Delete That Text! How to Avoid 'Devastating' Account Takeover Scams
In honor of Fraud Awareness Week, Coinbase security guru Jeff Lunglhofer spoke to Decential about keeping your crypto safe
It starts with a text message. The crypto exchange you use sends a security alert that there was a failed transaction to move crypto out of your account. Was this you? If yes, press one, if no, press two. Terrified you are being ripped off, you press two and get a reply that your funds are safe but you need to call this number to secure your account.
The person on the other end of the phone speaks perfect English and knows almost everything about your account – balance, type of crypto you hold, even your self-custody wallet address. He tells you that while your account is safe for now, someone is trying to get in and you should put your coins in a secure vault product. Sound good? Sure it does, so the guy on the phone sends you a link to install a Coinbase wallet, or a MetaMask wallet, and it seems legit. Over the phone you’re given a seed phrase and the wallet is set up in a few minutes. Then you move your funds, and they are gone forever as the attacker spirits them away.
The above scam is called an account takeover, and it’s all too common in the crypto world. Jeff Lunglhofer, the chief information security officer at Coinbase, walked me through the scenario when we spoke to commemorate Fraud Awareness Week, which, if you didn’t know (I didn’t), is this week. The threat is made possible because attackers use something called a combo list, Lunglhofer said, which contains all types of personal and financial information on people who hold crypto, put together from data stolen in one of the myriad breaches in recent years.
“Honestly, from a Coinbase perspective, the most devastating thing we’ve seen happen over the last 18 to 24 months has been how effectively these threat actor groups are using combo lists,” Lunglhofer said. “They’ve gotten really good at pulling together, effectively, what is a dossier of a target.”
But how can a stranger pretending to be a security member at a crypto exchange know your token balances, wallet addresses and what you own? Hacks at crypto tax services like the one at CoinTracker.Tax in August 2020 reveal all that information. As CoinDesk wrote at the time, “Operated by Kansas City-based Coin Ledger Inc., CryptoTrader.Tax allows users to import trades from 36 cryptocurrency exchanges and auto-generate cryptocurrency income gains and losses in tax reports exportable to TurboTax, the popular tax preparation software.”
Criminals wielding this amount of detail can make it almost impossible for investors to know that they’re being scammed, Lunglhofer said.
“I can be a fraudster calling you and I know your name, date of birth, social security number, every address you’ve ever lived at, your Coinbase or your crypto account holdings, what your balances are,” he said. “I have all this information that makes it incredibly easy for an attacker to establish fake bona fides as a security rep of a bank or a crypto exchange.”
Stolen funds in the crypto space amounted to $1.7 billion in 2023, a 54 percent decrease from the previous year, according to blockchain forensics firm Chainalysis. Lunglhofer said Coinbase is seeing the same trend, as they’ve succeeded in preventing more takeover scams this year. This type of fraud fell 24 percent in the third quarter this year compared with the same quarter in 2023, according to Coinbase. They've also seen a 41 percent drop in the average amount stolen in account takeover fraud over the same period, the exchange said.
And it’s not just in crypto, Lunglhofer was keen to point out. This type of crime also happens to bank customers or investors who trade on the New York Stock Exchange.
“It doesn’t matter” where investors are trading, he said. “They’re going where the money is, because that’s what these guys do.”
So how can you protect yourself from someone who has your entire financial history at their fingertips?
“If a company calls you, and wants to talk about money or security, hang up the phone!” Lunglhofer said. He advises people to then go to their web browser and type in the name of the exchange or bank that called them. Why? Because thieves have filled Google search results with fake customer support phone numbers and you could end up calling the same people who are trying to steal from you, Lunglhofer said. So instead, type in the address and find the customer support line given on the company’s web site.
“If everybody followed that guidance I bet you we would cut fraud losses by maybe 80 to 90 percent,” he said.
Combo lists are so devastating because they draw on data stolen in the seemingly never-ending data breaches in recent years. In April, the background-check service National Public Data was hacked, resulting in an estimated 2.9 billion records being stolen, including SSNs and emails, which the hacker was offering for sale online for $3.5 million, according to Wired. If you’re not too traumatized by this point, you can check if your email has been released at the site Have I Been Pwned?
As Lunglhofer noted, account takeover scams affect all forms of finance, not just crypto. In fact, Chainalysis has reported for several years now that less than 1 percent of crypto transactions are illicit. That compares with about 2 percent to 5 percent of global gross domestic product that’s estimated to be laundered in the traditional financial world every year, Lunglhofer said. In dollar terms, that’s $800 billion to $2 trillion annually.
The best defense against getting ripped off, Lunglhofer said, is to continuously educate yourself about the technology you’re using. If that happens to be a crypto wallet, it’s important to know that a wallet is nothing more than a piece of key-management software, he said. A user could have their wallet on an iPad that’s turned off and locked in a safe and yet if that user has given someone their 24-word seed phrase they have lost control of their assets.
“I’m not knocking self custody at all,” he said, “but if you don’t really understand it, don’t do it. Let a trusted exchange custody those assets for you. I’m serious, and that’s not self-serving of me, I’m honestly trying to save people heartache and loss.”
With Bitcoin at new all-time highs and just a few thousand short of $100,000, a whole new flood of retail investors will be entering the crypto market. Making sure those new investors, and everyone in the space, understand how wallets, key management and seed phrase security work is imperative. But that’s not always the case, as Lunglhofer knows all too well.
“They literally think, the Bitcoin is in the wallet, it’s on the phone, physically in the safe [and turned] off, so no one can ever steal it. And that’s wrong. And there are so many people who have that exact misconception about what self custody really is,” he said. “If you want to be your own bank there’s an enormous amount of responsibility.”
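The point that a wallet is only key-management software, as an added example (not from the article or from Coinbase): it assumes the public BIP-39 and BIP-32 standards, which the article does not name, as the scheme behind a typical seed-phrase wallet. The root key is computed from the words alone, so the powered-off device in the safe and any other machine given the phrase arrive at the same key. The phrase is the published BIP-39 test phrase and the function names are illustrative.

```python
import hashlib
import hmac
import unicodedata

# Order of the secp256k1 curve; BIP-32 rejects master keys outside 1..N-1.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Constructed sample: the published BIP-39 test phrase. Never fund it.
SAMPLE_PHRASE = " ".join(["abandon"] * 11 + ["about"])


def bip39_seed(phrase, passphrase=""):
    """BIP-39 seed: PBKDF2-HMAC-SHA512 over the words, 2048 rounds, 64 bytes."""
    words = unicodedata.normalize("NFKD", " ".join(phrase.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"),
                               salt.encode("utf-8"), 2048, dklen=64)


def bip32_master(seed):
    """BIP-32 root: HMAC-SHA512 keyed with b'Bitcoin seed' -> (private key, chain code)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key, chain_code = digest[:32], digest[32:]
    if not 0 < int.from_bytes(key, "big") < SECP256K1_N:
        raise ValueError("seed yields an invalid master key")
    return key, chain_code


def wallet_root(phrase, passphrase=""):
    # Wordlist and checksum validation are omitted: only the derivation is shown.
    return bip32_master(bip39_seed(phrase, passphrase))


def controls_same_funds(phrase_a, phrase_b):
    """True when both phrases lead to the same root private key."""
    return hmac.compare_digest(wallet_root(phrase_a)[0], wallet_root(phrase_b)[0])


if __name__ == "__main__":
    device_in_safe = wallet_root(SAMPLE_PHRASE)      # owner's powered-off tablet
    anyone_told_phrase = wallet_root(SAMPLE_PHRASE)  # a different machine entirely
    print("same root key:", device_in_safe == anyone_told_phrase)
    print("root key:", device_in_safe[0].hex())
```

The same reasoning covers a phrase dictated over the phone: whoever supplied the words already holds the wallet they produce.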