Recently there’s been an influx of phishers and scammers sending out malicious ads and emails.
Users are taking to email and the online forums of these exchanges and wallets to complain about the injustice of their funds being lost or stolen. Often, the loss of funds is not the result of a company’s malpractice but of human error. To reduce human error and protect yourself online, there are several ways to avoid falling victim to these attacks. With the aid of a post by Taylor from MyEtherWallet (a company that has recently been a victim of phishers), we’ve compiled a list of simple ways to help you in your crypto affairs and protect yourself online.
1. Do not accept free ETH
Just like in the real world, no one is handing out free money. If a site offers free Ether for filling out a survey or answering some questions, do not proceed. And if you have proceeded and realized your folly after clicking on the site, this leads to number 2.
2. Clear your history and autofill data
This clears your cache, so the browser will no longer fill in the malicious site’s address when you start typing the correct web address you want to visit.
3. Don’t click exchange or wallet links within emails
Scammers create links that may seem fine and readable, but that link may direct you elsewhere, or download malicious content onto your computer. Instead of clicking on links within emails, click on the correct exchange or wallet address that’s stored in your bookmarks to make sure you’re directed to the correct site. This leads into number 4.
4. Bookmark all of your legitimate cryptocurrency sites
This reduces human error: if you’re ever unsure about a link, you can open the site from your bookmarks and be certain you arrive at the right place, instead of being redirected to a misspelled lookalike of the real site.
5. Do not click on advertisements
Clicking on ads goes against the grain of “being a smart internet user.” Not clicking on ads you’re unsure about has been common practice since the dawn of the internet and should continue to be practiced.
6. Install an ad blocker that turns off Google and other search engine site ads
Ad blockers allow customization. If you don’t want any ads at all, adjust the settings so that “non-intrusive advertising” is not allowed. Some ad blockers also let you whitelist specific domains such as Reddit.
7. Diligently check your domain names
If you’re sitting there thinking to yourself, “Hey, that ‘o’ kind of looks like a zero…”, stop. Do not let your browser take you there and do not click on that link. Reread and practice number 4 on this list.
8. Use different passwords for every account and platform
You should have different passwords for Facebook, Twitter, email, credit cards, bank accounts, etc. If one account is compromised, the attacker in essence has access to every other account that password unlocks.
9. Do not keep your funds on an Exchange
Take them out and put them on a cold storage wallet (offline storage). Think of accessibility. If you can access it online anywhere, and anytime, so can someone else.
10. Enable 2FA
“Two Factor Authentication, also known as 2FA, two-step verification or TFA (as an acronym), is an extra layer of security that is known as ‘multi-factor authentication’ that requires not only a password and username but also something that only, and only, that user has on them, i.e. a piece of information only they should know or have immediately to hand, such as a physical token.”
2FA works differently on every site and exchange, so pay attention and keep all the login information stored offline. It may seem tedious, but this is added security, and when it comes to your funds, no task is too great.
From tayvano of MyEtherWallet on using 2FA for Kraken:
Kraken is a fun one with 2FA and is one of the sites getting hit hardest with phishers right now. So, together, let’s do it correctly. More info.
Login to your Kraken account.
In the upper right click on your name. Then click “Security”.
Change your password right now
In case you were unaware, it’s a good practice to occasionally change your passwords. Oh, and don’t use the same password across multiple sites. Seriously.
Once your password is up to date, click on “Two-Factor Authentication”.
Find “Account Login” and click “Setup”. I prefer Google Authenticator TOTP. Learn more about TOTP/HOTP here.
Go to your Google Auth app. Add a new code -> “scan a barcode”. Scan the QR code that’s displayed on the Kraken site. This will add a line to your app with a name, some numbers, and a little timer that counts down. Enter the numbers into the field on Kraken and then click “Setup”.
Now each time you login to Kraken you will need to open the app on your phone and type in the numbers displayed. This also prevents a phisher, even one with your username and password, from ever getting into your account.
Go back to the Two-Factor page. Set up a method for “Funding”. This requires you to use your 2FA to do any withdrawals or deposits. So even if someone gets into your account, they cannot withdraw or deposit. Note! You need to have a master key password/2FA and your global settings lock TURNED ON in order for the 2FA to do its job!
Go back and add a master key password -or- edit your existing one. Here is what Kraken told me a while back the Master Key is for: “Also I noticed that you have a master key set on your account. This is a good idea, but actually you'll need to enable the global settings lock in order for the master key to do its job. If you check your account regularly, a short time lock, such as 2 or 3 days, should be long enough. Please note that the global settings lock prevents even the Kraken support team from changing your account settings, so be careful. Also, don't set a global settings lock without a master key; you can always use the master to unlock settings so you can do things like add or delete withdrawal/deposit addresses, etc.”
So, the biggest issue with this key is that it is what you will use to lock / unlock your settings and do things like add a new withdrawal address. If it is the same as your Kraken password, the phishers can turn off 2FA and other things. So create one or update the existing one to be DIFFERENT from your standard Kraken password. Seriously. You can also do another Google Authenticator for this, which is recommended.
Now click on your name again and click account settings. At the very bottom, turn the Global Settings Lock “ON”. The longer the time, the safer your account is. I use 3 days as I'm always within feet of my computer. Next time you are on vacation or going to be away from trading for any extended period of time, update the time again to the amount of time you are going to be away for so you don’t have to worry about it.
You may read Taylor’s full reddit post on protecting yourself here.