How to Stay Away From Hardware Wallet Phishing Attack

Key Takeaways

  • Always use the official channels of any crypto company.
  • Ensure that your 24-word recovery phrase is safe and completely private.
  • If you receive a message from someone promising to send you a lot of cryptos if you send them a small amount first, it is likely a phishing attack. 
  • Your recovery phrase can be safely stored on a piece of paper or you can memorize it. 

With the recent phishing attack on some hardware wallets, it is important to seek a way to prevent hardware wallet phishing attacks. In the case of BC Vault, some malicious attackers created a fake BC Vault application on the Apple store. However, within a few hours of the malicious app launch, the BC Vault team notified the community of the dangers of using such application. In response to the phishing attack, Alen Salamun, the CTO of BC Vault said to the community;

“WARNING; A fake BCVault application is available on the Apple Store for iPhone/iPad” He went further to say; THIS IS NOT FROM BC VAULT.

He warned; “NEVER EVER EXPORT PRIVATE KEYS BESIDE FOR YOUR OWN USE (IF YOU KNOW WHAT YOU ARE DOING)”

Similarly, DIMA, the COO of BC Vault tweeted; “Noticed a first phishing attempt on @bc_vault : a fake app in apple app store. Don’t trust any 3rd party apps that would compromise your cold wallet!”

 Also, some Trezor customers received fake communications about their Trezor hardware wallets. The attackers used data from a competitor to locate customers that own a Trezor.

All the aforementioned cases had necessitated that we put together this post to guide you on how to protect your hardware wallet from phishing attacks. Before we go ahead with these tips to help you prevent phishing attacks, let us look into how the attack works.

How Does A Phishing Attack Work?

In the case of the BC Vault hardware wallet phishing attack, the malicious actors cloned the BC Vault application. That way, unsuspecting customers will make the mistake of sharing their private keys on such apps. Once that is done, the hackers will gain access to their wallets and can move their coins or funds to an address they own. The cloned app is available on the Apple store for iPhones or iPads. 

In the second case of the Trezor, the attackers may have purchased the customer’s data from a dark marketer. This allows them to send malicious links or emails to the contacts of the customers found on the data. Customers are asked for their recovery seed, thus completely leaving their coins unprotected. Immediately a user enters his or her recovery seed on the fake webpage, the malicious attacker clones their wallet and pulls out the funds to an address that they own. 

Now that we have had a good understanding of how phishing attacks work, let us look into the ways to prevent the attack.

Tips To Prevent Hardware Wallet Phishing Attack

DIMA and Alen of BC Vault in their response has summarized how to stay off hardware wallet phishing attack. Concurrently, let’s go through their summarized advice in details.

Be sure about the source

One of the best ways to stop phishing attacks on your hardware crypto wallet is to always be careful. When you see updates about the application, like the case of BC Vault, always verify that it is from the official sources. It is tantamount to “suicide” if you interact with unverified and unofficial third-party sources. Many people fall victim to phishing emails or clicking on links they shouldn’t due to lack of knowledge. 

In July last year, hardware wallet Ledger reported a data breach that affected the personal data of many of its customers. Most of these users continued to be the target of phishing attacks. A good number of these users reported that they received “convincing-looking” emails telling them to download the latest version of the Ledger software. However, most of the users were able to spot the scam and didn’t fall victim to it. The bottom line is to always be on the watch out for suspecting acts like the fake BC Vault application on Apple Store. 

Always Ascertain the Authenticity of the Software Updates 

One of the most used tricks of phishing attackers is to clone the original application, just like BC Vault. Some time ago, an Electrum user reported that he lost almost $15 million due to a phishing scam. The loss was a result of the user entering his private data on a malicious website. 

Most times people download fake wallet updates which transfer malware to the victim’s devices. Once such victim accesses their wallets, the malicious updates will liquidate their funds to an address owned by the scammers. Today, you can run a simple Google search to confirm whether a hacker is targeting any particular user. 

Anti-phishing records are there for everyone to see

Some companies are working round-the-clock to see that you and I do not become a victim of these phishing attacks. In September 2020, a privacy-based browser (Brave) announced that it would include anti-phishing solutions from cybersecurity firm PhisFort. If hardware wallet firms like BC Vault can implement such solutions, it will help to mitigate these nefarious attacks.

Always share your encounter with the crypto community

If you ever fall victim to a phishing attack or you successfully thwart it, you can always share your experience. This is a way of letting others avoid the mistake as you. You can share your encounter on Twitter, Reddit, your blog, or send an email to a crypto news outlet. Tell your story so that other users don’t walk through the same painful route as you. 

Always guard your recovery phase

This is a vital piece of information for any hardware wallet. If anything goes wrong with your device, you can use the “recovery phrase’ to regain access to your crypto assets. Since the recovery phrase is this important, it is the dream of every hacker to have access to it. They have developed a few tricky ways to get it out of you even without you knowing what is happening. Hackers can send a fake wallet application request just like what happened with the fake BC Vault hardware application. 

To prevent your recovery phrase from getting into the wrong hands, always keep them to yourself. Aside from that, ensure they are completely offline. If you don’t share your recovery phrase with anyone, there is practically no way they can have access to your precious crypto assets. 

Conclusion 

Hardware wallet phishing attacks will be ever-present in our society. The onus falls on the customers and hardware wallet firms to seek lasting solutions. Information is key to identifying and preventing such attacks. People got to know about the recent fake BC Vault application on Apple Store because someone alerted the general public. Crypto firms and Hardware wallet companies need to do more in enlightening their users on scammers’ tactics. 

Share