Tl;dr: A guide to stopping naughty scammers to ensure the holidays stay nice for everyone.
The holidays are a time for giving. In 2022, 39% of charitable donations happened in November and December. Figures from 2021 show that instances of digital fraud were 127% greater during the holiday season than the rest of the year.
With more charities accepting cryptocurrency every year, thanks to the ease, speed, and security of the transaction itself, there is also more opportunity for scammers to take advantage of our seasonal goodwill.
So what can we all do this holiday season to make sure our money goes to the right place to help those in need rather than those trying to take advantage of your giving spirit during a traditionally generous time of year?
Know the classics
It’s worth reminding yourself of the usual games that scammers play because there will be more of them during the holidays. Phishing attacks are when people send an email that looks like it’s from a company you trust to “fish” for information that you don’t mind sharing. They’ll be well-designed and usually include a link for you to click. One way to spot them is to look closely at the email address it came from – is it genuinely owned by the company, or is it close but spelled differently?
Another way scammers can “fish” for information is through email invoice scams, in which you’ll get an email from Square or PayPal with an invoice which looks real but is in fact for fake goods. The invoice can read something like "Your BTC purchase is complete" or "Please complete our BTC purchase." If you follow the link and complete the payment, the scammer gets access to the account you’re using.
Lastly, phishing attacks can also come in the form of text messages pretending to be from a company you know and trust, which will lead to a malicious link that they’re hoping you click.
Keep an eye out for impersonation scams. Has someone you know sent you a message that seems out of context or a little different from their usual language or tone? Look more closely at the sender before you respond. Is it really them, or could they have spoofed your friend’s number or email? Get in touch with them via a different channel (text if they’ve emailed you, or DM them on a social account if they’ve texted, for example) and make sure it’s really them.
At this time of year, we all get so many holiday-themed email attachments. Hopefully, your antivirus software is up to date (if not, it should be!), but even if it is, take a closer look at who is sending the email and what the attachment looks like. As a rule, people don’t tend to send mysterious attachments, and you shouldn’t open them. If it’s a charity sending you a note to ask for donations, go directly to that charity’s official website rather than clicking anything in the email.
Overall, just be a little more vigilant. Check the sender. Avoid links or attachments if you’re not completely sure who they’re from. Be skeptical of unsolicited messages, even at the happiest time of the year.
Run a charity check
If you’re looking to donate to charity, or you find yourself in conversation with someone who may have received a letter or email inviting them to give money, there are resources to check the legitimacy of the nonprofit organization you’re considering.
A good first stop is Charity Navigator, which keeps a database of details and ratings that explain the efficiency and trustworthiness of the organization’s structure, including how much of your donation makes it to the people in need. Another similar resource for learning more about a particular charity is Charity Watch.
As always, be extremely suspicious of unsolicited messages asking you for money, no matter how aligned the charity is with your personal values, or how convincing their marketing material may seem. A few minutes of research will help you catch people trying to take advantage of your goodwill!
Give people the gift of knowledge
Going home for the holidays or hosting people at your house? Perhaps you’ll be spending time with family who aren’t as internet savvy as you or as careful with their passwords or assets.
At some point, there will be a lull in the conversation, and - as you are now an expert in ways to stay safe this season - we’re encouraging YOU to strike up a conversation about how to spot potential online attacks.
It doesn’t have to be forced. Perhaps the post-lunch conversation has shifted onto politics or current affairs. Now is your chance! Point at the half-eaten ham on the table and turn the conversation towards pig butchering. It’s your time to shine!
Also… Give them keys as stocking stuffers
Wondering what to get people as a gift this season? Wonder no more. Two-factor authentication (also known as 2-step verification or 2FA) via SMS and apps is on the rise, and for good reason. Responding to a one-time password or code when you try to log into an account drastically reduces the chance you’ll be hacked. In fact, some kind of additional verification can potentially protect you from the vast majority of hacks, and we were thrilled to see 96% of all users adopt SMS-based codes to log in to Coinbase as of a year ago.
While SMS-based 2FA is extremely strong, it can still be hacked – and phished – if a bad actor is persistent enough (to go as far as cloning your SIM card, for example). The most secure way to protect your device, and the assets you hold on that device, is the physical security key. With a physical key, which plugs into your device’s USB port, anything you choose to be locked remains completely secure until that key is inserted (or held near to the device if it has an NFC chip). There can be no remote hacking, and even if someone steals your device, they’ll still need your key to get in.
There are a ton of inexpensive keys on the market, and they make great stocking stuffers for people who might need more help in protecting themselves online. At Coinbase we use YubiKeys from Yubico, but there are options on the market from Kensington, Google, Thetis, and SoloKey.
Report the scams so the industry can help!
If you’re ever in doubt that a charity actually exists, or you realize someone is trying to scam you, report them immediately to the Federal Trade Commission and the FBI. If the scam is also directly related to one of your apps or accounts, for example, Coinbase, you can easily find resources to let the company know (the page for reporting phishing to Coinbase is here).
So much goes on behind the scenes between the platforms, associations, and government agencies to protect you. The more information we have, the better we can stop these attempts at ruining your holidays before they happen. In fact, we often track scam attempts to specific groups of people and can point significant resources to ensure those groups are shut down for good, and you’re protected from any future attacks.
Hopefully, you now feel prepared to spread these valuable safety tips this season, alongside the usual seasonal cheer. Whoever you are spending the holidays with this year, may you all be safe and secure. Happy Holidays!
Policy,
Feb 4, 2025