#Security22 Jan

Keep Your Funds Safe: Tips From Mercuryo Team

Nikolay Korinets

Fraudulent activities involving credit cards has always been a threat to both users and banking institutions. Now on top of that, people have to deal with cryptocurrency fraud.
Our security team has come up with the information you need to know about the most common threats and tips how to protect your funds.

Call from a tech support/security

Whenever someone contacts you with regards to your money, you can and must question his/her intentions and credentials.

Fraudsters are often posing as bank employees, security specialists or tech support of cryptocurrency exchange or wallet. The most sophisticated ones might even recreate the background noise of the working call centre that sounds pretty genuine.

They will notify you that there has been a suspicious card transaction, unauthorised access to your account or ask you to confirm the transaction you’ve never done. This is meant to cause some distress, and it works perfectly because most of the people tend to worry about money.

Next, they would offer to cancel the transaction or to confirm your identity. They might have some information about your account or card details which makes it look fully legit and trustworthy. Then you will be asked to provide the missing information such as SMS code, card CVV, passcode from Google Authenticator. Once you give this data money from your account are gone.

Safety measures:

  • always stay calm and question the information provided;
  • stop incoming call and call your bank, cryptocurrency exchange or wallet using the verified phone numbers on the website;
  • never provide sensitive data such as card details, CVV, SMS 2FA code, even if the person who’s calling already has some of your data.

Fake website

Email and web phishing scams are becoming more and more sophisticated. Phishing via Google Ads and through email is prevalent. If you’re searching for a particular wallet’s website, never look for their web address clicking on Google ads. If you receive emails from your bank, PayPal, crypto exchange, check if the domain is spelt correctly. Most of the users may neglect sligh differences in URL . Once you leave your data on this website the fraudster can use it to gain access to your funds.

Safety measures:

  • always double-check the URL;
  • avoid clicking on GoogleAds that pop up when you search for a particular company;
  • if you received an email that calls you to sing-in, buy or otherwise insert your data make sure you check the senders address before clicking on any links. 9 times out of 10 fake email would have a random sender’s address.
  • if you’re using a web to access your bank account or crypto wallet, ensure that your browsing is encrypted. The website must begin with HTTPS, rather than HTTP and you should see a lock sign next to the URL.

Emails, text messages with viruses or malware

This one looks similar to the fake webpage, but contains another threat to the security of your data. It is different from a phone call, and the fraudster cannot manipulate your emotions in real-time, but the success rate is still high due to a large number of emails sent.

Emails, messages in social networks and Telegram chats might contain viruses or malware, sometimes you activate a malware installation by clicking on a meme, picture or an audio file. Several malicious programs can interfere with a ‘copy and paste’ process when you send crypto to paste a different wallet address that belongs to a hacker.

Safety measures:

  • always verify the email address of the sender, sometimes it might look like a message from someone you know;
  • make sure you use licensed anti-virus software both on your phone and laptop;
  • if you use your phone or laptop for banking or crypto transactions be cautious of any software or apps you install, avoid clicking of the links, opening any files that might look weird;

Fake Apps

This one is mostly applicable to the Android devices owners who do not use 2FA which requires not only user name and password but additional information only known to the user.

There have been multiple cases when hackers posted a fake crypto app in Google Play Store, which allowed them to get access to user data the moment when users signs in.

Meanwhile, iOS devices are more vulnerable to unauthorised cryptocurrency mining. But this causes less harm compared to stealing the addresses and private keys. Mining only slows down your device’s OS.

Safety measures:

  • if you need to download an app go to the verified website of your bank or crypto wallet and seek for AppStore, Google Play icons to make sure you’re downloading the genuine one;
  • be mindful when clicking “Install the app” on Facebook Ads;
  • turn on 2FA.

Browser extensions

Some browsers might offer various extensions for working with cryptocurrency. The thing is these extensions can read everything you type while using the browser including your log in, password, wallet addresses and private key. Also, browser extensions can be used for unauthorised cryptocurrency mining. Most of the extensions are written using JavaScript, which is vulnerable to hackers attacks.

Safety measures:

  • do not download unknown browser extensions;
  • if possible use the different browser that doesn’t support extensions for your financial transactions.

Public Wi-Fi

This has been said many times but still very relevant. Not so many of us know that simple key resetting attack switches router to the hacker’s network without you noticing anything. Which means that all the data transmitted during the session, including private keys, logins and passwords becomes available to the fraudsters.

Security measures:

  • only use secure networks while accessing your wallet. Avoid unprotected public networks in coffee shops, airports and streets even if you have enabled VPN;
  • regularly update the firmware of your router, as manufacturers are continually releasing updates to strengthen the protection against key resetting attacks.

Bots in messengers

There are numerous cryptocurrency trading bots in messengers like Telegram including the malicious ones. Some of us use them to buy/sell cryptocurrency. We won’t go into details about the fees and rates they offer. Criminals can use bots to make user clicks on the link and enters the private key.

Safety measures:

  • if bot notifies you about the problem with your crypto assets, it is a good idea to verify this information with tech support of your cryptocurrency wallet;
  • ignore bot’s activity, think twice before agreeing to some actions or tapping on the buttons and links;
  • notify wallet and exchange admins about any suspicious activity.

Payments and transfers with QR codes

QR code scams become popular in China and India. The codes are easy to generate and hard to tell apart from one another. To most human eyes, they all look the same. At the moment there’s no feature that allows you to verify the recipient once you scanned a QR code with your phone.

Basically, it is the same as when you would enter your login credentials on a fake banking or crypto website. The scammers use various schemes to trick victims into scanning the QR code on their own phone or bank/crypto wallet apps. By doing so, the victims provide the scammers with the login credentials to their financial environment.

Another option is when fraudsters replace QR code with their own and thus direct all the money transfers to their wallet address. Also, malware can be installed on your phone as you scan the unknown QR code.

Safety measures:

  • avoid scanning QR codes outside your bank/crypto wallet official website;
  • do not transfer significant amounts using QR codes.

Interception of text messages

It is a good idea to enable 2FA with Google Authenticator codes. This is much safer than using SMS code for 2FA verification since SMS can be easily intercepted.

Stay safe and remain calm no matter what happens, double-check all the info and remember to report any suspicious activity immidiately.

Please contact us if you have any questions with regards to safety measures.

More articles

#security29 Oct

Myth Busters: Does Crypto Fund Illegal Activities?

#security24 Sep

Monitorance #3

#security16 Sep

Gate In, Gate Out: Crypto Deposits and Withdrawals Security