Yes, another Bitcoin scam story, but this one has a twist and a lesson to be learned.
A little over two weeks ago I received the following email:
At first glance this seems to be a normal email blast sent out by Coindesk looking for advertisers. As you can see from the recipient line, it was sent to the admin address of 99Bitcoins ([email protected]). The thing is, we don’t have an admin address; it just landed in our inbox since all email directed to 99bitcoins.com is captured.
What was suspicious about the email
- The sender’s name – Shakil Khan. I knew who he was: he was the founder of Coindesk, this is his LinkedIn profile. Why would the founder of a 15-person company be sending out cold marketing emails? Don’t they have at least a VP of marketing or someone else not so high up?
- The email was sent from [email protected] – I would expect Coindesk to send email from their own domain name rather than from a generic Gmail address.
What was convincing about the email
- The advertising spots available were actually pretty convincing. First, the email stated a specific daily impression count. Second, the date at which the banner would become available matched what was advertised on Coindesk. If you visited Coindesk at the time the email was sent, you would see an ad there for Coinsummit that was set to expire on the 6th of July.
- The Facebook URL was also pretty convincing – why would someone link to a Facebook page that wasn’t their own? I mean, if this was a scam, that would lower their success rate.
I decided to place an order
Since we’re thinking of incorporating ads in 99Bitcoins, I decided to at least inquire about the prices Coindesk charges so I would have a reference. At this point I still didn’t realize this was a scam. After a very short waiting period I got a reply that it costs 2 BTC to advertise on the large banner and 1.5 BTC on the smaller one.
This seemed pretty low for advertising on one of the most highly visited websites about Bitcoin, and I thought to myself that maybe I should go for it, but it was still too expensive. When I turned down the offer politely, “Shakil Khan” told me that since they didn’t have a lot of advertisers he could give me the spot for 1.5 BTC.
After some more negotiating I was convinced that this was a good deal and was about to send my Bitcoins, until I got the final response from the scammer:
The grammar mistakes finally aroused my suspicion and I decided to investigate further.
Contacting the REAL Coindesk
I sent two emails to Coindesk’s chief editor and marketing manager – I knew these were their actual addresses since I had spoken with them before. I told them the story and got the following response:
Apparently Coindesk has known about this issue for some time now and has actually created a page for it on their website. It seems that this specific email isn’t the only way these scammers try to cheat people out of their money. Some emails even carry an actual Coindesk domain in the “From” address, but if you look at the “Reply-To” address you see it’s the same Gmail address. The “From” header is text the sender chooses and is easily forged unless the receiving server enforces SPF, DKIM and DMARC; what decides where your reply (and your payment details) ends up is “Reply-To”, so that is the header to compare against the sender’s domain.
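The two variants described above (a message sent straight from Gmail, and a message with a coindesk.com “From” but a Gmail “Reply-To”) can be caught with a few header checks. The following is an added example, not code from the original post or from Coindesk; the messages, addresses and the webmail-domain list are constructed placeholders for the example.

```python
"""Flag e-mails whose replies would go somewhere other than the visible sender.

Added example, not code from the original post or from Coindesk. The scam
mails described above either came straight from a Gmail address or showed a
coindesk.com "From" while steering replies to Gmail via "Reply-To". The
messages and addresses below are constructed placeholders for this example.
"""
from email import message_from_string
from email.utils import parseaddr

# Webmail domains a company would not use for sales outreach (assumption).
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}


def parse_address(header_value):
    """Return (display_name, domain) for an address header; '' if absent."""
    name, addr = parseaddr(header_value or "")
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, domain


def check_headers(raw_message, brand="coindesk", brand_domain="coindesk.com"):
    """Return a list of warnings for a raw RFC 822 message.

    brand/brand_domain describe the company the mail claims to come from
    (assumed values for this example).
    """
    msg = message_from_string(raw_message)
    from_name, from_domain = parse_address(msg["From"])
    _, reply_domain = parse_address(msg["Reply-To"])
    warnings = []
    # A Reply-To on another domain means the visible sender never sees your answer.
    if reply_domain and reply_domain != from_domain:
        warnings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    if from_domain in FREEMAIL_DOMAINS:
        warnings.append(f"sender uses webmail domain {from_domain}")
    if reply_domain in FREEMAIL_DOMAINS:
        warnings.append(f"replies go to webmail domain {reply_domain}")
    # Company name in the display name, but the mail is not from the company's domain.
    if brand in from_name.lower() and from_domain != brand_domain:
        warnings.append(f"display name claims {brand!r} but From domain is {from_domain}")
    return warnings


# Constructed samples modelled on the two variants described in the post.
SCAM_FROM_GMAIL = (
    "From: Shakil Khan <example.sender@gmail.com>\n"
    "To: admin@example.com\n"
    "Subject: Advertise on Coindesk\n\n"
    "We have banner spots available.\n"
)
SCAM_SPOOFED_FROM = (
    "From: Coindesk Ads <ads@coindesk.com>\n"
    "Reply-To: example.sender@gmail.com\n"
    "To: admin@example.com\n"
    "Subject: Advertise on Coindesk\n\n"
    "We have banner spots available.\n"
)
LEGIT = (
    "From: Coindesk Ads <ads@coindesk.com>\n"
    "To: admin@example.com\n"
    "Subject: Advertise on Coindesk\n\n"
    "We have banner spots available.\n"
)

if __name__ == "__main__":
    for label, raw in [("gmail", SCAM_FROM_GMAIL), ("spoofed", SCAM_SPOOFED_FROM), ("legit", LEGIT)]:
        print(label, check_headers(raw) or ["no warnings"])
```

The check deliberately compares domains rather than full addresses: a legitimate sales team may route replies to a shared mailbox on the same domain, while a reply address on a different domain (especially a webmail one) is exactly the pattern Coindesk described.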
How scammers used CAPS to manipulate users
The final thing I found out is that the Facebook page was also a scam. Instead of pointing to Coindesk’s actual FB page, the phishing email points to COLNDESK: a lowercase “L” in place of the “I”, which in an all-caps name rendered in most sans-serif fonts is indistinguishable from a capital “I”. This fake Facebook page has more than 14,000 likes (probably most of them fake), most of which come from Croatia. The oldest post on this page is from June 2014, which proves that this is a new phishing trick that was just put into play.
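The COLNDESK trick is a classic look-alike name, and it generalizes beyond one letter pair (lowercase l for capital I, 0 for O, rn for m). The following added example (not code from the original post) collapses such confusable characters into a common “skeleton” and flags any host label or path segment in a URL whose skeleton matches the brand without being the brand; the confusable table is an assumption, a small Latin-only subset of the kind of list real scanners use.

```python
"""Spot look-alike names such as COLNDESK for coindesk.

Added example, not from the original post. The scam Facebook URL described
above swapped the capital I in COINDESK for a lowercase L, which renders
identically in many sans-serif fonts. The skeleton table below is an
assumption: a small Latin-only subset of the kind of confusables list real
scanners use.
"""
from urllib.parse import urlparse

# Multi-character sequences first, then single characters, all applied to
# lowercased text so that 'I' and 'L' collapse to the same skeleton as 'i'.
_SEQUENCE_RULES = [("rn", "m"), ("vv", "w")]
_CHAR_RULES = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o", "5": "s"})


def skeleton(name):
    """Collapse visually confusable characters to one canonical form."""
    text = name.lower()
    for seq, repl in _SEQUENCE_RULES:
        text = text.replace(seq, repl)
    return text.translate(_CHAR_RULES)


def is_lookalike(candidate, brand):
    """True when candidate looks like brand but is not the same name."""
    return candidate.lower() != brand.lower() and skeleton(candidate) == skeleton(brand)


def check_url(url, brand):
    """Return warnings for host labels or path segments that imitate brand."""
    parsed = urlparse(url)
    parts = [("host label", p) for p in parsed.hostname.split(".")] if parsed.hostname else []
    parts += [("path segment", p) for p in parsed.path.split("/") if p]
    return [f"{kind} {part!r} imitates {brand!r}" for kind, part in parts if is_lookalike(part, brand)]


if __name__ == "__main__":
    # Constructed URLs: the scam pattern from the post, a legitimate page, and a
    # look-alike domain (placeholder, not a real site).
    for url in ("https://www.facebook.com/COLNDESK",
                "https://www.facebook.com/coindesk",
                "https://colndesk.com/ads"):
        print(url, check_url(url, "coindesk") or ["ok"])
```

Run on the Facebook URL from the email, the path segment COLNDESK is flagged because its skeleton equals that of coindesk while the names differ; the genuine page passes. The same check applies to the forum name in the update below (bitcointaIk with a capital I would collide with bitcointalk), and a fuller scanner would replace the tiny table with the Unicode confusables data so that Cyrillic and Greek look-alikes are caught as well.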
What can you learn from this?
Luck was the only thing that prevented me from losing 1.5 BTC in this case. But I think I’ve learned a much more valuable lesson – and that’s how easy it has just become for scammers to take your money. You see, until Bitcoin was introduced, scammers had to overcome complicated barriers when they wanted someone to send them money. They needed to persuade people to wire them the money or send a check, an action that requires more effort than clicking a button and therefore probably had a much lower success rate.
But with Bitcoin, cash has become digital, and scam success rates are bound to rise because of it. Now all they have to do is convince me to click a button. Also, unlike with a wire transfer or a check, I don’t know who they are, not even an alias.
I think what I personally take from this story is to make sure I can positively verify the person that I’m sending money to before actually sending it. This can be done with PGP signatures: the sender signs the message with their private key, and I verify the signature against a public key I obtained beforehand through a channel I trust (for example, published on the company’s own site, with the fingerprint confirmed by phone or in person). Someone who is not the actual sender does not hold that private key and cannot produce a signature that verifies; a signature made with some other key proves nothing, which is why the public key must come from somewhere other than the email itself. Remember, with Bitcoin – what’s done is done, and absurdly enough I almost didn’t follow my #1 rule for sending out Bitcoins.
Update – Scammers are using BitcoinTalk as well
As I was getting ready to publish this post I got another email, this time from the alleged “BitcoinTalk” forum. As you can see below, the same techniques are used here – a Gmail address, stating exact banner sizes etc.
And of course after I replied I got a really detailed email about the ad slots. I posted this on BitcoinTalk and confirmed my suspicion that it is actually a scam. This should be a warning to us all to look twice before sending Bitcoins to strangers… good luck.