Binance Exchange has invested heavily in the security of its systems and its users’ assets, but just because Binance is a safe place to undertake crypto-related activities does not mean that rogue individuals have stopped perpetrating phishing and scam activities against its users. This guide will show you how to play your part by securing your Binance account from phishing and scams, two of the most prevalent malicious activities in the crypto space.
Introduction
The cryptocurrency space is a highly versatile environment with few regulations governing interaction between individuals, making it ideal for scams to thrive. If you have been in the digital asset space long enough, you must have come across several of these attempts at parting you from your hard-earned digital money.
Everything from pyramid schemes, fake giveaways, and exit scams to ransomware and blackmail, there is not a malicious activity that has not been tried on the blockchain. It is the responsibility of the user to stay vigilant and ensure that their assets are safe.
Even though a lot has been tried before and succeeded, the general community has become wiser, and some of these sneaky malicious attempts that used to work previously are now less effective. That doesn’t stop the bad guys from inventing new ways to defraud unsuspecting victims.
The good news is that most scams are related and often follow a similar pattern which means that if you learn how to identify them, you might save yourself the agony of losing your assets.
In this guide, you will learn of the most common phishing and scamming plots, how they are executed and how to identify them. Learning about them isn’t good enough; you also need to know how to protect yourself by securing your accounts. Some exchanges, such as Binance, provide the necessary security tools to do just that, while some, such as decentralized exchanges (DEXes), leave it all up to the user.
You may be able to borrow some security tips from this article to secure your assets when dealing with a DEX, but these strategies are most effective on centralized exchanges.
Before we dig into the nitty-gritty of Binance account security, let’s first get the definitions out of the way.
Definitions
What is phishing?
Phishing is a cybercrime where perpetrators use social engineering techniques such as deceptive emails, text messages, and phone calls to steal personal and corporate information. Phishing attacks are usually highly targeted at specific potential victims using highly personalized messages.
This particular crime isn’t unique to the cryptocurrency industry but has existed in the online world since emails became prevalent. Cryptocurrencies make it a lot easier to perpetrate several crimes, including phishing, as the assets have a certain level of anonymity, making them ideal payment methods for illegal payments.
An excellent example of how phishing is perpetrated within the cryptocurrency industry is when a malicious actor impersonates a reputable exchange such as Binance, sends a security update email to potential victims asking them to update their personal information. The email always contains a link to a fake Binance webpage where the victims may input sensitive account information.
Once the perpetrator gets a hold of their victims’ sensitive information, they can impersonate them and steal their assets stored within their accounts. Usually, the attackers have a monetary motive, but sometimes they may cause damage beyond just financial.
What is a scam?
A scam is any fraudulent action or activity designed to take something of value from an unsuspecting victim. Something of value could be anything, including money or digital assets such as cryptocurrencies.
An example of a typical cryptocurrency scam is the ‘celebrity giveaway promotion’ whereby an attacker impersonates a famous individual such as Elon Musk through their Twitter account or fake YouTube videos. They say that they will send back double the amount someone will send to a provided cryptocurrency address.
Often, the scammers create brand new social media profiles just to perpetrate the crime, but in rare instances, they can hack into the official accounts and post scam messages to the account’s followers. The impersonation is often so uncanny that it is hard to differentiate between fake and genuine profiles.
As you can tell from the definitions, there is barely much difference between scams and phishing. They are almost the same thing with subtle distinctions.
Types of phishing
Phishing attacks can be classified into several different categories depending on channels and the nature of the attacks. The following list comprises some of the most common types of phishing attacks:
- Email phishing: is the most common type of phishing where an attacker sends a blast email series to a target group of potential victims with a message requiring an urgent response. Typically the target is urged to click through a provided link to update their account information or try and log in to their accounts to check for a security issue. Email phishing comes in several different variations, including spear-phishing, where the perpetrator targets a single individual or company; clone phishing, where the attacker copies and resends a legitimate email to a victim with minor tweaks to the link within the email; and the CEO fraud attack in which the attacker impersonates an individual in authority and sends an instructional email to a junior staff member to perform a specific action.
