
Security PSA: How to Protect Yourself from Phishing Attacks

TL;DR:

  • Be skeptical of anyone calling you directly and claiming to be from Coinbase. Coinbase does not place unsolicited calls to customers to discuss security concerns or gather information about your account.

  • Always check the links. Attackers create websites, emails or text messages that look the same as Coinbase's to trick you. Keep in mind: Coinbase.com is the only domain Coinbase uses.

  • Follow the best practices outlined in this article to protect yourself.

By Coinbase (Company), March 14, 2023, 3 min read time. Coinbase Blog.

The Coinbase Security team keeps a vigilant eye on new attack trends impacting the safety and security of Coinbase customers. In recent months, we have observed an increase in social engineering and phishing attacks involving technical support and impersonation scams. While these attacks are not due to any vulnerabilities in Coinbase systems and do not leverage any Coinbase customer data, we are committed to educating our users about the trends we are seeing. But before we get started, it’s important to reiterate the standard security measures you should always follow.

How to protect yourself…

Below are our top three recommendations for deepening your defenses against this kind of attack, including leveraging some of the tools Coinbase offers to every customer:

  1. Consider upgrading your 2FA settings to take advantage of our most secure offerings. If feasible for your personal situation, use a hardware security key and set it up with your Coinbase account and other online services. Otherwise, Coinbase Security Prompt via the Coinbase mobile app is a great option for 2FA.

  2. Utilize Coinbase account security features such as the Address Allowlist or Coinbase Vault to help prevent crypto theft.

    1. Address Allowlist is excellent for customers who regularly conduct trading and/or send crypto to on-chain addresses.

    2. Coinbase Vault is great for customers who simply hold their investments in their Coinbase account without any regular trading or on-chain activity.

  3. Use a dedicated email address that is only associated with your Coinbase account and no other online accounts. This is a great way to keep your email off the radar of an attacker in the case of another online service’s data being compromised. To see if your current Coinbase email has previously been leaked, check haveibeenpwned.com.

Now that we’ve covered that, here’s how attackers try to compromise accounts.

Step 1: The phone call…

The phishing scams usually begin with a phone call in which an attacker impersonates a Coinbase employee who wants to help you with an urgent security issue on your account. This is their ploy to convince unsuspecting victims to disclose personal information. Never disclose information to an unexpected caller claiming to be from Coinbase. Coinbase does not place unsolicited calls to customers to discuss security settings or gather information about your account. If you do receive a phone call like this, simply hang up the phone and call Coinbase Support at 888-908-7930 to report the incident. We will help you make sure your account stays safe and secure!

Step 2: The phish…

The attacker, still impersonating a customer support representative, will tell you they are sending you a text message containing an important link, or they may verbally ask you to visit a site where you need to enter vital information to cancel a transaction or avoid an account restriction. These are phishing links and will harvest your information. In the screenshot below, you’ll see an example phishing text that was reported by one of our customers.

[Screenshot: example phishing text message reported by a customer]

If you were to click this link, you’d be taken to a fake Coinbase password reset page where the attacker is trying to get you to disclose your existing password. Do not do this under any circumstances. Below is an example of a fake password reset page recently used by an attacker compared to the legitimate Coinbase password reset page, which does not ask you for your old password.

[Screenshot: fake password reset page used by an attacker, compared to the legitimate Coinbase password reset page]

Next, the attacker will try to convince you that your account’s two-factor authentication (2FA) method was changed and that you need to verify a 2FA code to secure your account. This is the attacker’s second step in compromising your Coinbase account. Below is an example of a fake 2FA page recently used by an attacker.

[Screenshot: fake 2FA verification page used by an attacker]

Once the attacker has successfully stolen a 2FA code, they’ll then ask you to copy and paste the hyperlink from your new device confirmation email into the web page. This is the third and final step in the process of compromising access to your account. Never copy and paste the device confirmation link into any webpage; Coinbase will never ask you to do this! Below is an example of a fake device confirmation page used by a real attacker.

[Screenshot: fake device confirmation page used by an attacker]

Furthermore, in many cases the attacker will also ask you to complete an identity verification by uploading a copy of your photo ID and a selfie to prove you are the legitimate account holder. These files can later be used against you to help an attacker gain access to various accounts and impersonate your identity. Be wary of uploading your identity documents to any website unless you are 100% certain you are on the correct webpage. Below is an example of a fake ID upload page used by a real-life attacker.

[Screenshot: fake ID upload page used by an attacker]

Now that you have an inside look at exactly how attackers phish login credentials and identity documents, these are the three primary red flags to look out for:

  1. Any SMS message or request, claiming to be from Coinbase, asking you to visit any website other than Coinbase.com is fraudulent; never trust any domain other than Coinbase.com.

  2. A request to copy and paste a new device confirmation link into a webpage.

  3. Any request to upload identity documents and/or a selfie to any website other than Coinbase.com.
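As an added example (not part of Coinbase's post or any Coinbase tooling), the "check the links" advice from the TL;DR and red flag 1 above can be turned into a small triage script: it pulls every URL-looking token out of a text message, normalises the host (user-info, port, trailing dot and Unicode labels are stripped or converted), and flags anything that is not coinbase.com or a subdomain of it. The sample SMS text, the `.example` domains and the function names are all constructed for this example.

```python
"""Flag links in a message whose host is not coinbase.com (or a subdomain).

Added example: the rule "only Coinbase.com is legitimate" applied to URLs the
way a phishing-triage tool would, so that lookalikes such as
coinbase.com.other-host.example or https://coinbase.com@other-host.example
are reported rather than mistaken for the real domain.
"""
import re
from urllib.parse import urlsplit

LEGITIMATE_DOMAIN = "coinbase.com"

# Two shapes of link: an explicit http(s):// or www. URL, or a bare host with
# an optional path. The explicit form is tried first so that a whole token
# like https://coinbase.com@other-host.example is captured in one piece.
URL_RE = re.compile(
    r"(?i)"
    r"(?:https?://|www\.)[^\s<>\"']+"
    r"|\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b(?:/[^\s<>\"']*)?"
)

# Constructed sample of the kind of SMS the post describes (not a real message).
SAMPLE_SMS = (
    "Coinbase: A withdrawal of 0.5 BTC was requested from your account. "
    "If this wasn't you, cancel it now at "
    "https://coinbase.com.account-verify.example/cancel"
)


def normalised_host(url: str) -> str:
    """Return the lower-cased host of a URL with user-info, port and trailing
    dot removed, and any Unicode label converted to its xn-- (IDNA) form so a
    homoglyph domain can never compare equal to the ASCII coinbase.com."""
    if not re.match(r"(?i)^https?://", url):
        url = "http://" + url  # urlsplit only finds the host when a scheme is present
    try:
        host = (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:  # malformed netloc (e.g. broken IPv6 brackets)
        return ""
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host


def is_legitimate_host(host: str) -> bool:
    """True only for coinbase.com itself or a label ending in .coinbase.com.
    coinbase.com.other.example and evilcoinbase.com both fail this test."""
    return host == LEGITIMATE_DOMAIN or host.endswith("." + LEGITIMATE_DOMAIN)


def triage_message(text: str) -> list[tuple[str, str, bool]]:
    """Return (url, normalised_host, legitimate) for every link in the text."""
    findings = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:!?)")  # drop sentence punctuation glued to a URL
        host = normalised_host(url)
        findings.append((url, host, is_legitimate_host(host)))
    return findings


def message_is_suspicious(text: str) -> bool:
    """A message is suspicious if any link points outside coinbase.com."""
    return any(not ok for _, _, ok in triage_message(text))


if __name__ == "__main__":
    for url, host, ok in triage_message(SAMPLE_SMS):
        print(("ok      " if ok else "SUSPECT ") + host + "  <- " + url)
```

The host comparison is deliberately an exact-domain-or-subdomain check rather than a substring search: a substring match on "coinbase.com" is exactly what the lookalike domains in the post's screenshots are designed to pass.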

By staying aware of attack trends like the one described in this PSA and adopting these methods to improve your Coinbase account security, you will greatly reduce the chances of success of even sophisticated phishing attacks.
