The internet can be a scary place. There is malware, spyware, and worst of all scammers — or as we call them in the crypto world, bad actors. These bad actors are everywhere, from forums to chatrooms to websites that they created solely to take your hard-earned digital assets. Luckily, with a few tips and tricks from the ShapeShift team, you can keep your passwords, your personal information, and your crypto safe.

Learn about these scams and phishing attacks in crypto:

  1. Phishing Emails
  2. Twitter Scams
  3. Phishing Websites
  4. SIM Attacks

Phishing Emails

Scammers don’t have to know much about you in order to end up in your inbox. Phishing emails can be deceiving because they often appear to be from a reputable company or even someone you know. If you look closely at your inbox, there will be a few signs that give away a phishing email's malicious intent.


Whenever you receive an email from a company or website that is asking you to confirm something, whether it be your email password, a two-factor code, or other personal information, there are a few things you should ask yourself.

  • Are there grammatical or spelling errors? It’s unlikely that a company has launched an email campaign or set up automatic emails without noticing these types of mistakes. This can be an obvious sign of a phishing attempt.
  • Where did the email come from? The sender’s email address should verify and connect the email to the company. For example, a ShapeShift email will come from mail@shapeshift.com and should never be confused with an email address that might closely resemble that.
  • Have they provided links? Where do these links lead? When creating a hyperlink, scammers can use whatever display text they want. Even if a link looks legitimate, hover over it to see whether the displayed text matches the address it actually points to. If it does not match or the link looks suspicious, it is likely leading you to a phishing website.
  • Are they asking for any personal information? Scammers value personal information above all else, including, but not limited to, bank information, addresses, important dates, social security numbers, and credit card numbers. They may even pretend to be asking security questions to protect your personal accounts! Answers to these types of questions can help them guess passwords or gain access to your accounts. If a company is asking for your personal information via email, always proceed with caution. Or better yet, demand strong authentication before proceeding.

** Never share your crypto private keys via email whether you trust the recipient or not.


Twitter Scams

Unfortunately, there are also scammers on social media. The social platforms that are most targeted by scammers are Twitter and Telegram. There are a few different types of scams that you may run into on Twitter, but the most common types are money-based scams, bot spam, and unsolicited DMs.

Because Twitter is crawling with these bad actors, there are a few things you should consider whenever you interact on the website.

  • Not everyone has good intentions, especially if they’re trying to sell you something. Legitimate businesses most likely will not leave a sales pitch in your DMs. If someone sends a link to your Twitter inbox, it is best that you don’t click it. It’s not worth the risk. Ask for more info or do the research on your own.
  • People will not message you to tell you that you are in a picture or a video. This is one of the most common messages you will run into when someone is trying to scam you on social media. Worst of all, it probably came from one of your friends! That is because your friend fell for the scam and clicked the link, which triggers the DM to be sent to others in their network. Remember: if someone has a video or picture with you in it, they’ll just tag you rather than sending a message.
  • Legitimate brands will advertise on their verified page, not in the comments section. Brands who verify themselves with Twitter earn a little blue checkmark. If they do not have the checkmark, they are not a verified page. Look for the correct company name and spelling in the username that starts with @ to further verify.
  • If it sounds too good to be true, it probably is. Avoid anyone trying to give you money, free followers, or a way to get rich quick. They are likely after your personal information, bitcoin private keys or your credit card information.

ShapeShift will never:

  • Ask you to share your crypto private keys — period.
  • Ask you to send funds to our wallets on social media.
  • Offer to send you free crypto if you send us a smaller amount of crypto.
  • Ask for your personal information on social media, in DMs or by phone.


Phishing Websites

Phishing sites take a lot more work than your everyday Twitter scam, because the scammer has to perfectly replicate a legitimate company’s website. Once they do this, they attempt to gain your trust so they can collect your personal information. In the case of crypto, this can be particularly dangerous.

To keep your information and your assets safe, be sure to check the following items.

  • The URL. Phishing websites will often try to make the URL look suspiciously similar to the website URL they want to replicate. You may see them add accents or use letters that look similar to other letters. For example, if the website has a “w”, the phishing site may use two “v”s back-to-back (“vv”).
  • Your bookmarks. If you are using Google Chrome, bookmark the homepage of every website that you use. Then, when you visit the homepage, the star to the right of the URL should be filled in blue rather than an outline. If not, you stand a chance of getting phished.
  • The webpage appearance. If the appearance looks different than you are accustomed to, be cautious. Websites often go through rebranding efforts, but it is better to be certain! You can even check their social media to see if the new look is consistent across all channels and to check for recent discussions about a rebrand.
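
The URL check above can be approximated in code by reducing a hostname to a comparison form and matching it against the sites you have bookmarked. This is an added example, not ShapeShift's own code; the `TRUSTED` list and the small substitution table are assumptions chosen for illustration and are not a complete list of confusable characters.

```python
import unicodedata

TRUSTED = {"shapeshift.com", "twitter.com"}  # hypothetical bookmark list

# Illustrative look-alike substitutions, including the article's "vv" for "w".
LOOKALIKES = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l")]

def decode_label(label):
    """Turn a punycode label (xn--...) back into the characters a browser may display."""
    try:
        return label.encode("ascii").decode("idna") if label.startswith("xn--") else label
    except UnicodeError:
        return label

def skeleton(host):
    """Reduce a hostname to a form that ignores accents and common look-alike tricks."""
    host = ".".join(decode_label(l) for l in host.strip().rstrip(".").lower().split("."))
    # Decompose accented letters, then drop the combining accent marks.
    host = "".join(c for c in unicodedata.normalize("NFKD", host)
                   if not unicodedata.combining(c))
    for fake, real in LOOKALIKES:
        host = host.replace(fake, real)
    return host

def classify(host):
    """Return 'trusted', 'lookalike of <site>', 'non-ascii' or 'unknown'."""
    plain = host.strip().rstrip(".").lower()
    if plain in TRUSTED:
        return "trusted"
    reduced = skeleton(plain)
    by_skeleton = {skeleton(t): t for t in TRUSTED}
    if reduced in by_skeleton:
        return f"lookalike of {by_skeleton[reduced]}"
    # Letters from other alphabets survive accent stripping; flag them for review.
    return "unknown" if reduced.isascii() else "non-ascii"

if __name__ == "__main__":
    # Constructed hostnames for illustration.
    for h in ["shapeshift.com", "tvvitter.com", "shapesh\u00edft.com", "example.org"]:
        print(h, "->", classify(h))
```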


SIM Attacks

SIM attacks take place when the user has activated two-factor authentication using text messages (SMS) and an attacker exploits the user’s personal data to get a hold of this information. How can they do this, you ask? Well, sometimes, it’s as easy as a scammer contacting your cellular network provider.

https://medium.com/mycrypto/what-to-do-when-sim-swapping-happens-to-you-1367f296ef4d

They convince the provider to transfer your data onto a new SIM — one that they control. Once they have access to this, they receive your text messages, making it very easy to gain access to your bank account, your social media accounts, and any other wallets or accounts that may let you verify logins via SMS.

If you suddenly lose access to your cell phone network, contact your provider immediately to try to block further attempts to access your accounts.


Stay Vigilant & Avoid Attacks

There are several ways that you can prevent scammers from getting your personal information. To best protect your data, follow these few rules. At first they may seem like a bit of work, but in the long run they could save you a lot of headaches.

  1. Bookmark websites that you use. Any time you sign up for a website, bookmark it. This will keep you from making typos when you type the website’s address into the URL bar, which helps you avoid falling victim to scams on phishing websites.
  2. Use a password manager like 1Password. If a scammer gains access to some of your personal details like your pet’s name or your birthdate, you will want to make sure your password doesn’t contain this information. The hardest-to-crack passwords are generated by password generators, but these passwords are impossible to remember. That is why you should keep them all in a safe place: a password manager. Your passwords will be strong and you will not have to remember them either.
  3. Enable two-factor authentication (2FA), but not via SMS. While many services will allow you to enable 2FA via text message, don’t! This is the way SIM attacks start! Unfortunately, some websites will automatically enable it via SMS, but you may be able to disable or change it to another method. The best method is to use a form of 2FA hardware, which plugs into your USB port and generates a number using software that pairs with it. There are other options too, like Google Authenticator or Authy.
  4. Only interact with verified pages. As previously mentioned, you can check if an account is verified by looking for a checkmark. If a profile is not verified and it is representing a brand or company, do not communicate with them, even if they contact you first.
  5. Don’t click unfamiliar links. Even if your friend or coworker sends you a link, check with them to see if they actually sent it. You can do this by calling them or asking them face-to-face. If a stranger sends you a link, you ought to be especially wary.
  6. Avoid doing business with strangers online. If someone contacts you on Reddit, Telegram, or other social media messaging platforms, they are not likely a businessperson or company. Do business with people you know or trusted network connections, not strangers on the internet.


Report Anything Suspicious

Now that you know how to be safer online, you have to remember that not everyone is aware that these scams exist. Keep your friends and family safe by teaching them these methods, and ultimately, by reporting any suspicious behavior.

  • If you have run into a Twitter scam, you can report it directly to Twitter.
  • To report suspicious websites or bad actors to ShapeShift, contact our support team.
  • If you have the misfortune of becoming the victim of a SIM attack, be sure to report this to your cell phone provider right away.

If you have any questions about the security of a website, reach out to their support team or other official accounts and wait for a response. Always remain vigilant when it comes to your online security. Like we often say in crypto: Don’t trust, verify.


