Crypto Security
Lesson 20
10 min

What is phishing?

Phishing is a formidable cyberattack that plays on emotional triggers such as curiosity, urgency, or the lure of profit. By imitating trusted entities like banks, attackers seek to steal personal information, financial details, or access credentials. As cryptocurrencies attract an ever-wider audience, often newcomers, these scams are on a worrying rise. This practical guide breaks down the mechanics of phishing and provides concrete advice for protection.

Phishing: Definition and mechanisms

The term "phishing" is a play on "fishing", spelled with "ph" in the tradition of older hacker slang such as "phreaking" (the popular expansion "password fishing" is a later backronym). It refers to a technique of "fishing" for confidential data by impersonating a trusted third party. The objective is to steal information allowing access to accounts (usernames, passwords) or banking data. Today, it's a major driver of cybercrime. A phishing attack exploits psychological triggers to encourage the victim to act urgently:

  • Impersonating known institutions: pretending to be a bank's back office or a public administration officer.

  • Using alarmist pretexts: a security problem, an accounting issue.

  • Making enticing promises: promising gifts, offering a refund on a recent purchase.

How does a phishing attack work?

A phishing email typically combines four ingredients: a seemingly legitimate sender, often with subtle anomalies in the address; a message encouraging quick action through emotional levers (fear, urgency, the profit motive); a link to a counterfeit webpage imitating a trusted site such as a bank or a public service; and a form inviting users to enter sensitive information such as login credentials or bank details.

Example of a message:

Subject: [URGENT] Suspicious activity on your account!

Dear customer,

We have detected a suspicious login attempt on your personal account. As a security measure, we have temporarily blocked your account.

To reactivate it, please identify yourself via this secure link: http://www.bankXYZ-verification.fr/auth?user=29387642

The BankXYZ Security Team

A phishing email can be much more than a simple lure to click on a link. The email itself can carry malicious elements:

  • Infected attachments: PDF or Office documents, images, zip files containing malware.

  • Secondary links: links leading you to infected websites triggering malware downloads.

The most dangerous aspect is that these malicious elements do not always require a click. When the mail client or its preview components have an unpatched vulnerability, simply previewing the email (historically a recurring problem on Windows) has been enough to infect the computer. With a current, fully patched client this is rare, which is one more reason to install updates promptly.

What are the different variants of phishing?

While emails remain the dominant vector, phishing has mutated. Fraudsters have multiplied points of contact to trap maximum victims. Among the most widespread variants, we find the following.

Smishing 

A contraction of "SMS" and "phishing", smishing involves the fraudster impersonating a company or administration (a telecom operator or the tax office, for example). The SMS invokes an alarming pretext ("Your subscription is expiring", "A document needs to be regularised") to encourage clicking on a malicious link. This technique is formidable because users often have the reflex to check a text message immediately. The mobile format also deprives them of certain visual cues for detecting anomalies.

"Vishing" 

A contraction of "voice" and "phishing", vishing is a telephone scam involving fake bank advisors, tax agents, or IT technicians. They play on trust and authority to put the victim at ease during the call: impeccable technical lingo, a professional tone, and references to personal data gleaned online. They often invoke an urgent pretext ("regularise a file", "avoid a breakdown") to precipitate the disclosure of information.

Spear phishing

Spear phishing is the most personalised form of phishing. The fraudster targets a company through a specific employee, after gathering as much information as possible about the target: their position in the organisation chart, their relationships, and their habits. By combining this information, they construct a tailored scenario to inspire trust: impersonating a colleague or partner, referencing an ongoing project or recent news, and so on. Everything is sprinkled with credible contextual elements (a client case to handle, an invoice to pay). It is a meticulous staging designed to push the target to click on a malicious link.

Combined attacks

The threat is even stronger when attackers combine angles of attack. For example:

  • An email that applies pressure ("Your account needs regularisation"), and directs you to a fake telephone service to "authenticate the operation".

  • A text message encouraging you to call a number, where a fake advisor will guide the victim to install malware.

  • A seemingly harmless LinkedIn invitation that conceals spear phishing to penetrate the company's treasury software.

The danger of these variants is that they play on different habits. We're less on guard when checking a text message, answering the phone, or interacting on social media. And increasingly personalised scenarios lower our defences against signals that would ordinarily be obvious (spelling mistakes, pixelated logos, stock phrases, etc.).

What are the consequences of a phishing attack?

Beyond credential theft, phishing exposes victims to severe damages: fraudulent use of banking data, embezzlement, takeover of online accounts, digital identity theft, blackmail, extortion with threats to disclose sensitive data, loss of access to essential services (email, administrative, notably). The consequences can be dramatic financially, but also in terms of reputation and psychological well-being. It often takes many months to repair the damage and obtain any compensation. Not to mention the difficulty of "cleaning up" one's online presence after identity theft.

Can phishing threaten smartphone security?

Mobile devices are indeed prime targets for phishing. A single tap on a malicious link can lead to a malicious app being installed, typically after the user is talked into sideloading it or granting it permissions, or, on an unpatched device, to silent exploitation. This malware can then spy on keyboard inputs, SMS messages (including one-time codes) and files, or even take complete control of the smartphone. The risks on smartphones are multiplied by intensive usage conducive to moments of inattention, multiple channels (email, SMS, messaging, social networks) and small-format interfaces that partially mask URLs.

Can phishing bypass two-factor authentication (2FA)?

Two-factor authentication (2FA) is a valuable bulwark against phishing. It adds a security layer on top of the password, often via a temporary code received by SMS or generated by an app. Even if an attacker gets hold of your password, it's extremely unlikely for them to pass this second step on their own. However, fraudsters use ingenuity to bypass 2FA. Among their techniques is real-time phishing (also called adversary-in-the-middle phishing). The attacker replicates the authentication form, including the 2FA field. Each time the victim enters a code, the attacker injects it in real time on the real site, therefore authenticating in their place before the code expires. This works against any factor the victim can type or read out (SMS codes, authenticator-app codes, push approvals). It does not work against origin-bound authenticators such as FIDO2/WebAuthn security keys and passkeys, because the response they produce is tied to the website the browser is actually on, so a response obtained on a clone site is rejected by the real one.
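To make the difference concrete, here is an added simulation (not code from the original lesson or from any product) of the two flows described above. The bank, the clone origin, the user and the secrets are all assumptions invented for the demo; the one-time code is computed with the standard TOTP algorithm used by authenticator apps, and the "origin-bound" authenticator is a simplified stand-in for WebAuthn that mixes the browser's origin into what it signs.

```python
"""Why a relayed one-time code lets the attacker in, but an origin-bound
authenticator does not. Added simulation; all origins, users and secrets
below are assumptions made up for this demo."""
import hashlib
import hmac
import os
import struct
import time

REAL_ORIGIN = "https://www.bankxyz.com"               # assumption: the genuine site
PHISH_ORIGIN = "https://www.bankxyz-verification.fr"  # assumption: the clone site


def totp(secret: bytes, t=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30-second step), as generated by authenticator apps."""
    counter = int((time.time() if t is None else t) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def authenticator_sign(key: bytes, challenge: bytes, origin_in_browser: str) -> bytes:
    """Simplified origin-bound authenticator: the origin the browser reports is part
    of the signed data, so a response produced on a clone site cannot be reused."""
    return hmac.new(key, challenge + origin_in_browser.encode(), hashlib.sha256).digest()


class Bank:
    """The real site. Supports password + TOTP, or an origin-bound challenge-response."""

    def __init__(self):
        # Constructed user record (assumption for the demo).
        self.users = {"alice": {"pw": "correct horse battery", "totp_seed": b"alice-totp-seed",
                                "auth_key": b"alice-authenticator-key"}}
        self.pending_challenge = None

    def login_totp(self, user: str, pw: str, code: str, now) -> bool:
        u = self.users[user]
        return (hmac.compare_digest(pw, u["pw"])
                and hmac.compare_digest(code, totp(u["totp_seed"], now)))

    def new_challenge(self) -> bytes:
        self.pending_challenge = os.urandom(16)
        return self.pending_challenge

    def login_bound(self, user: str, assertion: bytes) -> bool:
        # The verifier recomputes with ITS OWN origin, never one supplied by the client.
        expected = authenticator_sign(self.users[user]["auth_key"],
                                      self.pending_challenge, REAL_ORIGIN)
        return hmac.compare_digest(assertion, expected)


def relay_totp_attack(bank: Bank, now) -> bool:
    """Victim types password and current code into the clone; the attacker forwards
    both to the real site within the 30-second window."""
    captured_pw = "correct horse battery"            # what the clone's form collected
    captured_code = totp(b"alice-totp-seed", now)    # the victim's app showed this code
    return bank.login_totp("alice", captured_pw, captured_code, now)   # succeeds


def relay_bound_attack(bank: Bank) -> bool:
    """Attacker forwards the real site's challenge to the clone. The victim's
    authenticator signs it, but with the clone's origin, so the real site rejects it."""
    challenge = bank.new_challenge()
    assertion = authenticator_sign(b"alice-authenticator-key", challenge, PHISH_ORIGIN)
    return bank.login_bound("alice", assertion)   # fails


def legitimate_bound_login(bank: Bank) -> bool:
    """Same authenticator, same key, but used on the genuine origin."""
    challenge = bank.new_challenge()
    assertion = authenticator_sign(b"alice-authenticator-key", challenge, REAL_ORIGIN)
    return bank.login_bound("alice", assertion)   # succeeds


if __name__ == "__main__":
    bank = Bank()
    print("relayed TOTP accepted:      ", relay_totp_attack(bank, time.time()))
    print("legit origin-bound accepted:", legitimate_bound_login(bank))
    print("relayed origin-bound accepted:", relay_bound_attack(bank))
```

The point the simulation makes is that a code the victim can see and type is, by construction, something the victim can hand to the wrong party; an authenticator that signs over the origin removes the human from that decision.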


How to spot a phishing attempt?

To foil the traps, here are the points to systematically inspect in an email:

  • Message sender: any anomaly (a misspelling, added characters, a display name that does not match the actual address) is suspicious. If in doubt, contact the organisation through another channel.

  • Message content: be wary of formal notices, catastrophising, obvious mistakes, lack of personalisation.

  • Any links: before clicking, hover over the link to display the true destination. If the visible text and the real destination differ, do not proceed.

  • Unexpected attachments: never open a document whose name ends with an unusual extension (.exe, .vbs, .js), including double extensions such as "invoice.pdf.js".

  • On a website, always verify the URL in the address bar, particularly the domain name. The padlock (HTTPS) only means the connection is encrypted; phishing sites routinely have one too, so its presence proves nothing about who owns the site. If you have the slightest doubt, leave the page immediately.
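The checks in the list above can be applied mechanically to a saved email. The following is an added example (not code from the original lesson) that runs them over a constructed message modelled on the sample email earlier in this article: it flags a sender domain that borrows a trusted brand name, urgency cues in the subject, links whose visible text points to a different domain than the real destination, and risky attachment names. The trusted-domain allowlist, the sample message and the attachment are all assumptions made up for the demo, and the "registrable domain" helper is a deliberate simplification (a real tool would use the Public Suffix List).

```python
"""Triage checks for a suspicious email: sender anomalies, link text vs. real
destination, lookalike domains, and risky attachment names.
Added illustration; the sample message is constructed, not a real phishing email."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"bankxyz.com"}   # assumption: domains the user really deals with
RISKY_EXTENSIONS = {".exe", ".vbs", ".js", ".scr", ".hta", ".jar", ".lnk"}
URGENCY_WORDS = ("urgent", "immediately", "suspended", "blocked", "verify now", "within 24")
HOSTLIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$")


def registrable_domain(host: str) -> str:
    """Crude stand-in for the registrable part of a host (last two labels)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def looks_like(domain: str, trusted: str) -> bool:
    """Lookalike test: the trusted brand name embedded in an unrelated domain."""
    return trusted.split(".")[0] in domain and domain != trusted


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(msg) -> list:
    """Return (severity, reason) findings for an email.message.EmailMessage."""
    findings = []
    # 1. Sender: does the domain merely resemble one the user trusts?
    sender = str(msg.get("From", ""))
    m = re.search(r"<([^>]+)>", sender)
    addr = (m.group(1) if m else sender).strip()
    sender_domain = registrable_domain(addr.rsplit("@", 1)[-1])
    for trusted in TRUSTED_DOMAINS:
        if looks_like(sender_domain, trusted):
            findings.append(("high", f"sender domain {sender_domain} mimics {trusted}"))
    # 2. Content: pressure language in the subject.
    subject = str(msg.get("Subject", "")).lower()
    if any(w in subject for w in URGENCY_WORDS):
        findings.append(("medium", f"urgency cue in subject: {subject!r}"))
    # 3. Links: visible text that names one domain while the href goes elsewhere.
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None and body.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_dom = registrable_domain(urlparse(href).hostname or "")
            shown = text.strip().lower()
            if HOSTLIKE.match(shown):
                shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname
                if shown_host and registrable_domain(shown_host) != href_dom:
                    findings.append(("high", f"link text shows {shown_host} but points to {href_dom}"))
            if urlparse(href).scheme == "http":
                findings.append(("low", f"plain http link: {href}"))
    # 4. Attachments: executable or double extensions.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in RISKY_EXTENSIONS):
            findings.append(("high", f"risky attachment: {name}"))
    return findings


def triage_raw(raw: bytes) -> list:
    """Entry point for a saved .eml file."""
    return triage(message_from_bytes(raw, policy=policy.default))


def build_sample() -> EmailMessage:
    """Constructed sample mirroring the article's example message (not a real email)."""
    msg = EmailMessage()
    msg["From"] = '"BankXYZ Security" <security@bankxyz-verification.fr>'
    msg["To"] = "customer@example.com"
    msg["Subject"] = "[URGENT] Suspicious activity on your account!"
    msg.set_content(
        "<p>Dear customer,</p>"
        "<p>To reactivate your account, identify yourself via this secure link: "
        '<a href="http://www.bankXYZ-verification.fr/auth?user=29387642">'
        "https://www.bankxyz.com/login</a></p>", subtype="html")
    msg.add_attachment(b"not really a script", maintype="application",
                       subtype="octet-stream", filename="statement.pdf.js")
    return msg


if __name__ == "__main__":
    for severity, reason in triage(build_sample()):
        print(f"[{severity}] {reason}")
```

Run it on a real message with triage_raw(open("suspect.eml", "rb").read()). None of these checks is conclusive on its own; the value is in seeing several of them fire on the same message, which is exactly the pattern the list above describes.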

What to do when facing a phishing email?

You've analysed a suspicious email, and you're certain it's a phishing attempt. Here's what to do:

  • Never click on links or open attachments. This is the golden rule. Even out of curiosity, to see what happens. The risk of compromising your device is too great.

  • Report the problem to your IT department if it's a professional email. They can analyse the incident and take company-wide measures (blocking the sender, alerting colleagues).

  • Forward the email to your email provider. Most have a dedicated "Report as spam/phishing" button. This feeds their detection systems to protect other users in the future.

  • Delete the message from your mailbox, to avoid opening it accidentally later. If you have reported it to your IT department, let them take a copy first; the headers and attachments are useful for analysis.

  • Immediately change your passwords if in doubt. If you think you've entered your credentials on a fraudulent site, change them without delay on the official site, reached by typing its address yourself rather than through any link. Use a robust and unique password, and if the service offers it, sign out all other sessions.

  • Run your antivirus. Some phishing emails exploit software vulnerabilities to infect your computer, even without clicking. If in doubt, a thorough scan is necessary.

What are the phishing scenarios specific to crypto?

Crypto-specific phishing scenarios can be divided into 3 categories, according to the fraudsters' objective. In all cases, investors lose big. The Scam Sniffer portal, specialising in crypto security, tracks phishing attacks: in September 2024, for example, their tool recorded 10,805 victims, with damages exceeding 46 million dollars.

Stealing account credentials on exchange platforms 

This is the most common scenario. The hacker tries to obtain the credentials (email + password) giving access to their victim's account on exchanges. They can then take control of the account and transfer all stored crypto assets to external addresses.

Examples of schemes:

  • The attacker sends a fake email from the platform. Claiming suspicious activity, they urge the target to click a link to change their password. The link leads to a perfect copy of the real site, designed to steal credentials.

  • The fraudster creates fake mobile apps imitating legitimate exchange apps. By logging in, the user unknowingly hands over their credentials. The scammer intercepts them and uses them to plunder the real account. This is what happened with the Metamask wallet in October 2024: false advertisements on Google Play directed users to a clone app, until users alerted its developer Consensys, which had it stopped.

Stealing private keys giving total control of addresses

Here, the objective is to steal the private keys (or the seed phrase from which they are derived) that give signing authority over crypto addresses. Whoever holds these keys effectively holds the linked assets, with no password reset or support desk to appeal to. Examples of schemes:

  • The scammer sends a trapped email containing malware (a "keylogger"). If the victim opens it, the malware installs silently. It records all keystrokes, particularly when the user types their private key or seed phrase to access their wallet.

  • The criminal creates a fake website or browser extension. This imitates a legitimate wallet solution (Metamask or Ledger Live). When the user imports their key to initialise this pseudo-wallet, the hacker intercepts it in real-time.

Scamming the victim with fake projects or investments

Rather than stealing access, some scammers will push their victims to transfer their crypto themselves. They rely on classic scam triggers: investment urgency, false scarcity, or astronomical returns. Examples of schemes:

  • A reputed influencer announces a surprise airdrop on Twitter: free tokens for their followers. But the registration site is a lure. Either it collects crypto sent to cover "processing fees", or it asks the visitor's wallet to sign a transaction that looks like a claim but is in fact a token approval or transfer granting the scammer's contract the right to drain the wallet (a so-called wallet drainer).

  • A pseudo-celebrity launches their own token with fanfare, with a viral marketing plan. The operation creates buzz, the price soars, and thousands of investors rush in. Then suddenly the team disappears with the treasury, and the token becomes an empty shell.
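The airdrop scheme above works because the wallet prompt shows a blob of calldata that most users approve without reading. The following is an added example (not code from the original lesson or from any wallet) of the one check worth doing before signing: decode the calldata and flag token approvals to an unknown spender, unlimited allowances, and setApprovalForAll grants. The two function selectors are the standard ERC-20 and ERC-721/1155 ones; the spender addresses, the allowlist and the sample calldata are constructed for the demo.

```python
"""Inspect the calldata a dApp asks a wallet to sign and flag approvals that
would let a third party drain it. Added example; addresses and calldata below
are constructed for the demo, only the two selectors are real."""

# First 4 bytes of keccak256 of the function signature (standard ERC selectors).
APPROVE = "095ea7b3"               # approve(address spender, uint256 amount)       ERC-20
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address operator, bool ok)   ERC-721/1155
UNLIMITED = 2 ** 256 - 1

# Assumption: an allowlist the user maintains of contracts they knowingly use.
KNOWN_SPENDERS = {"0x1111111111111111111111111111111111111111": "DEX router (constructed)"}


def _word(data: str, i: int) -> int:
    """i-th 32-byte ABI word after the 4-byte selector, as an int."""
    start = 8 + 64 * i
    word = data[start:start + 64]
    if len(word) != 64:
        raise ValueError("truncated calldata")
    return int(word, 16)


def _address(data: str, i: int) -> str:
    return "0x" + format(_word(data, i), "040x")


def inspect_calldata(calldata: str, allowlist=KNOWN_SPENDERS) -> list:
    """Return human-readable warnings for a transaction's calldata (hex string)."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    if len(data) < 8:
        return ["no function selector: plain value transfer or empty call"]
    selector, warnings = data[:8], []
    if selector == APPROVE:
        spender, amount = _address(data, 0), _word(data, 1)
        if spender not in allowlist:
            warnings.append(f"approve: unknown spender {spender}")
        if amount == UNLIMITED:
            warnings.append("approve: unlimited allowance (2**256-1)")
    elif selector == SET_APPROVAL_FOR_ALL:
        operator, approved = _address(data, 0), _word(data, 1) == 1
        if approved and operator not in allowlist:
            warnings.append(f"setApprovalForAll: unknown operator {operator} gains control "
                            "of every token in the collection")
    else:
        warnings.append(f"unrecognised selector 0x{selector}: decode it before signing")
    return warnings


def encode_call(selector: str, *words: int) -> str:
    """Build calldata the way a dApp would: selector + 32-byte big-endian words."""
    return "0x" + selector + "".join(format(w, "064x") for w in words)


# Constructed samples (not real on-chain transactions).
LEGIT_SWAP_APPROVAL = encode_call(APPROVE, 0x1111111111111111111111111111111111111111, 500 * 10 ** 18)
DRAINER_APPROVAL = encode_call(APPROVE, 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef, UNLIMITED)
DRAINER_NFT_GRANT = encode_call(SET_APPROVAL_FOR_ALL, 0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef, 1)

if __name__ == "__main__":
    for label, cd in [("legit", LEGIT_SWAP_APPROVAL), ("drainer", DRAINER_APPROVAL),
                      ("nft drainer", DRAINER_NFT_GRANT)]:
        print(label, inspect_calldata(cd) or ["no warnings"])
```

An "airdrop claim" that needs you to approve an unlimited amount, or to hand an unknown address operator rights over a whole NFT collection, is not a claim; it is a transfer of control dressed up as one. EIP-2612 permit signatures and similar off-chain approvals are not covered by this check and deserve the same suspicion.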

What measures can protect against phishing risk?

Strengthen your passwords

Opt for long passwords (more than 12 characters, and length matters more than forced character mixes), unique for each account. A password manager is valuable for generating and storing them securely. It also has a side benefit against phishing: a manager only autofills on the exact domain it saved the password for, so a lookalike site gets nothing, which is itself a warning sign worth heeding.

Deploy multi-factor authentication

Whenever possible, activate multi-factor authentication (MFA), of which 2FA (a temporary code by SMS or app in addition to login and password) is the most common form. Not all second factors are equal: SMS codes can be intercepted or relayed, authenticator-app codes can be relayed in real time, while hardware security keys and passkeys resist phishing because they are bound to the genuine site. It may feel constraining, but it's very effective for securing your accounts.

Cultivate the update reflex

Keep your software and systems up to date, installing security patches without delay. This is essential to fill vulnerabilities exploited by phishing emails to execute malicious code without your knowledge.

Adopt rigorous digital hygiene

Never open attachments or links from unknown senders, and even when in doubt with a regular sender. Carefully verify interlocutors' identity. And limit personal information published online: the less info available to build a credible scenario, the harder phishing becomes.

Be critical of good deals

If an offer seems too good to be true, it probably is! Particularly ads for secret projects guaranteeing miracle returns, or influencers promising the moon and stars. Most are scams. 

Join only trusted platforms

Long-established actors invest massively in security. At Bitpanda for example, independent audits regularly validate protocol effectiveness. Multi-factor authentication is mandatory for all users. Funds are stored offline in ultra-secure environments. This high level of security at Bitpanda acts as an anti-phishing barrier:

  • The platform is much harder to credibly impersonate

  • Any anomaly is quickly spotted and communicated to users

  • Even if credentials are stolen, a password alone is not enough to drain an account


Conclusion

In recent months, AI's rise has worried cybersecurity experts. Deepfakes are increasingly used in phishing campaigns, with ultra-realistic voices and videos to impersonate third parties. Fortunately, AI also brings new defensive tools. Anomaly detection algorithms, email analysis systems and security automation are also progressing, enabling real-time analysis of considerable data volumes.

The cryptocurrency ecosystem is the preferred hunting ground for phishers for several reasons: non-specialist users eager not to miss out, digital assets stored on online platforms, and apprehension about storage tools (hot/cold wallets). However, it's mainly because cryptocurrency transactions are irreversible by the very nature of blockchain. It is impossible to cancel a transfer, even a fraudulent one. Ultimately, humans remain the essential link. No security device can replace individual vigilance and risk awareness, and this is especially true for crypto investors.

Stay safe and informed with Bitpanda Academy

Crypto scams are constantly evolving, but knowledge is your best defence. The Bitpanda Academy offers many resources to help you stay secure in the crypto world, covering common crypto scams, the biggest risks in investing and more.

This article does not constitute investment advice, nor is it an offer or invitation to purchase any digital assets.

This article is for general purposes of information only and no representation or warranty, either expressed or implied, is made as to, and no reliance should be placed on, the fairness, accuracy, completeness or correctness of this article or opinions contained herein. 

Some statements contained in this article may be of future expectations that are based on our current views and assumptions and involve uncertainties that could cause actual results, performance or events which differ from those statements. 

None of the Bitpanda GmbH nor any of its affiliates, advisors or representatives shall have any liability whatsoever arising in connection with this article. 

Please note that an investment in digital assets carries risks in addition to the opportunities described above.