- DNS spoofing or Pharming: DNS stands for Domain Name System, and it refers to the internet system for assigning IP addresses to computers within the global network. In a DNS spoofing attack, the malicious party will hack the DNS system and switch an IP address to a legitimate website with a fake website. Whenever visitors to the actual website type in the website address in their browser, they are directed to the phony website the attacker uses to harvest their sensitive information such as login details. One example of this attack happened in 2018 when attackers managed to DNS spoof the popular MyEtherWallet website stealing thousands of dollars within a two-hour period in which the attack took place.
- Typosquatting: in this attack, hackers take advantage of common misspellings of popular websites to lure unsuspecting victims onto fake websites where they collect login information from the victims trying to access their accounts.
- Content injection: the phishing attack involves a hacker gaining access to the servers of a popular website through which they edit certain pages on which target victims are required to provide sensitive information such as login pages. Conversely, hackers might attack a popular browser used by their target victim(s), install computer viruses that serve malicious scripts to collect sensitive information. These computer viruses can also serve malvertising campaigns and other malware to the victims’ computers.
- Reverse technical support: a highly sophisticated social engineering attack in which an attacker impersonates a legitimate service user trying to get help through customer support. The attacker usually makes highly technical requests to the staff, and whenever the customer support staff is unable to fulfill the request, the attacker offers to ‘help’ them by requesting remote access to the staffer’s computer.
- Social media impersonation: this is a common phishing attack that is usually perpetrated on popular social media platforms, including on Twitter, Facebook, Telegram groups, WhatsApp groups, and Discord servers. Typically, the attacker who poses as a customer support agent will respond to questions from users (or new community members), asking them to perform specific actions such as providing PII information, clicking on links, sending cryptocurrency to external addresses, etc.
Common cryptocurrency scams
As we have described above, a scammer aims to get something of value from someone else fraudulently. It could be personal credentials, fiat money, or cryptocurrencies. Whatever it is, if it is acquired fraudulently, that is considered scamming.
Here are some of the more common scams perpetrated on the cryptocurrency industry:
- Fake exchanges: it is common to come across companies that have been created to offer crypto trading services only for the founders to disappear with their users’ assets. An example of this scam is the infamous QuadrigaCX, one of the largest cryptocurrency exchanges in Canada that became insolvent overnight after its founder – the sole holder of the exchange’s cold wallet keys – allegedly died on a trip to India.
- Fake giveaways: this type of scam is especially predominant on social media sites such as Twitter. The fraud is commonly perpetrated by a scammer who promises to give away double the amount a victim sends to a given address. To make the hustle more ‘legitimate’, the scammers impersonate the account of a famous individual or company such as Binance.
- Fake ICO projects: ICOs were common pre-2019 when new projects sold their vision to prospective investors. The initials represent Initial Coin Offerings, and basically, anyone could launch a whitepaper, pitch the idea to a group or community on the internet, and these investors would send some crypto to the project’s crypto address, funds that could be used to implement the idea. Many of these ICO projects turned out to be scams as their founders would suddenly disappear with investor funds with no recourse.
- Ponzis and pyramid schemes: the two schemes have a similar operational structure whereby the creator convinces investors to recruit new members into the fold with whose investments they use to pay the initial investors as interest. The interest often stops when there are no new members to recruit, and the Ponzi or pyramid scheme unfolds. The founders usually disappear with funds under their control. One example of this in the cryptocurrency field is OneCoin scheme.
How to secure your Binance account from phishing and scams
Now that you have an idea of what to look out for in terms of phishing and scam attempts, let’s focus on protecting your assets kept on the Binance exchange. These techniques are applicable to the vast majority of other exchanges, as well as for securing funds kept offline in cold storage wallets.
- Use strong passwords: the most basic form of security ensures that you avoid easy-to-guess passwords such as birth dates, names or places or people you are related to, etc. Strong passwords include random alphanumeric characters that are hard. Password managers help create these passwords with a few clicks and store the passwords safe for you, so you don’t have to remember a string of extended characters.
- Use second-factor authentication (2FA): Binance supports 2FA security using email, SMS, authentication code generators, and universal 2FA-compatible authenticators such as Yubico’s YubiKey. 2FA introduces the extra layer of verification, ensuring that a hacker has a more challenging time accessing your account.
- Enable anti-phishing code: an anti-phishing code is a string of characters familiar to you that you want Binance to attach to official communication emails it sends to your inbox. The code helps you identify genuine emails from phishing ones. This is a great way to avoid phishing scams.
