Alongside a significant rise in the prominence of phishing scams, we have seen some fraudsters mimicking CertiK. As a leading security organization we would be remiss if we didn’t take the time to warn you about these targeted campaigns so please take a minute while we show you how to detect and protect against these emails.
Phishing is a type of social engineering attack which is often used to steal any type of user data. An attacker sends an email or other message to an unsuspecting victim, pretending to be someone they are not. These messages contain a link, attachment, or contact details for the victim to engage with. A successful phishing attack can result in the victim having their funds taken or their identity used as part of a wider campaign of fraud. To learn more about the different types of phishing attacks see our post What Is a Phishing Attack.
Projects and organizations often have to deal with malicious actors impersonating employees or project members in the Web3 space. This is particularly the case with Discord phishing attacks that target the NFT community.
In these attacks, a trusted account is compromised and then posts a phishing link into the server’s announcements channel, leading to NFTs being stolen from members who follow it. Prominent examples this year include the Beeple and JRNYclub Twitter hacks, as well as the Bored Ape Yacht Club Discord exploit that stole 32 NFTs from community members.
CertiK analysts have tracked at least 811 incidents in 2022 leading to significant losses.
Your role in identifying these attacks is crucial, whether it be to your personal online security or the representation of the company you work for. It’s important for the security of your personal information and the security of all systems that you have access to – e.g. company intranets – to be able to identify the common signs of a potential phishing attack. Treating all emails that link you to external sites, especially unsolicited offers and invitations, with caution is the best way to avoid falling victim to a phishing attack.
Here is a real example of an unsolicited scam email from a fraudster masquerading as CertiK.
This fraudulent email displays a number of the hallmarks characteristic of a phishing email:
The most important thing to do when reading a suspicious email is to slow down. If something sounds suspicious or too good to be true, read it over again. Do NOT click any links suspected to be fraudulent and watch out for hidden hyperlinks where what you think you’re clicking is not what you intend to open.
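The "hidden hyperlink" check described above can be automated when triaging a suspicious HTML email. The following is an added example, not code from the original post or from CertiK: it parses the anchors in an email body and flags every link whose visible text names one host while the underlying href points somewhere else. The sample email body is constructed for the example, and the domains in it are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample HTML email body: one honest link and two disguised ones.
# The hostnames are placeholders, not real phishing infrastructure.
SAMPLE_EMAIL_HTML = """
<p>Your audit report is ready. View it at
<a href="https://www.certik.com/projects/example">https://www.certik.com/projects/example</a></p>
<p>Or claim your reward here:
<a href="http://certik-rewards.example.net/claim">https://www.certik.com/leaderboard</a></p>
<p>Questions? <a href="https://support.example.org/help">support.certik.com</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently being read, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible text that a reader would interpret as a web address: an optional
# scheme, a dotted hostname with an alphabetic TLD and an optional path.
_DOMAIN_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def _host(value):
    """Lowercase hostname of a URL or bare domain, or None if there is none."""
    if not value:
        return None
    if "://" not in value:
        value = "http://" + value
    host = urlparse(value).hostname
    return host.lower() if host else None


def find_hidden_hyperlinks(html):
    """Return (href, visible_text, reason) for each link whose visible text
    names a host that differs from the host the href actually opens."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if not _DOMAIN_LIKE.match(text):
            continue  # plain wording like "click here" is not a disguised URL
        shown, real = _host(text), _host(href)
        if shown and real and shown != real:
            findings.append((href, text, f"text shows {shown} but link opens {real}"))
    return findings


if __name__ == "__main__":
    for href, text, reason in find_hidden_hyperlinks(SAMPLE_EMAIL_HTML):
        print(f"SUSPICIOUS: {text!r} -> {href}  ({reason})")
```

The comparison is on full hostnames, so a link whose text reads `certik.com` but whose href is `www.certik.com` will also be reported; that is a deliberate choice here, since an analyst can dismiss a same-organisation mismatch far more cheaply than they can recover from a missed one.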
While messenger-app based phishing has been around for a while, Discord phishing is a relatively new form and has seen malicious users target the NFT space in particular. The main goal of a scammer on Discord is to trick an unsuspecting user into granting approval for their tokens to be transferred out of their wallet. Sounds like an impossible goal, right? Well, not exactly…
Phishers have developed highly sophisticated ways of duping users into thinking they’re interacting with a legitimate website, going so far as to clone a project’s official site (in the case of the Bored Ape Yacht Club phishing attack) while making the malicious links and functions subtle enough so as not to arouse suspicion.
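The approval trick described above works because the transaction a cloned site asks the wallet to sign looks like any other. The following is an added example, not code from the original post or from CertiK: it decodes the calldata of the two standard approval functions (`approve(address,uint256)` from ERC-20/ERC-721, selector `0x095ea7b3`, and `setApprovalForAll(address,bool)` from ERC-721/ERC-1155, selector `0xa22cb465`) offline, so that what a signing prompt is really granting can be read before it is confirmed. The operator address and calldata samples are constructed for the example.

```python
# Standard function selectors: first 4 bytes of keccak256 of the signature.
APPROVAL_SELECTORS = {
    "095ea7b3": ("approve", ("address", "uint256")),
    "a22cb465": ("setApprovalForAll", ("address", "bool")),
}

MAX_UINT256 = 2**256 - 1

# Constructed placeholder operator address (not a real contract).
SAMPLE_OPERATOR = "0x" + "11" * 20

# Constructed calldata: setApprovalForAll(SAMPLE_OPERATOR, true) and
# approve(SAMPLE_OPERATOR, MAX_UINT256). Each argument is one 32-byte word.
SAMPLE_SET_APPROVAL_FOR_ALL = "0xa22cb465" + ("11" * 20).rjust(64, "0") + "01".rjust(64, "0")
SAMPLE_UNLIMITED_APPROVE = "0x095ea7b3" + ("11" * 20).rjust(64, "0") + "ff" * 32


def decode_approval_calldata(calldata):
    """Decode approval calldata into {'function': name, 'args': [...]}.
    Returns None when the selector is not an approval function."""
    hex_data = calldata[2:] if calldata.startswith("0x") else calldata
    data = bytes.fromhex(hex_data)
    if len(data) < 4:
        raise ValueError("calldata shorter than a function selector")
    entry = APPROVAL_SELECTORS.get(data[:4].hex())
    if entry is None:
        return None
    name, types = entry
    words = data[4:]
    if len(words) != 32 * len(types):
        raise ValueError(f"{name} expects {len(types)} ABI words, got {len(words) / 32}")
    args = []
    for i, abi_type in enumerate(types):
        word = words[32 * i:32 * (i + 1)]
        if abi_type == "address":
            if any(word[:12]):
                raise ValueError("address word has non-zero padding")
            args.append("0x" + word[12:].hex())
        elif abi_type == "bool":
            args.append(int.from_bytes(word, "big") != 0)
        elif abi_type == "uint256":
            args.append(int.from_bytes(word, "big"))
    return {"function": name, "args": args}


def explain_approval(decoded):
    """Turn a decoded approval into the grant it actually makes.
    'unlimited' is True when signing hands the operator every token of that
    kind, now and in the future, which is the outcome a phishing site wants."""
    name, (operator, value) = decoded["function"], decoded["args"]
    if name == "setApprovalForAll":
        return {
            "operator": operator,
            "unlimited": value is True,
            "summary": (f"{'grants' if value else 'revokes'} {operator} control over "
                        f"ALL tokens in this collection"),
        }
    unlimited = value == MAX_UINT256
    return {
        "operator": operator,
        "unlimited": unlimited,
        "summary": f"allows {operator} to spend {'an unlimited amount' if unlimited else value}",
    }


if __name__ == "__main__":
    for sample in (SAMPLE_SET_APPROVAL_FOR_ALL, SAMPLE_UNLIMITED_APPROVE):
        decoded = decode_approval_calldata(sample)
        print(decoded["function"], "->", explain_approval(decoded)["summary"])
```

A `setApprovalForAll(..., true)` or an `approve` for the maximum `uint256` is exactly the grant that lets an attacker drain a wallet later without any further signature, so the `unlimited` flag is the one to act on: an unsolicited site that asks for it should be closed, and any such grant already made should be revoked from the legitimate contract.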
This fake phishing website looked almost identical to the official Bored Ape Yacht Club homepage.
For a full description of the BAYC phishing exploit see our in-depth writeup.
While Discord, Telegram, and other messenger app phishing attacks differ in the details, there are a number of important rules to keep in mind:
To combat phishing and fraudulent audit claims, we’ve launched a live feed that genuine projects can embed on their website. It is pulled directly from CertiK's website and is much harder to fake. Here are two examples. The first uses the new method: it is hard to fake and takes you directly to the project's CertiK Leaderboard page.
Next to the Baby Doge example is a real screenshot of a false claim. At face value it may look genuine, but on a second look it is clearly fake: notice the off-color branding and odd phrasing. Most of the time these claims will not link you to a Leaderboard page or audit report. If they do, check for differences, as the project may be a fraudulent clone. You can often verify this by opening the project directly from its Leaderboard page under the project's info, which sidesteps the claimed link entirely.
While the platforms that scammers use differ, there are some fundamental ground rules that will help protect you from all sorts of phishing scams, whether they’re delivered to you via email, text message, Telegram, Discord, or any other platform.
If you receive any emails from somebody claiming to be CertiK and you’re not sure if it’s genuine please do not hesitate to contact us at firstname.lastname@example.org and we’ll be more than happy to help. If you do receive any spam from a fake CertiK please forward the email to us and we’ll take it from there!