We Need To Talk About Phishing

When I was growing up, my parents always reminded me, "Never talk to strangers". I must have heard that bit of advice from just about every adult in my life at one point in time or another. Back then I'm sure no one imagined that about 90% of the people we interact with online in the crypto space would be effectively digital strangers.

The modern-day equivalent of "Never talk to strangers" in the crypto space is "Never sign contracts from unverified sources... especially if it originates from an email." It's not quite as catchy, so maybe just "Don't digitally sign what you can't verify". We'll work on the slogan.

According to several sources, 254 NFTs were stolen yesterday from a set of OpenSea users, and you can find at least one description of the incident here.

The leading theory I've come across is that the users were tricked into signing a fake contract regarding the OpenSea migration via a phishing email, and that contract gave the adversaries permission to transfer their NFTs. I'm not going to go into the details, because I don't have them all. Instead, let's talk about phishing, because it's still the number one way that I see users getting compromised in a lot of different industries.

Phishing isn't just a Gen X problem.

In the Guild of Guardians community you're probably used to the Discord direct message scam, where someone masquerades as Guild of Guardians and promises you rewards in return for going to their site or sending them crypto.  It's kinda like the digital equivalent of the white van with the creepy dude offering kids candy.

Somewhere in between creepy dudes in vans and Discord scammers are phishing emails, and here are some important tips on how to keep yourself safe from them.

Whenever you read an email where you might have to take some action, like clicking on a link to go somewhere, consider the following:
  • Do you recognize the sender?  Not just the display name, but the email address under it.
  • Were you expecting this email?
  • Is there some urgency to the email?  Like: "Click now or else! Time is running out!"
  • Is the email offering something that is too good to be true?
  • Do you have to click a link?
  • Is there someone you can check with to verify the email's legitimacy?
  • If there is a link, can you validate the authenticity of the URL?

If you receive an email from anyone in the Guild of Guardians community, there are a couple of things you can do on the official Guild of Guardians Discord to help verify if it's legitimate.

You can ask in general if anyone else received a similar message and if someone from the Guild of Guardians team can confirm it's expected. If there is a link in the email, you can compare it to the list of official links in the official_links channel on the official Guild of Guardians Discord. Remember there's often a difference between what the link displays and where it leads to. For example, this link: www.google.com looks like it goes to www.google.com, but it actually redirects to the Guild of Guardians official Discord if you click on it. You can hover over a link and it should display where it will actually take you.

Most important of all: I almost NEVER expect to receive an email from the Guild of Guardians team.  That's what we have Discord for!  However, as it turns out I did actually receive one regarding the grants program... which had a link... and I clicked on it.  Lucky for me it was legitimate.

If you receive an email impersonating Guild of Guardians feel free to send a copy to report@gogscamtracker.com and I'll be sure to pull it apart and write an article on it.  In the meantime, be safe out there, don't take candy from dudes in vans, don't talk to strangers in real life, don't sign contracts you can't verify and don't click on links in emails unless you are 100% sure they are legitimate.  Do report scams to the community so we can help keep each other safe.