To set up or manage your anti-phishing code, visit the Binance Security page and navigate the ‘Advanced Security’ section. Under the Anti-Phishing Code tab, click on [Enable] or [Change].
- Manage withdrawal whitelist: a withdrawal whitelist is a pre-approved list of cryptocurrency addresses to which your assets can be withdrawn. Any addition to the whitelist requires a minimum number of days to activate, usually about 48 hours. Expectedly, this is a long enough time to stop any unauthorized withdrawal from your Binance account.
To enable withdrawal whitelist or manage it, follow the following steps:
a. Log in to Binance.
b. Navigate to the ‘Security’ page by hovering over the ‘User Center’ icon on the main navigation, as shown below, then click on the [Security] link.
c. Scroll down to the ‘Advance Security’ > ‘Withdrawal Whitelist’ section on the browser window. This feature is titled ‘Address Management’ on the desktop app, and it is easier to locate as there is no scrolling necessary.
d. To enable it on the website, click on the [Enable] buttons to the right side of the ‘Withdrawal Whitelist’ section, while on the desktop app, you have to toggle a button to switch it on and off.
e. Click on the [Address Management] link just under the ‘Withdrawal whitelist 24hr limit’ subsection on the website interface or [Manage] on the desktop app to add a new withdrawal address.
f. On the ‘Address Management’ page, click either of the two buttons labeled [Add Address] or [Add Multiple Addresses]
5. Manage authorized devices: whenever you access your Binance account, Binance records each device’s activity on the account, and you can track all actions performed using each device. It is recommended that you check which devices are accessing your account from time to time to ensure that all devices on your list are authorized.
To manage your account devices, use the following steps:
a. Log in to Binance.
b. Navigate to the ‘Security’ page (see the previous point for direction.)
c. Click on [Manage] next to the Device Management tab.
d. Under the ‘Action’ column of the Device Management page, you can choose to [Delete] any device you have not authorized to access your account.
6. Stay vigilant: perhaps the most crucial security measure anyone can take when navigating the cryptocurrency space is to stay alert at all times. This technique is especially vital against DNS spoofing, typosquatting, social media impersonation attacks, and other crypto-related scams.
Some attacks become apparent after one has fallen for their deceit, therefore, before taking any consequential action, make sure to step back and reflect. For unverifiable email links, you can, for instance, try to perform the suggested action using an alternative route instead of clicking on the provided link.
Final thoughts
Phishing and scams are two of the most common fraudulent activities perpetrated within the Bitcoin space. It is easy to protect oneself against these acts by adhering to the six security tips mentioned above.
Make sure to always use strong passwords for your cryptocurrency exchange accounts that are hard to guess, and implement 2-factor authentication on your account. Also, enable anti-phishing code and withdrawal address whitelist features for your Binance account, and remember to check which devices have access to your account.
Finally, always remember to stay vigilant when navigating the online space, especially within the blockchain space. Check website addresses to avoid navigating to the wrong website. Double-check emails, especially those asking you to click to update security settings or send funds to obscure crypto addresses.
The platform may aid safety and security, and Binance has done enough to provide class-leading tools to its users. However, ultimately security still lies with the user to ensure that they make the best use of the tools at their disposal.
Disclaimer: The content on this site should not be considered investment advice. Investing is speculative. When investing, your capital is at risk.
Frequently asked Questions
What is phishing?
Phishing is a type of online social engineering attack in which the attacker uses deceptive messaging against their victims, intending to collect valuable and often sensitive information such as account login details or personally identifiable information (PII).
What is the difference between phishing and Bitcoin scams?
Phishing attacks are often perpetrated to collect information about an individual or company, while scams are generally all forms of fraudulent activities, including phishing as a subcategory. With scams, the malicious party may intend to get a wide variety of valuable things from their victims, including cryptocurrency, information about them, and credit card details, among others.
What are the common types of phishing?
The most common forms of phishing within the cryptocurrency industry include email phishing, DNS spoofing or pharming, fake giveaways, fake exchanges, and scam blockchain projects launching through ICOs.
How can we prevent phishing and scam?
Binance provides its users with security tools they can set up to prevent anyone from scamming or falling for phishing attacks. The four tools include 2FA authentication, Anti-Phishing code, withdrawal whitelist, and encouraging the creation of strong passwords. Additionally, always be vigilant while online by watching out for phishing emails, double-checking website addresses, and watching out for social media impersonators.
[binance]