Initial coin offerings (ICOs) have been just as much a boon for crooks as they have been for investors.
Like clockwork, after a high-profile ICO is announced, cyber-criminals hatch a scheme to trick excited retail investors into sending their ether or Bitcoin to a phoney address. The industry largely reacts to phishing attacks by taking to social media to voice frustration over how much of a particular cryptocurrency was lost.
And because the industry is so new and opaque, and individuals’ delusions of savviness make people collectively gullible, the instances of successful scams are unlikely to diminish.
In addition, as more and more token sales limit the number of people that can invest in the public sales, supporters are eager to find backdoors into ICOs, which can put them at risk of not thinking an offer through.
“If you expect to have a high-profile campaign, you should expect to be a target,” said Paul Walsh, CEO of Metacert, which offers a free Chrome extension that ICO investors can use to protect themselves.
In fact, NuCypher, a proxy re-encryption project whose recently launched ICO piqued the interest of many investors, has dealt with repeated phishing attempts. Each time the company detects a phishing campaign, it warns its community via its email list about what to look for.
The most recent attack came over Slack, in messages delivered via slackbots that gave an ethereum address to send ether to, supposedly in return for NuCypher tokens. In its response, NuCypher reminded investors that it would never use Slack to request investment.
Yet some people got burned, and the larger crypto community suffers every time a phishing scam succeeds.
Walsh told CoinDesk:
“Once [investors] get their fingers burnt, they are more likely to tell people: don’t do this. Then fewer people are going to invest in cryptocurrency.”
In an effort to eliminate that issue, NuCypher has taken an approach focused on communication and education, one that many other ICO issuers, and the investors interested in these rounds, could learn from.
But this isn’t the only way to stay safe in such a wild market. There’s a lot investors can do to protect themselves, but really, no one can do as much as the team running the ICO.
Perhaps the most important strategy for issuers is emphasizing a single communication channel where sale news will be published.
When messaging app provider Kik launched Kin, for instance, the company made it clear that all information about buying its tokens would be on, and only on, its token sale site. Even if Kik sent an update in an email or through a social channel, the update always directed readers back to the site for how to take action.
This approach is particularly beneficial: when critical information such as wallet addresses is broadcast via the website, a fraudster would have to change the website itself, which is much harder than sending a convincing email.
Not only that, but entrepreneurs and companies that plan on running token sales, or are rumored to be, should publicly state their intentions as quickly as possible.
The Telegram ICO shows the problems with not being open. Because the mobile messaging company has barely communicated with the public about the ICO, scammers can take advantage of that knowledge gap and set up fake sites pretending to offer the tokens.
Case in point, investors have taken to Twitter to complain about getting swindled by fake Telegram token sites; one disgruntled individual tweeted that he had put four ether into a site hoping to buy Telegram tokens.
Telegram’s CEO has responded to a few questions about specific URLs and the company has created a Telegram channel for reporting scam sites, but it would be far better just to be upfront about what’s going on.
Another area where issuers can lessen the chances of fraud is their marketing: toning down the urgency of calls to buy tokens, although this might seem counter-intuitive to many.
When a marketing team announces that there will be brief periods of special discounts, it puts a group of potential investors on a hair trigger. They know these things sell out quickly, so they need to act fast if they want to get in. In this way, investors might be tricked into following phoney links, as they act before thinking things through.
On the topic, Walsh said:
“It’s good to get enthusiasm around whatever it is you’re going to launch, but these teams need to be more mindful.”
Above all else, though, companies running ICOs need to be unequivocal about how they will communicate, so followers will know anything that doesn’t follow that format is bogus.
Much hacking these days is conducted through social engineering, not cloak-and-dagger coding.
Tricking employees into revealing critical information, or figuring out how to imitate the actual staff, are two ways attackers have had success with their scams.
In this way, issuers need to keep in mind that…