Crypto phishing attacks declined somewhat last month, but they became far more costly, with thousands of victims collectively losing $66 million.
In August, roughly 9,145 victims incurred total losses more than 215% higher than in the previous month, according to cybersecurity company Scam Sniffer. However, this figure was inflated by a single attack in which one crypto holder lost $55 million.
In crypto phishing attacks, criminals send fake links accompanied by seemingly legitimate requests. Their objective is to manipulate victims into divulging sensitive financial information like crypto wallet private keys.
“Javelin observed marked increases in crypto fraud and scams in 2023, demonstrating that consumers are not socialized enough to the risks involved with crypto investing and crypto exchanges are missing critical account safeguards to prevent and detect fraudulent activity within their space,” said Suzanne Sando, Senior Fraud and Security Analyst at Javelin Strategy & Research. “The anonymous nature of crypto is what draws many consumers to the space in the first place–you can conduct business without revealing too much personal information. But it also makes tracking and investigation of crypto-related crimes incredibly difficult.”
Not an Outlier
Though that single incident may have inflated August’s numbers, it is not the first time that cybercriminals have stolen millions through crypto phishing. In May, a victim sent $71 million in ether tokens to a fraudulent account. The stolen funds were later returned, likely because the criminal feared being arrested.
Last month, a crypto user sent $55 million in Dai stablecoins to a phishing address cybercriminals provided. The victim tried to reverse the transaction shortly after, but the ownership of the stablecoins had already changed hands.
Address Poisoning
The attack was part of the growing trend of “address poisoning” scams. Criminals will send a small amount of crypto to a wallet that resembles the target’s address to make it part of the wallet’s transaction history. The goal is to trick the victim into copying the fraudulent address and sending funds to the criminals.
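A pre-send check for the address-poisoning pattern described above, as an added example that is not part of the original article: it compares a destination against the user's own address book and flags any address that matches a trusted one only on its leading and trailing characters. The four-character comparison window, the address-book model and every address shown are assumptions; the addresses are constructed sample data.

```python
# Added example: pre-send check against address-poisoning lookalikes.
# All addresses below are constructed sample data, not real wallets.

def _norm(addr: str) -> str:
    """Lower-case and strip the 0x prefix so comparisons ignore checksum casing."""
    a = addr.strip().lower()
    return a[2:] if a.startswith("0x") else a

def lookalike_of(candidate, trusted, head=4, tail=4):
    """Return trusted addresses that `candidate` imitates: same first `head`
    and last `tail` hex characters, but not the same address."""
    c = _norm(candidate)
    hits = []
    for t in trusted:
        n = _norm(t)
        if c != n and c[:head] == n[:head] and c[-tail:] == n[-tail:]:
            hits.append(t)
    return hits

def check_destination(dest, trusted, history):
    """Classify a destination before a transfer is signed.
    'trusted'  : exact match with the address book
    'poisoned' : imitates a trusted address (a shortened display would match)
    'unknown'  : neither; verify through a separate channel
    Also returns the history entries that imitate trusted addresses."""
    trusted_norm = {_norm(t) for t in trusted}
    suspicious_history = [h for h in history if lookalike_of(h, trusted)]
    if _norm(dest) in trusted_norm:
        verdict = "trusted"
    elif lookalike_of(dest, trusted):
        verdict = "poisoned"
    else:
        verdict = "unknown"
    return verdict, suspicious_history

# Constructed sample data (assumed 40-hex-character, 0x-prefixed addresses)
TRUSTED = ["0xD9A1c3f2" + "11" * 12 + "5e7a91b7"]
LOOKALIKE = "0xd9a1" + "ab" * 16 + "91b7"   # same first/last 4 characters only
UNRELATED = "0x" + "7c" * 20
HISTORY = [TRUSTED[0], LOOKALIKE, UNRELATED]

if __name__ == "__main__":
    for dest in (TRUSTED[0], LOOKALIKE, UNRELATED):
        print(dest, check_destination(dest, TRUSTED, HISTORY))
```

The comparison is on the full address, so a destination copied from transaction history is accepted only when every character matches an address-book entry.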
Cybercriminals are increasingly shifting their methods toward social engineering tactics designed to manipulate users into transferring money. They have the technology to make their attempts look legitimate, and they will use any avenue that is available.
After the CrowdStrike software update caused a recent global internet outage, criminals posed as the company and sent users phishing messages that installed malicious software on the targets’ computers.
Cybercriminals also commonly pose as brands like Microsoft and Best Buy to get users to click on links they normally would not. Impersonation scams cost consumers over $208 million in 2023, according to the Federal Trade Commission.