Ever since the dawn of the internet, there has been a type of malicious activity almost immune to technological advancement in cybersecurity ― social engineering. Nowadays, the target of these practices can be even you and your cryptocurrencies.
Phishing is a type of attack which relies on the fallibility of human judgment and perception. Phishing, the most widespread form of attack, is regularly used to extract sensitive data such as credit card numbers, SSN, passwords, and other confidential information from unknowing users online by letting them submit this information directly to the attacker.
Trust yourdeviceYour internet browser and software wallets are often susceptible to malware and tricks implemented to mislead you or lure out information which should never get online. Your Trezor device, however, stays offline and is isolated from these attempts to misdirect you. The fundamental purpose of your Trezor device is to keep your recovery seed isolated. You should always look at your device for confirmation of all operations, especially when working with your recovery seed. Your computer should never require the use of your seed without the device knowing it.
Moreover, if you ever need to use the recovery seed to access your accounts, the device will always instruct you to enter the words in a shuffled order. We recommend entering the words of your seed directly on the device to maximize the safety of this operation.
There is a variety of phishing techniques which could be used to carry out an attack. In this article, we offer you some basic knowledge and tips on how to protect yourself against these kinds of malicious attempts.
The Impersonation techniqueis one of the fastest to carry out and technologically simplest to implement. The attacker usually impersonates a Customer Service agent or Sales representative and tries to lure sensitive information from an unaware user using emails, phone communication or a spoofed website.
Trezor (SatoshiLabs) representatives will never ever ask for your recovery seed (in any form) or a credit cardnumber.
If you ever have a problem with your device or have some questions about Trezor-related issues, be sure to reach out to us only by submitting a ticket in ourSupport Center.
We do not provide phone call or live technical support. Do not call numbers who claim to be associated with the Trezor Support team.
Many phishing techniques aim to get you to a fraudulent site where all inputs are collected and controlled by the attacker. Similarly to the impersonation techniques, these are also designed to rob you of your private keys.
DNS poisoning technique takes advantage of how the Domain Name System works and sends the visitor off in the wrong direction, making the site appear to be offline or even redirecting users to a server the attacker controls. On the other hand, BGP hijacking is a process of taking control of a group of IP prefixes assigned to a potential victim. Both methods can be identified by an invalid SSL certificate, but users can skip the warning very quickly, leading them to the malicious site. It is, therefore, crucial to be wary of all signs , especially when working with something as important as cryptocurrencies.
The Unicode domain phishing attack, also known as IDN homograph attack, relies on the fact that the affected browsers show Unicode characters used in domain names as ordinary characters, making them virtually impossible to separate from legitimate domains. If an attacker can register a domain that is visually indistinguishable from a legitimate one, he can trick users into trusting the site.
Cybersquatting refers to illegal domain name registration or use. It can have many different forms, but its primary purpose is to steal or misspell a domain name. Cybersquatting can also include advertisers who mimic domain names that are similar to famous, highly trafficked websites.
Never enter your recovery seed online in a straight sequence and never disclose the order of thewords.
So, what is it you should be focusing on to protect yourself against being a victim of a phishingattack?
Trust your device. Look for confirmation on the screen , especially when it involves transactions or your recovery seed. Make sure the URL is exactly: https://wallet.trezor.io (or https://beta-wallet.trezor.io). Although the “Secure” https lock may not be a guarantee of the authenticity of the website, be alarmed if it is missing.
Never give your recovery seed to anyone, not even Trezor Tech Support (nor CEO or anyone else). Carefully observe the website addresses and watch out for any misspellings or odd characters. Bookmark the https://wallet.trezor.io to avoid misspelling it in the address bar of your browser. Use updated security software, install security patches and updates as they are made available. Avoid clicking on links in an email or social media unless you are absolutely sure that it is authentic. (Hover above the links to see the URL before clicking on it and then enter the URL by yourself.). Pay particularly close attention to shortened links, especially on social media. Be vigilant. Do some research first before you decide to trust a third-party service with your sensitive information (even your XPUB). About Us
Trezor Model T is the next-generation hardware wallet, designed with experiences of the original Trezor in mind, combined with a modern and intuitive interface for improved user experience and security. It features a touchscreen, faster processor, and advanced coin support, as well as all the features of the Trezor One.
Trezor One is the most trusted and ubiquitous hardware wallet in the world. It offers unmatched security for cryptocurrencies, password management, Second Factor, while maintaining an absolute ease-of-use, whether you are a security expert or a brand new user.
SatoshiLabs is the innovator behind some of the most pivotal and influential projects with Bitcoin and cryptocurrencies, mainly Trezor , the world’s first cryptocurrency hardware wallet, or
