TL;DR: Coinbase customer support will never proactively contact you via phone or social media. If you are ever contacted by someone claiming to be from Coinbase or any other financial institution you do business with - never proactively provide them with any information.
We have recently seen an uptick in targeted attacks against customers of large technology and financial institutions, including Coinbase. Specifically, threat actors are using personally-identifiable information (PII) harvested from other data breaches, unrelated to Coinbase, to target customers. Armed with this PII the threat actors are directly contacting customers via texts, voice calls, social media messages, etc. and they often impersonate Coinbase customer support. If you are ever proactively contacted, hang up and reach out to a known customer support channel directly from our website or mobile application (or the website of another financial institution you do business with). If you are ever concerned about fraud related to your Coinbase account please refer here for steps you can take to immediately secure your account.
For a detailed example of one of the latest scams and how to recognize it - read on!
The Set-up
4:35pm – You notice a new text message on your mobile phone. You are surprised to see that the message appears to relate to your Coinbase account. It indicates that a transfer of 15 ETH has been suspended due to potential fraud. You are directed to call a provided toll free number to secure your account and validate the transaction. Warning Flag - the phone number was provided in the text, not through a known website or mobile application. The phone number provided is not the official phone support number for Coinbase.
4:36pm – You call the toll free number that was texted to you and are quickly connected to a calm and professional “help desk” representative who speaks to you flawlessly in your native language. Of course, you are still suspicious but the representative quickly and calmly talks you through a series of “fraudulent” transactions similar to the one noted in the text message. You quickly deny making them and you are assured that your account is safe - the “help desk” representative is here to help you. Warning Flag - the caller is only echoing information already stated in the original text message.
Setting the Hook
4:37pm – The “help desk” representative asks to confirm some of your customer information and proceeds to review your address, phone number(s), Social Security Number (if applicable), and in some cases may even review some of your balance information. Everything is correct. Even the balance information sounds about right. Warning Flag - in many cases, fraudsters will already have the sensitive details of a victim available when they call. There have been so many data breaches, your sensitive information may already be available online. Check your potential exposure here.
4:38pm – The “help desk” lets you know that your account is now frozen and to do a recovery they need you to connect to a website. They explain that shortly you will receive an email from Coinbase with a security code that you can use to enable your account recovery. Within a few seconds of being told that, you receive an email from help@coinbase.com that does exactly what the “help desk” agent says. It contains a security code. Warning Flag - many institutions will create a valid ticket number and even send valid security codes to validate a support request. In cases like this, the fraudsters themselves are requesting those codes on the victim’s behalf, using the sensitive information the fraudsters already have.
Account Takeover
4:39pm – Immediately after receiving the email from help@coinbase.com the “help desk” agent sends you another text which directs you to a website such as: httxxx://www.accountrecovery-coinbase.com. There you are prompted to enter the security code you just received from help@coinbase.com, which you do. Warning Flag - these links will appear to be a valid web address, but closer scrutiny will reveal that it is not a .coinbase.com address. Instead it is a <something_official_sounding>-coinbase.com or something similar. If the link isn’t a .coinbase.com address, it’s likely a phishing website.
4:40pm – You are immediately redirected to another very convincing looking website to “secure your account”. There you are walked through providing a high degree of authentication. The website walks you through the process of taking photos of your government-issued IDs and uploading them. You are instructed to take selfies with your phone / webcam and upload those as well. The “help desk” agent may remain on the line with you through this process and ask for additional information or documents. In extreme cases they may even offer to install software on your computer to assist you in the process. Warning Flag - Think carefully before you upload any sensitive information to any website or other file transfer service. If you are asked to upload files to a website provided via a text message, or via an email or direct phone call - STOP. Hang up, and use the official website or mobile app to contact support. Coinbase or any other legitimate financial institution will never offer to “assist” you by installing software on your computer.
4:50pm – You are told that your account is now safe but that for security reasons you will be unable to log in for 48-72 hours. You are instructed to ignore any further emails or text messages as they are certainly from the fraudsters who may be attempting to regain access to your account.
4:51pm – Over the next several minutes / hours / days, the attacker will use the stolen information to gain as much access as possible to your online accounts and will try to steal your hard earned assets.
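The domain check from the 4:39pm warning flag can be automated, for example in a mail or SMS filter. The following is an added example, not code from Coinbase: the function names are assumptions made for illustration, and every sample link except the one quoted above is constructed. It treats a link as official only when its real host is coinbase.com or ends in .coinbase.com, and also catches two related tricks, the brand used as a subdomain of another domain and the brand placed before an "@".

```python
import re
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "coinbase.com"  # the domain the post says real links end in


def hostname_of(link: str) -> str:
    """Return the lower-cased host a link really points at."""
    link = link.strip().replace("[.]", ".")  # undo "[.]" defanging
    # Drop any scheme, including defanged ones such as httxxx:// or hxxp://.
    rest = re.sub(r"^[A-Za-z][A-Za-z0-9+.\-]*://", "", link)
    # urlsplit separates userinfo ("user@") and the port from the host itself.
    host = urlsplit("//" + rest).hostname or ""
    return host.rstrip(".").lower()


def classify(link: str, domain: str = OFFICIAL_DOMAIN) -> str:
    """Return 'official', 'lookalike' (brand outside the real domain) or 'unrelated'."""
    host = hostname_of(link)
    # Compare whole DNS labels: the host is the domain or ends in ".<domain>".
    if host == domain or host.endswith("." + domain):
        return "official"
    brand = domain.split(".")[0]
    if brand in link.lower():
        return "lookalike"
    return "unrelated"


# The first link is the one quoted in the post; the rest are constructed samples.
SAMPLES = [
    "httxxx://www.accountrecovery-coinbase.com",
    "https://www.coinbase.com/signin",
    "https://coinbase.com.account-check.example/login",
    "https://coinbase.com@login.example/verify",
    "https://example.org/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(sample):10} {hostname_of(sample):40} {sample}")
```

A plain substring or "ends with coinbase.com" test would accept the link from the post, which is why the comparison is made on the dot-separated suffix of the parsed host.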
How can users prevent these attacks?
A few simple steps can make anyone a much more challenging target for a fraudster. A few key points to consider:
Never speak with an individual who reaches out to you about any matter related to your financial services provider. Hang up the phone and contact support through the financial institution’s website or mobile application.
Your email address is an important aspect of your online security. Always enable strong multi-factor authentication (MFA) for your email accounts.
Consider using a unique email address that you don’t use for anything else for your important financial institutions.
Enable the strongest possible authentication level for your financial accounts. We highly recommend using hardware-based two-factor authentication (e.g. a Yubikey) if possible.
Always assume that your personal information is available to a fraudster. You can check your exposure yourself on https://haveibeenpwned.com/
Here are some other security tips to keep your accounts and devices secure. Stay safe!!