Phishing is a form of social engineering where a bad actor sends an email or other digital communication with the intent of tricking you into revealing personal information such as passwords, credit card numbers, and other kinds of sensitive data.
Bitcoin is particularly attractive for phishing because once a bad actor gets access to your private keys, whether you hold them yourself or a custodian holds them for you, they can steal your funds with no way to reverse the transaction and little chance of being identified. One way to protect yourself from this kind of dire outcome is by eliminating single points of failure with a multisig vault. Another is by equipping yourself to spot phishing attempts and stop an attack before it begins.
There are two major types of phishing attacks: generic phishing and spear phishing. In both types of attack, you’ll receive an email, instant message, text message, or other digital communication that includes either a malicious embedded link or a malicious attachment (or both!). The main difference between the two is targeting: generic phishing is sent in bulk to as many recipients as possible, while spear phishing is tailored to a specific person or organization, often using details the attacker has gathered about you, your contacts, or your accounts in advance.
The most important way you can protect yourself is learning how to spot a phishing attempt. If you can discern which incoming communications are phishing, you can minimize the chance that you’re ever compromised because you know to ignore the email or text message, mark it as spam (if possible), and immediately discard it.
The simplest way to protect yourself is to let your email client do it for you! Many messaging and email applications today will warn you about suspicious messages. If your email provider or client (e.g., Gmail, Yahoo, Outlook) detects a suspicious email, it may display a message such as, “Be careful with this message!” or “This message seems dangerous!”. Such indicators are intended to make you think twice before clicking on links or opening attachments included within the particular message.
If you see one of these messages, heed their warning! Some may simply highlight that something about the message is dangerous or suspicious, while others may encourage you to take a specific action, such as confirming that it is indeed phishing. It’s a good idea to take a warning like this seriously unless you have independently verified (for example, by contacting the sender through a channel you already trust) that it is a false positive.
Another way to protect yourself is to watch for three of the most common traits of phishing and spear phishing attacks: a sense of urgency, unsolicited contact, and reliance on impersonation.
Phishing messages typically attempt to make you act quickly. This method preys on human emotion, usually fear. The attacker may say something like “Your account is about to be deleted!”, “Your funds are at risk!”, or “Your credit card has been suspended!”. Scary or threatening statements are a clue that the message you are looking at may not be as legitimate as it appears.
This strategy is common because if the bad actor can get you to do something quickly, there’s a greater chance they’ll achieve their desired ends before suspicions are raised. This is especially true in bitcoin, where keys improperly held can open you up to permanently lost funds with just one mistake. If you feel compelled to act out of urgency, always take a second to consider the actions you’re about to take.
You should be cautious if you receive an unexpected email with a link or an attachment. Is the message from someone whom you did not expect to contact you? Is the message from an old friend or colleague you haven’t corresponded with for many years? Does the message appear markedly different from typical correspondence you might otherwise receive from the sender? Unsolicited contact like this should raise a red flag.
Phishing messages usually pretend to be from someone you already trust. This trust is used to make you lower your guard and give away information you would normally protect such as login credentials, sensitive information, or access to funds.
Here are some examples of phishing messages you might see, disguised as coming from institutions or organizations with which you have a legitimate relationship.
Note that these messages look legitimate at first glance, including features such as:
All of these items are intended to trick you into believing the message is legitimate. The bad actor wants you to think, “This is coming from a trusted person or organization with which I do business. I need to pay attention. I need to take action now!”
For our purposes, context refers to the surroundings or interrelated conditions of a particular digital communication. The human brain is an excellent filter; don’t underestimate your innate ability to tell when something is a little bit off. Instead, listen to that instinct when you are looking at emails and deciding whether to click on links or open attachments.
Take a look at the example above. Note the inconsistent grammar, uncommon phrasing, and suspicious language in the body of the message. Does it make sense that the executive of a high-profile organization or institution would use such words or phrasing? Does the conversational tone match what you would expect from such a sender? Elements like these are difficult for a bad actor to impersonate and can help signal that something is out of place.
There are a couple ways to examine an email’s header to help you verify the legitimacy of a message. The first is by looking at the header in your email client directly—most email user interfaces compress the sender information but provide a caret you can click that will expand the section. You can also view the entirety of a message’s source as we describe below.
Some things to look for in the header include:
The anchor text displayed in the email body may say it is taking you somewhere you trust, but the embedded link behind that text may very well be taking you somewhere else. Be especially cautious of embedded links that display misspelled domains or domains that aren’t related to the destination where you expect to go.
A helpful technique is to use your mouse to hover over links in the message. When doing so, your browser or email client automatically displays the address where the link is taking you (often in the lower edge of the message window). As in the examination of the header discussed earlier, does the link address include any suspicious elements or irregularities? If so, perhaps the domain is not really from the organization it pretends to be.
If you’re more technically savvy, you can also examine the underlying raw data of the email message. Almost all email clients offer you an easy way to view this information. In Gmail, it is found by clicking the three dots located next to the reply arrow on the upper right section of the message. Choose Show original from the drop-down. Gmail then opens a separate window that displays the complete raw source code of the message.
There are three elements you can examine in the source data that can help identify a phishing email:
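The same checks described above for hovering over links and reading a message’s raw source can be automated. The script below is an added example written for this article; it is not Unchained’s code, and the message it parses is a constructed sample with made-up names and domains (example.com, example-support-center.com, login-portal.net). It reads a raw RFC 5322 message with Python’s standard email library and reports three kinds of inconsistency a phishing message commonly shows: the From, Reply-To and Return-Path domains disagreeing with one another; the receiving server’s Authentication-Results (SPF, DKIM, DMARC) recording anything other than a pass; and an anchor whose visible text names one domain while its href points to another.

```python
"""Triage a raw email message for common phishing indicators.

Added example, not code from the original article or from Unchained.
The sample message and all names/domains in it are constructed.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a "your account will be deleted" lure whose headers
# and links do not agree with the sender it pretends to be.
RAW_MESSAGE = b"""Return-Path: <bounce@mail-updates-example.net>
Received: from mail-updates-example.net (203.0.113.5)
Authentication-Results: mx.example.org;
    spf=fail smtp.mailfrom=mail-updates-example.net;
    dkim=none;
    dmarc=fail header.from=example.com
From: "Client Services" <support@example.com>
Reply-To: helpdesk@example-support-center.com
To: you@example.org
Subject: URGENT: Your vault will be deleted in 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account is about to be deleted! Log in now to keep your funds safe.</p>
<p><a href="http://exarnple.com.login-portal.net/vault">https://example.com/login</a></p>
<p>Or open <a href="https://example.com/help">the help center</a>.</p>
</body></html>
"""


def registrable_domain(host):
    """Crude 'last two labels' approximation of the owning domain.
    (A real tool would consult the public suffix list; this is enough
    to show that a.b.example.com and example.com belong together.)"""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain_in_text(text):
    """Return the domain a user would read in the anchor text, if any."""
    t = text.strip()
    if "://" in t:
        return urlparse(t).hostname
    m = re.fullmatch(r"(?:www\.)?([\w-]+(?:\.[\w-]+)+)", t)
    return m.group(1) if m else None


def triage(raw):
    """Return a list of human-readable findings for a raw message (bytes)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # 1. Header consistency: Reply-To and Return-Path should belong to the
    #    same organization as the From address.
    from_dom = registrable_domain(parseaddr(str(msg["From"]))[1].rpartition("@")[2])
    for hdr in ("Reply-To", "Return-Path"):
        if msg[hdr]:
            dom = registrable_domain(parseaddr(str(msg[hdr]))[1].rpartition("@")[2])
            if dom != from_dom:
                findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")

    # 2. Authentication results stamped by the receiving server.
    auth = str(msg["Authentication-Results"] or "")
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I):
        if result.lower() != "pass":
            findings.append(f"{mech.lower()}={result.lower()}")

    # 3. Link mismatch: what the anchor text shows vs. where the href goes
    #    (the programmatic version of hovering over the link).
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_dom = registrable_domain(urlparse(href).hostname or "")
            shown = _domain_in_text(text)
            if shown and registrable_domain(shown) != href_dom:
                findings.append(f"link text shows {shown} but points to {href_dom}")
    return findings


if __name__ == "__main__":
    for finding in triage(RAW_MESSAGE):
        print("-", finding)
```

Run against the sample, the script reports the mismatched Reply-To and Return-Path domains, the failed SPF and DMARC checks and the absent DKIM signature, and the link whose text reads example.com but whose href resolves under login-portal.net. Any one of these would be a reason to stop and verify out of channel before clicking; several together are a strong signal. In a real mailbox you would feed the script the output of “Show original” (or the equivalent in your client) rather than the constructed message above.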
One of the most powerful techniques to keep yourself protected from phishing attacks is called “out of channel verification.” With this technique, you stop and seek confirmation of the suspected message’s validity through a separate and independent channel. In most cases, this means directly contacting the supposed sender via a contact method known to be bona fide.
Often, when a person’s email account is hacked, the bad actor uses the email address to impersonate the individual by sending messages to the person’s contact list or friends. When in doubt, the safest bet is to take steps to verify that the message is real. If the individual has been compromised, your outreach to them may be the first time they realize something is wrong.
In bitcoin we are taught, don’t trust, verify. Even outside your life in bitcoin, if you get an email or phone call from somebody claiming to be from a financial institution asking for your credit card information, or telling you that something is due, or similar—it is always good to reach out to the confirmed contact information that you know is legitimate and verify—always verify. – Justine Harper, Vice President, Concierge
What should you do if you realize too late that you clicked on a link that you shouldn’t have? Here are some basic steps you can take to help mitigate your risk:
If you ever have a question or are uncertain about a message you receive regarding your account with Unchained, you should check with client services at email@example.com to verify.
Best practices for improving your sovereignty and security are regular topics of discussion and education here at Unchained Capital. Sign up for our upcoming introduction to multisig webinar to learn how multisig protects you from the worst phishing outcomes, and be sure to check out our YouTube channel to view our full archive of helpful guides, webinars, and interviews! Join our email list below to learn more about other educational opportunities.