Fellow CryptoMasters,
I wanted to share a recent observation about a phishing tactic that seems to be gaining traction, and it's a bit more sophisticated than the usual fake login pages. It's what I'm calling the 'Double Dip' scam, and it targets users who might already be a bit cautious.
Here's how it typically works:
- First, you'll receive a convincing-looking email or message, often mimicking a notification from a popular exchange or wallet provider. This message might claim there's a 'security alert' or an 'unusual transaction' on your account.
- It will then prompt you to click a link to 'verify your identity' or 'secure your account.' This link leads to a fake but very realistic login page.
- If you fall for it and enter your username and password, the scammers get those details. But here's the 'double dip': they often also ask you to enter your 2FA code (like from Google Authenticator or Authy) on the same fake page. This is crucial because it bypasses your second layer of security.
- With both your login credentials and your active 2FA code, they can log into your real account almost immediately.
The really insidious part is that they might even send a second fake notification shortly after, claiming the 'security issue' is resolved, to lull you into a false sense of security. By then, it's often too late.
Key Takeaways & Prevention:
- Never enter your 2FA code on a website you reached by clicking a link in an email. Always navigate directly to the official site yourself by typing the URL or using a trusted bookmark.
- Be wary of urgent security alerts. Scammers prey on fear. Take a deep breath and verify independently.
- Use a hardware wallet for significant holdings. Even if credentials are phished, a hardware wallet requires physical confirmation for transactions.
- Enable email/SMS alerts for all logins and transactions on your exchange accounts.
Stay vigilant out there. These scams are getting smarter, and we need to be even smarter.