for scammers and hackers. The sections below will raise your awareness about the most common sources of danger.

Telegram

Many crypto projects and communities have public or private groups on the messaging app Telegram, which makes it a target of choice, especially considering the platform's lack of features to fight common scam practices.

Most of the time, scams happen in private messages. If you are contacted by someone you don't know via private message on Telegram, it is guaranteed to be a scam! So if you receive a private message, an alarm should immediately ring in your head and you should apply the following rules:

Telegram safety rules

  • If you don't directly know the person contacting you in private message, block and report that person.
  • If you are being contacted when you haven't requested to be contacted first, block and report that person.
  • If you are being contacted by someone pretending to be a company's admin or support staff, block and report that person.

It is very important to report a suspicious user to Telegram, because the platform will automatically block that person from contacting anyone else in private message on Telegram. By reporting a scammer, you might therefore save someone else from being scammed.

🚫 Block unwanted groups and channels

It also happens that from time to time, you are suddenly invited or added into a group without having actively asked for it. Unfortunately, Telegram's default settings are set so that anyone can add you to any group. To prevent it, here is how to modify your Telegram settings:

  1. Open your Telegram Settings
  2. Click on "Privacy and Security"
  3. Click on "Invites"
  4. Under "Who can add me to group chats?", select either "Nobody" or "My Contacts". The default setting "Everybody" allows anyone to invite you to any group, which should absolutely be avoided.
Telegram's group invites setting

🚫 Block unwanted private messages

To prevent scammers from bothering you in private messages, you can modify your Telegram settings as follows (only available in Telegram Premium):

  1. Open your Telegram Settings
  2. Click on "Privacy and Security"
  3. Scroll down to the section named “New chats from unknown users”
  4. Activate the “Archive and mute” button
Telegram's Archive and Mute setting

Discord

When browsing the Discord server of a crypto project, the most common danger is scammers pretending to be part of the project's support team.

When you ask a question in a channel, scammers will immediately invite you to open a support ticket by following a link that will either directly bring you to a website or to another Discord server belonging to the scammers.

Their purpose will be to lead you to connect your wallet to their website in order to help you resolve your issue, and when you do they will be able to drain your funds.

Discord support scams

Needless to say, never click on such support links and always follow the project's official contact methods for support.

Giveaways

Even if they are no longer the most popular scam, fake giveaways still exist. They can be published across all social media platforms in many different formats.

For instance, on YouTube you can find live streams of real talks by crypto personalities, which are republished by scammers to promote a "giveaway" that shows a QR code or similar, where users need to send cryptocurrencies in order to receive double the amount back.

YouTube fake streams

This is, of course, absolute nonsense and an obvious scam. Under no circumstances should you ever send cryptocurrencies to such addresses.

Fake comments

Spam and scam comments are omnipresent and can be found in reply to the official posts of pretty much any crypto company on any social media platform.

Fraudsters create fake comments with fake profiles to advertise dubious coins and showcase extreme profits made through certain investments, or promote working with a broker or investment advisor. In most cases, email addresses or mobile phone numbers are also included in the comments. The scammers usually reply to their own comments with further fake profiles to make them appear legitimate:

YouTube fake comments

Advertisement

Ads on social media are a somewhat paradoxical situation. While most platforms explicitly forbid or restrict legitimate crypto companies from advertising their services, it is surprisingly easy to publish ads for crypto scams, including in Google's search results. It is therefore important to learn the most common types to be able to recognize and avoid them.

The most frequent type is probably ads published by fake accounts that are copies of the profiles of real companies. The tactic is to pose as a famous brand and publish a highly desirable offer, counting on the fact that you will be so excited by it that you will click on it before you have time to think. Most of the time, those ads announce an airdrop and invite you to claim your free money.

Needless to say, don't click on those. If you do, you will open a phishing website that will invite you to connect a wallet in order to drain your funds.

Another frequent type is ads for financial advisors promoting investment programs with amazing yield performance. 100% of those are scams. Why? Because real advisors who are able to deliver such financial returns don't need to run ads to get clients.

Finally, another common scam tactic is to buy ads on Google to show you links to phishing websites. For instance, if you search for a crypto website on Google, the first result might be a scam ad that will lead you to a fake website designed to make you connect your wallet and drain its content, while the second result is the correct one:

Google Ads scams

To avoid ads scams, follow these simple rules:

  • Bookmark the official websites that you use the most, and access them via your browser bookmarks only.
  • Always double check that you are on a website's correct URL.
  • When searching for a website, avoid clicking on ads in the search results.
  • Before claiming an airdrop, always verify from multiple sources (official website, social media, discussion groups, friends, etc.) that it is legit.
  • Don't click on ads for investment programs and advice.

Connecting to websites

The world of decentralized finance is a rich and thriving ecosystem, and the majority of its users go to website-based apps like Aave or Uniswap.

To use such websites, you need to connect your wallet to them, through a choice of different options:

Website connect wallet

For instance, connecting a mobile wallet like Bridge Wallet will use WalletConnect.

The steps of connecting and using a wallet on a website will always look like this:

  1. You will approve a request to connect your wallet.
  2. Some websites may then ask you to sign a message to verify your wallet.
  3. Once you initiate a transaction, you will need to review it and approve it in your wallet.

Steps 1 and 2 are only exchanges of data, so they must be completely free of transaction fees. Only step 3 should show you a transaction fee when reviewing the request, because that's the only moment funds will actually be moved.

When using a website, if you preview transaction fees for steps 1 and 2, beware: the request is most likely encoded in a way to trick you into approving the website to withdraw your funds and send them elsewhere.
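
The rule above can be checked mechanically. The following is an added example, not code from Bridge Wallet or any website: it sorts the requests a site sends to a wallet into the three steps and decodes a transaction's data to see whether it is a token approval. It assumes the standard Ethereum JSON-RPC method names and the standard ERC-20/ERC-721 function selectors; the function names, addresses and sample requests are constructed for illustration.

```javascript
// Steps 1 and 2 only exchange data, so these methods never carry an on-chain fee.
const CONNECT_METHODS = new Set(["eth_requestAccounts", "eth_accounts", "wallet_requestPermissions"]);
const SIGN_METHODS = new Set(["personal_sign", "eth_signTypedData_v4"]);

// 4-byte selectors of standard calls that give another address rights over your tokens.
const APPROVAL_SELECTORS = {
  "0x095ea7b3": "approve(address,uint256)",
  "0x39509351": "increaseAllowance(address,uint256)",
  "0xa22cb465": "setApprovalForAll(address,bool)",
};
const MAX_UINT256 = (1n << 256n) - 1n;

// Decode the two 32-byte arguments after the selector, if the call is an approval.
function decodeApproval(data) {
  const hex = String(data || "0x").toLowerCase();
  const signature = APPROVAL_SELECTORS[hex.slice(0, 10)];
  if (!signature || hex.length < 138) return null; // "0x" + 8 + 64 + 64 hex characters
  const grantee = "0x" + hex.slice(34, 74);        // low 20 bytes of argument 1
  const arg2 = BigInt("0x" + hex.slice(74, 138));
  const forAll = signature.startsWith("setApprovalForAll");
  return { signature, grantee, unlimited: forAll ? arg2 === 1n : arg2 === MAX_UINT256 };
}

// expectedStep: 1 = connecting, 2 = verifying with a signature, 3 = a transaction you started.
function reviewRequest(request, expectedStep) {
  const findings = [];
  if (CONNECT_METHODS.has(request.method)) return { step: 1, fee: false, findings, approval: null };
  if (SIGN_METHODS.has(request.method)) return { step: 2, fee: false, findings, approval: null };
  if (request.method !== "eth_sendTransaction") {
    return { step: null, fee: false, findings: ["unknown method, review by hand"], approval: null };
  }
  if (expectedStep !== 3) {
    findings.push("fee-bearing transaction presented during connect/verify");
  }
  const tx = (request.params && request.params[0]) || {};
  const approval = decodeApproval(tx.data);
  if (approval) {
    const scope = approval.unlimited ? "unlimited " : "";
    findings.push(`${approval.signature} grants ${scope}rights over your tokens to ${approval.grantee}`);
  }
  return { step: 3, fee: true, findings, approval };
}

// Constructed sample requests (all addresses are made up).
const SPENDER = "0x" + "ab".repeat(20);
const TOKEN = "0x" + "cd".repeat(20);
const SAMPLE_CONNECT = { method: "eth_requestAccounts", params: [] };
const SAMPLE_VERIFY = { method: "personal_sign", params: ["0x48656c6c6f", "0x" + "12".repeat(20)] };
const SAMPLE_DISGUISED = {
  method: "eth_sendTransaction",
  params: [{ to: TOKEN, value: "0x0", data: "0x095ea7b3" + SPENDER.slice(2).padStart(64, "0") + "f".repeat(64) }],
};

for (const [label, request, step] of [
  ["connect", SAMPLE_CONNECT, 1],
  ["verify", SAMPLE_VERIFY, 2],
  ["prompt shown as 'verify'", SAMPLE_DISGUISED, 2],
]) {
  const result = reviewRequest(request, step);
  console.log(label, "-> fee:", result.fee, result.findings);
}
```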


Phishing emails

Phishing email scams are currently very popular, and therefore very dangerous. The goal of phishing is to trick you into giving away sensitive information that will allow the scammer to steal something valuable from you (your identification data, your money, etc.).

Phishing emails are intended to imitate emails from genuine and reputable exchanges or service providers, and they usually look deceptively real.

Fortunately, phishing emails are quite easy to recognize if you know exactly where to look.

First of all, you should take a look at the sender's address. Does it look correct, or is something off? It has to be exact, because even remotely close addresses can be made up very easily. For example, an email sent from an address that ends with @amazon.com is legit, while @amazon-service.com is a fraud.

In our case, you will only receive emails from addresses that end with @mtpelerin.com. Here are a few examples of fraudsters who have tried to send phishing mails in our name and copied our email layout:

Fake Mt Pelerin email

The first thing you can recognize here is the fake sender address. If it does not end with @mtpelerin.com, you can block the sender and delete the e-mail immediately.

The next thing you should look at is the text/content of the e-mail. The fraudsters usually come from abroad and use translation tools. This results in strange and unusual formulations, sentence structure errors and spelling mistakes, which are also easy to recognize.

Also, the content of the email often shows clearly how fraudsters are trying to access your funds. For instance, the email will say that your wallet is supposedly blocked for some reason, and can be unlocked by paying a fee. If you know how a wallet works, you will immediately know that this is of course complete nonsense.

Bridge Wallet and all other self-custodial apps are completely decentralized, which means that only you have access to your wallet and no one else. It is technically impossible to block a wallet, and therefore just as impossible to "unblock" it.

Safety rules:

  • Always verify the sender's email address.
  • Watch out for strange wording, syntax errors and typos.
  • In case of doubt, never hesitate to contact us to double check!
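
The sender check described above, written out as an added example (not Mt Pelerin's code): it extracts the domain from a From header, requires an exact match with the expected domain, and explains why near misses such as @amazon-service.com are look-alikes. Function names and the sample headers are constructed.

```javascript
// Extract the address domain from a From header such as `Name <user@host>`.
// Only the address inside the final <...> counts; the display name is free text.
function senderDomain(fromHeader) {
  const angle = fromHeader.match(/<([^<>]*)>\s*$/);
  const address = (angle ? angle[1] : fromHeader).trim();
  const at = address.lastIndexOf("@");
  if (at < 1 || at === address.length - 1) return null;
  return address.slice(at + 1).toLowerCase().replace(/\.$/, "");
}

// Edit distance between two strings, used to spot one- or two-character typo domains.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const row = [i];
    for (let j = 1; j <= b.length; j++) {
      const substitution = prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1);
      row[j] = Math.min(prev[j] + 1, row[j - 1] + 1, substitution);
    }
    prev = row;
  }
  return prev[b.length];
}

function checkSender(fromHeader, trustedDomain) {
  const domain = senderDomain(fromHeader);
  if (domain === null) return { verdict: "unparseable", domain, reasons: [] };
  if (domain === trustedDomain) return { verdict: "exact-match", domain, reasons: [] };
  const brand = trustedDomain.split(".")[0];
  const labels = domain.split(".");
  const reasons = [];
  if (domain.includes(brand)) reasons.push("contains the brand name but is a different domain");
  if (labels.some((label) => label.startsWith("xn--"))) {
    reasons.push("punycode label that may render as look-alike letters");
  }
  if (labels.some((label) => label !== brand && editDistance(label, brand) <= 2)) {
    reasons.push("within two edits of the brand name");
  }
  return { verdict: reasons.length ? "lookalike" : "unrelated", domain, reasons };
}

// Constructed sample headers.
const SAMPLE_SENDERS = [
  ["Mt Pelerin <support@mtpelerin.com>", "mtpelerin.com"],
  ["Mt Pelerin <support@mtpelerin-service.com>", "mtpelerin.com"],
  ["help@mtpelrin.com", "mtpelerin.com"],
  ["info@mtpelerin.com.account-check.example", "mtpelerin.com"],
  ['"support@mtpelerin.com" <notice@mail.example.net>', "mtpelerin.com"],
  ["Amazon <orders@amazon-service.com>", "amazon.com"],
];
for (const [header, trusted] of SAMPLE_SENDERS) {
  const result = checkSender(header, trusted);
  console.log(result.verdict.padEnd(12), result.domain, result.reasons);
}
```

Anything other than `exact-match` should be treated as not coming from the expected sender. An exact match is necessary but not sufficient, because the From header itself can be forged; that is what the receiving mail server's SPF, DKIM and DMARC checks cover.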

ICOs & NFTs

A large number of new coins, new projects and new ICOs appear on the market almost every day.

While some of them are legit, many are outright scams whose sole purpose is to try to hype you to invest money in a project or to acquire a token that will skyrocket soon.

Once you do, many of the (anonymous) project founders will simply vanish with the funds. Some of those scams are even promoted by real, gullible celebrities or greedy influencers, so it can be hard sometimes to separate the wheat from the chaff.

Just like with any other investment outside of the crypto world, you should only invest what you are ready to lose. Beyond that, you should always do your own research when considering an investment in a new token or in an NFT.

Basic rules to review a project:

  • Scrutinize the project thoroughly. Does it make sense? What is it proposing and why? Is it realistic?
  • Research the founders, who they are, what are their skills and what is their background. If they are completely anonymous, that's usually a red flag unless they have a long standing reputation in the crypto space.
  • Check the project's website and documentation. Do they look serious and professional?
  • Never hesitate to ask the opinion of your entourage.

Investment scams

Fraudulent investment opportunities are another frequent attack vector for fraudsters, who will try to push them to you in different ways, some of which we have already covered in the previous sections. Again, the most important thing here is to use your common sense.

Investment opportunities with huge profits are absolutely dubious and very likely to be scams. Offers boasting about going from €1,000 to €100,000 in two weeks or similar are obviously unrealistic and scams. These are often marketed under the term "1000x returns".

All investment offers made on the phone, via WhatsApp or Telegram are always scams! You will never be called by a stock exchange, a trading platform or an exchange service like us. If you are contacted by someone offering such an investment opportunity, delete the number, block the person and stop all contact immediately.

Safety rules:

  • If an investment seems too good to be true, it's because it is.
  • Use your logic and common sense.
  • Get rich quick schemes are scams.
  • 1000x returns are scams.
  • Investment offers by phone or on messaging apps like Telegram are scams.

Fake tokens

Fake tokens are today one of the most common scams in the crypto space, and usually go hand in hand with other types of scams.

What many beginners don't realize is that any token - apart from Bitcoin - can be "faked".

Indeed, anyone can freely create a token on a blockchain and give it any name they want, including the name of existing tokens. Only the token's address is unique.

Inexperienced users will not notice the difference between real and fake tokens at all or, unfortunately, only much too late. They will often notice it when they try to sell those tokens, but as they are worthless it is logically not possible to do so.

Fake tokens are often paid out as an alleged profit from fake investments in order to make the customers believe they really received something. The most frequently faked token is the USDT stablecoin, which exists across several blockchains.

Here is how you can recognize fake tokens yourself. To do so, use a block explorer to visualize your wallet and its content from your browser. We use Etherscan in this example.

  1. Open the website etherscan.io in your browser.
  2. Enter your public Ethereum address in the search bar.
  3. You now see the state of your wallet on the blockchain, your balance and all transactions transparently. The first thing we see under "Token Holdings" is that we hold two tokens on the wallet, but they have no value. This is usually the sign of fake tokens. Let's click on the "Token Transfers (ERC-20)" tab to take a closer look.
    Etherscan address screen
  4. We are now in the "Token Transfers (ERC-20)" tab and can view all token movements and account balances. The first thing we notice is that the tokens in the column on the right do not have a real logo, but only a default gray Ethereum logo.
    Etherscan token transfer tab
  5. If we click on that token, we now have an overview of the token itself. Here, too, we can see that it has no logo, as the real stablecoin would have. The "HOLDERS" section shows only a small number of wallets, when the real tokens, in this case USDT, are usually held by millions of people. Sometimes, Etherscan will even show you a warning message that you are looking at a fake token:
    Etherscan fake USDT
  6. We can now be sure that these are fake tokens. In comparison, below is the token screen of the real USDT. You can see a correct logo at the top left, a verified blue checkmark next to its name, and a very large number of holders as well as other token data.
    Etherscan real USDT
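
Because only the token's address is unique, the same check can be done by comparing contract addresses instead of names. The following is an added example, not part of the original article or of Etherscan: it flags holdings whose symbol reads like a known token while their contract address differs from the official one. The registry address and the sample holdings are constructed placeholders; the real registry must be filled from each issuer's official documentation.

```javascript
// Placeholder registry: symbol -> official contract address (constructed value).
const OFFICIAL_TOKENS = { USDT: "0x" + "11".repeat(20) };

// Small illustrative subset of non-Latin capitals that render like Latin ones.
const CONFUSABLES = {
  "\u0410": "A", "\u0421": "C", "\u0395": "E",
  "\u039F": "O", "\u0405": "S", "\u0422": "T",
};

// Reduce a displayed symbol to the Latin name a reader would take it for.
function normaliseSymbol(symbol) {
  return symbol
    .normalize("NFKC")                        // fold full-width and compatibility forms
    .replace(/[\s\u200B-\u200D\uFEFF]/g, "")  // drop spaces and zero-width characters
    .toUpperCase()
    .replace(/./gu, (ch) => CONFUSABLES[ch] || ch);
}

// The contract address decides; the symbol only tells us which token is being imitated.
function classifyToken(token, registry = OFFICIAL_TOKENS) {
  const contract = token.contract.toLowerCase();
  const officialAddresses = Object.values(registry).map((a) => a.toLowerCase());
  if (officialAddresses.includes(contract)) return "genuine";
  return registry[normaliseSymbol(token.symbol)] ? "impersonation" : "unlisted";
}

// One verdict per distinct contract found in a wallet's token list.
function auditHoldings(holdings, registry = OFFICIAL_TOKENS) {
  const seen = new Map();
  for (const token of holdings) {
    const contract = token.contract.toLowerCase();
    if (!seen.has(contract)) {
      seen.set(contract, { symbol: token.symbol, contract, verdict: classifyToken(token, registry) });
    }
  }
  return [...seen.values()];
}

// Constructed holdings, shaped like the rows of a block explorer's token list.
const SAMPLE_HOLDINGS = [
  { symbol: "USDT", contract: "0x" + "11".repeat(20) },      // official placeholder address
  { symbol: "USDT", contract: "0x" + "9a".repeat(20) },      // same name, different contract
  { symbol: "USD\u0422", contract: "0x" + "9b".repeat(20) }, // Cyrillic letter in place of T
  { symbol: "XYZ", contract: "0x" + "9c".repeat(20) },       // not in the registry
];
console.table(auditHoldings(SAMPLE_HOLDINGS));
```

An `unlisted` verdict says nothing about legitimacy; it only means the registry has no official address to compare against.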

Example of a common scam scheme

To give you an illustration, we will detail here a typical scam scheme that involves a fake investment platform and fake tokens. The diagram below gives you an overview of how it works:

Fake token scheme

First, the victim is contacted by an alleged trader / broker / investment advisor, through email, social media, online ads, or on the phone (they often buy hacked contact databases). These contact methods alone should immediately raise a red flag. Sadly, many uninformed customers fall for this as they seek "financial advice" and engage in a conversation.

Then, the scammer will present their amazing investment program where the victim can earn easy money by simply depositing funds, which the investment advisor will manage for them.

They will take you to their website, which often looks professional enough to seem legit, where you will have to sign up and create a user profile. That registration will allow them to collect all your personal information, which they will use to create an account with your name on a real crypto exchange platform.

The next step will be to deposit funds to credit your account on their fake platform. To do so, they will simply give you the payment information of the real crypto platform, hoping that you don't react to the beneficiary's name. A fake advisor will sometimes accompany the victim on the phone or in a video conference to ensure they make that payment correctly. Usually, only a small sum is required at first to keep the victim's guard down.

Once the scammers have the funds, the victim is led to believe that the money is being quickly multiplied by showing a fake trading dashboard and official-looking account statements. The real money is of course never traded.

Naturally, the victim will want to cash out the great gains at some point. When it happens, the fraudsters will demand that the victim pay a commission for their work in advance, which is usually a percentage of the fictional performance. In view of the fantastic winnings, the victim usually agrees in good faith and transfers a sometimes very high amount to the fraudsters, believing they have earned far more. Of course, this is not the case, but the commission is paid with real money and funds are therefore lost forever.

To gain time to vanish, the scammers will sometimes pay the victim's huge earnings in crypto to a wallet, sending fake worthless tokens. The victim will see for instance 200,000 USDT on their wallet and will spend time trying to understand how to cash them out in fiat. When they finally understand they got played, the scammers are long gone and no longer answer the victim's messages.

Scam recovery services

Worse, some scammers will answer under a different name and offer an investigation / recovery service to their victims. With those services, the victims will have to pay a service fee in advance, which is usually calculated as a percentage of the stolen funds.

Needless to say, you should never pay anything in advance in the hope of recovering stolen funds, or you will be scammed twice. The only correct thing to do if you have been defrauded is to go to the police and file a complaint.


Conclusion

The basics of security in the crypto space must be learned carefully by anyone who intends to use crypto seriously. If you understand them and remain vigilant, you will be able to avoid the vast majority of scams.

As a good rule of thumb, you should always:

  • Use your common sense.
  • Question, verify and never trust anything.
  • Run away from too good to be true opportunities.
  • Seek help in case of doubt, before sending money.

And of course, you should always seek to learn more and educate yourself. There is a lot of free and great educational content about cryptocurrencies online, so make use of it and take the time to read it.

If you don't know where to start, we have created a guide for beginners, which will give you all the basics you need to know.

Stay safe!


About the author

Alexander de Reuter

Alex is a member of Mt Pelerin's customer support team and is an expert at providing advice and assistance to users who are taking their first steps in the crypto space. He began his own journey when he discovered Bitcoin back in 2018.
