Phishing has become a very real danger to cryptocurrency firms. More than $1.1 billion worth of cryptocurrency was stolen in the first half of 2018. Another $1 billion has been stolen in ICO scams, with Ernst & Young estimating that over 10% of funds raised through initial coin offerings end up lost or stolen. It’s gotten so bad that one study found that a full 80% of all ICO’s are fake.
Fraud, unfortunately, is alive and well in the cryptocurrency space. As a result, your company’s reputation is more important than ever before.
Phishing attacks hijack your company’s credibility. They masquerade as your website in emails, websites, and on social media. They use the very trust you’ve so painstakingly built to convince your customers to hand over their personal information and wallet IDs. And when these con artists vanish, who do you see about recovering your good name?
The truth is, when it comes to phishing, your best remedy is both active, vigilant prevention and uncompromising takedown actions. Here are five principles your company can employ to make that happen:
1. Monitor Websites, Social Media, and Advertising
Phishing attacks start with stealing your corporate identity. They establish websites that look identical to your own, place nearly identical ads in your name, and create near carbon-copy social media accounts that are complete with pages and posts. They’ll send e-mails that duplicate your logo and letterhead, or tweets from a Twitter handle that changes only one inconspicuous letter from your own. Some scammers have even been found impersonating CEOs and other members of a company’s leadership team.
Their goal is simple: To free-ride off your corporate reputation. A phisher wants to mimic a website so trustworthy that users won’t think twice before plugging in their financial information. Arguably that trust is, in fact, the first thing they steal.
The good news is that you know what to look for. Constantly monitor your online environment both inside the firewall (within your network) and outside of it (on the internet at large). Use tools that search the web for your logo and other copyrights, as well as find social media accounts using names similar to yours. Have your e-mail server check for any inbound messages containing your branded content. Phishers depend on this material to duplicate your company’s look and feel, and the right tools can help you spot it even on the deep web.
Let scammers know that no matter how many fake websites they put up and no matter how many social media channels they hijack, you will take them down as soon as they are published. Soon enough they’ll give up, realizing that it isn’t worth the cost to phish someone as aware and dedicated to fighting scams as you are.
2. Guard Your Data
Sometimes security starts at home.
Your company stores a wealth of data that could be used to compromise its followers. From email addresses to personal information and financial records, your servers hold everything a phisher needs to make the scam look real.
Protect your community by protecting yourself. Establish well-known methods of communication, whether via e-mail, social media, or even snail mail. Make sure everyone in touch with your company knows exactly how they’ll hear from you. Never deviate from this process and let everyone know that non-compliant communication should be treated as illegitimate.
It is important to then secure that point of contact. Protect your network with strong, preferably two-factor, authentication. You might have your financial records under lock and key, but how secure is your e-mail server? Does your social media team understand the need to protect their Twitter and Facebook credentials? Exactly how many people can post on your Slack?
The same thing goes for personal data. People often use proprietary e-mail addresses or high-privacy accounts when it comes to financial contacts, such as blockchain firms. For them, the mere fact that a scammer knows how to reach them will give the attack legitimacy.
Double check all of these details and educate your team on security. After all, the only thing worse than a scammer creating fake accounts is one who can use the real thing.
3. Respond Quickly
There are a number of things you need to do after discovering that scammers have launched a phishing attack in your name, and all of them have to happen immediately.
Reach out to your community so that they know what is happening. While it’s true that no one wants to publicize an ongoing security issue, it will be far worse if the world reads about it in the press. Leave no ambiguity about the nature of the threat and be clear about how you will follow up. Then, ensure that you do follow up.
Identify all relevant hosts, domain registrars, and e-mail services, along with all social media channels. Contact them to try and get the malicious content blocked or taken down. Proactively reach out to all social media channels, even ones where you haven’t identified a threat. Phishing is cross-platform. Just because you haven’t found a threat on Telegram or LinkedIn doesn’t mean it’s not there.
4. Communicate and Educate
Your customers can be your first and best line of defence against phishers.
Staying engaged with your community isn’t just good business sense, it can also help you catch problems in their infancy. Establish forums, whether through your own website or through social media channels, and get actively engaged in them. Build a reputation for responding promptly to comments, e-mails, and other inquiries.
Consider setting a dedicated contact for security issues, and establish regular communication about these matters. Alert your community when you find a phishing site and invite them to do the same in return. Use your web presence to publicize evolving threats, including the growing reach of scams outside traditional social media and into Medium, Google Docs, Telegram, and other platforms previously thought fairly safe.
A culture of engagement and education will give your customers the opportunity to help you learn about suspicious behaviour out on the web. If it ends with someone forwarding you a suspicious message or asking about an unusual URL, all that effort will be worth it.
5. Enforce, Enforce, Then Enforce Some More
You can’t do this alone.
Enforcement will play a crucial role in your response to a phishing attack because, make no mistake, even if the scammers haven’t targeted anyone inside your firewall you are under attack. Respond accordingly.
Ensure in advance that your company’s legal counsel has the capacity and institutional expertise necessary to respond quickly in case of a digital threat. Discuss with them the risk that phishing poses and emphasize the importance of a quick response to any phishing site or posts detected. When you identify a phishing attack, have them immediately contact relevant 3rd party companies such as domain registrars, advertisers and social media platforms.
Attorneys will be crucial to getting offending content removed. While some platforms will work with your firm in good faith, some may not. Others may simply require the paperwork of a takedown letter or subpoena in order to process your request. As part of this process, you should make sure that all corporate content is properly protected through appropriate copyright, trademark, and other intellectual property registration. Often a court order or third party compliance will require proof of protected content, so be sure you have that paperwork ready in advance.
When good faith efforts aren’t enough, consider contacting law enforcement. Many criminals launch their phishing attacks from third-party jurisdictions and bulletproof servers. Government agencies may have the reach and authority to intervene when lawyers and domestic courts can’t.
When it comes to phishing attacks don’t pull your punches. Responding with every tool at your disposal and the full force of the law sends a message to future attackers that yours is a company they can’t afford to mess with.