Bitcoin Scam Guide – Avoiding Theft and Fraud
By: Ofir Beigel | Last updated: 4/24/20
There are numerous ways to lose your Bitcoins – scams, fraud, and theft are getting more and more common these days. This post will describe how to keep your Bitcoins safe, plus give you some practical tools to use.
Bitcoin Scam Guide Summary
There are numerous types of Bitcoin scams out there. Here’s how to avoid them:
- Never expose your private key / seed phrase.
- Use the Bitcoin Scam Test before using any unknown service.
- Make sure you’re not logging into a phishing site (explained below).
- Use strong, unique passwords for all related accounts.
- Enable 2FA on related accounts.
- Use a VPN or secure network to connect to your Bitcoin accounts.
That’s how to avoid scams in a nutshell. If you want a more detailed review about how to identify scams and avoid fraud or theft, keep on reading. Here’s what I’ll cover:
- The Bitcoin Scam Test
- Is Bitcoin Safe?
- What Should I Do if I Got Scammed?
- Bitcoin Scam Examples
- My Personal Scam Story
- Bitcoin Theft
- Additional Safety Tips
The Bitcoin Scam Test
Use this simple 12-question test to evaluate any unknown Bitcoin service or website. Some questions require a specific tool, which you’ll find in the right sidebar. If you don’t know the answer to a question you can skip it (though the results will be less accurate).
Is Bitcoin Safe?
Bitcoin, the currency and the technology behind it, has withstood numerous attacks throughout the years. The weakest link in Bitcoin’s security (as is the case with most other technologies) is usually the people who handle it.
Whenever you hear that Bitcoins were stolen, it wasn’t because there was a problem with Bitcoin’s technology, but because whoever was holding those Bitcoins wasn’t careful enough.
Saying Bitcoin isn’t safe because you hear a lot about stolen Bitcoins is like saying the dollar isn’t safe because you hear that there are a lot of robberies going on.
With great power comes great responsibility, and as long as you follow the steps in this post your Bitcoins will be safe and sound.
Before we get started, here is the most important rule you should remember:
You, and you alone, should know the private key to your Bitcoin wallet. The private key, or seed phrase, is like the combination to a safe. Whoever knows your wallet’s private key can take control of your Bitcoins.
No website or person should ever ask you for your private key – just as no one should ask you for the number combination of your safe. So keep that in mind as a red flag if you ever hear that request.
What Should I Do if I Got Scammed?
Here are some of the options at your disposal:
- Share your experience in the comments section of this post so others can learn from it.
- Report the website or service to the relevant authority.
- Report the website on review sites like TrustPilot, BitTrust and BadBitcoin.
- Take legal action against the site or service – this might not be worth your time or money (depending on how much money was taken from you).
Bitcoin Scam Examples
In scams and fraud, attackers exploit the human factor to get their hands on your Bitcoin. Usually the fraudster does this by claiming to be someone or something he’s not. Here are some common scams and fraud schemes:
Nigerian prince scams
These are similar to the emails that popped up when the Internet was just gaining mass adoption, sent by a person claiming to be a Nigerian prince who wants to share his wealth with you. Today it’s a general term for any email scam in which people ask you to send them Bitcoin.
The reason they ask for Bitcoin is because:
- Bitcoin is somewhat anonymous.
- Bitcoin transactions can’t be reversed.
How to avoid – Don’t ever send Bitcoins to someone you don’t know, and when you do send Bitcoins to someone you know, double check that you’re actually speaking to who you think you’re speaking to.
Private Key Scams
This type of scam involves people accessing your wallet’s private key or seed phrase (i.e. the password to your funds). There are several ways this scam can take form:
- Persuading the user to send over his private key / seed
- Persuading the user to give remote access to his computer and getting the private key through that access (example). This is usually done by pretending to be someone respected in the community / someone that can help you with an issue.
- Sending you a private key to use in your own wallet and then stealing the funds from that wallet (example).
How to avoid – You should never share your private key or seed phrase with ANYONE, and you alone should be the one generating it.
Phishing Scams
These scams usually involve sending the user a fake email that appears to come from a known service (e.g. Blockchain.com), telling him he needs to log into his account, for some reason or other, by clicking a link in the email.
When the user clicks the link in the email he’s brought to a phishing site – a copy of the original site, but at a different URL. The sole purpose of this site is to capture the user’s username and password. Once the user tries to log in, he has handed his credentials to the scammer.
How to avoid – Always be suspicious of emails asking you to log into a specific service. Double check the “from” email address and the URL in the browser you’re taken to. Also, it’s best to always reach sites directly from the browser (by typing the address or using a bookmark) and not from links.
Also, make sure the site uses an SSL/TLS connection – this means you should see a “lock” icon at the beginning of the address bar and that the URL begins with “https” and not “http”. Most phishing sites don’t have an SSL certificate, although there may be exceptions, so treat the lock as proof that the connection is encrypted, not that the site is genuine; the domain name still has to be the right one.
Finally, most services that you sign up with know your name and use it in their emails. So if you are addressed as “sir” or “dear customer”, see that as a warning.
Oh…and never open any email attachments from unknown senders.
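The checks above (right domain, https, no look-alike spelling) can be automated. The following is an added example, my own code rather than anything from the post or from 99Bitcoins, that classifies a link’s hostname against a list of domains you trust; the trusted domains and test URLs are constructed for illustration, and the look-alike rule covers the lowercase-L-for-capital-I swap that the personal story later on this page describes.

```python
from urllib.parse import urlsplit

# Characters that are easy to confuse in an address bar or email client.
# Lowercase "l" vs capital "I" is the COLNDESK/COINDESK trick described on this page.
_CONFUSABLES = {"l": "i", "1": "i", "|": "i", "0": "o"}
_PAIRS = {"rn": "m", "vv": "w"}


def skeleton(host: str) -> str:
    """Collapse look-alike characters so visually similar hostnames compare equal."""
    s = host.lower()
    for pair, rep in _PAIRS.items():
        s = s.replace(pair, rep)
    return "".join(_CONFUSABLES.get(ch, ch) for ch in s)


def classify_url(url: str, trusted_domains) -> str:
    """Return 'trusted', 'insecure', 'lookalike' or 'unknown' for the link's hostname.

    trusted_domains is an allowlist of registrable domains, e.g. ["blockchain.com"].
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "unknown"
    for domain in trusted_domains:
        d = domain.lower()
        if host == d or host.endswith("." + d):
            # Right domain; the post also insists on https, so flag plain http.
            return "trusted" if parts.scheme == "https" else "insecure"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike"  # internationalised label: can render like a familiar name
    sk_host = skeleton(host)
    for domain in trusted_domains:
        brand = domain.lower().split(".")[0]
        if brand in host or skeleton(brand) in sk_host:
            return "lookalike"  # brand name embedded in, or confusable with, another host
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links for illustration only.
    trusted = ["blockchain.com", "coindesk.com"]
    for link in ("https://www.coindesk.com/", "https://www.colndesk.com/",
                 "https://blockchain.com.secure-login.example/login"):
        print(link, "->", classify_url(link, trusted))
```

A mail filter or browser extension would run this on every link before the user sees it; anything other than "trusted" deserves a second look.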
Cloud Mining and Ponzi Scams
A Ponzi scheme is a scam promising high rates of return with little risk. The Ponzi scheme pays out the older investors with money taken from new investors. At some point, the Ponzi scheme operator usually disappears with the investors’ money.
Most Bitcoin Ponzi schemes today appear in the form of cloud mining sites or coin doublers. These are sites that promise you high daily rates of return on your coins and, after a while, disappear with your money.
How to avoid – Just use the Bitcoin Scam Test on this page before investing in anything.
My Personal Scam Story
A little over 2 weeks ago I received the following email:
At first glance, this seems to be a normal email blast sent out by Coindesk looking for advertisers. As you can see from the recipient line it was sent to the admin address of 99Bitcoins ([email protected]).
The thing is, we don’t have an admin address, it was just captured in our inbox since all email directed to 99bitcoins.com are captured.
Here’s what was suspicious about the email:
- The sender’s name – Shakil Khan. I knew who he was, he was the founder of Coindesk. Why would the founder of a huge publication be sending out cold marketing emails? Don’t they have at least a VP marketing or someone else not so high up?
- The email was sent from [email protected] – I assume that Coindesk would be sending out emails from their own domain name and not using a general Gmail address.
However, the advertising spots available were actually pretty convincing. First, the email stated specific daily impressions count.
Second, the date at which the banner would be available matched what was advertised at Coindesk. If you were to visit Coindesk at the time the email was sent you would see there was an ad there for Coinsummit that was set to expire on the 6th of July.
Finally, the Facebook URL was also pretty convincing – why would someone be starting a Facebook page that wasn’t their own? I mean if this was a scam this may lower their success rate.
After some back and forth with the (still unknown) scammer I was convinced that this was a good deal and was about to send my Bitcoins until I got the final response:
The grammar mistakes finally aroused my suspicion and I decided to send an email to a verified contact I had in Coindesk. I got the following response:
It seems that this specific email isn’t the only way these scammers try to cheat people out of their money. Some emails even have an actual Coindesk domain “from” address but if you look at the “reply to” address you see it’s the same Gmail address.
The final thing I found out was that the Facebook page mentioned in the original email was not the actual Coindesk FB page. It was a fake page pointing to COLNDESK – but if you don’t write the letter “L” in caps it looks like a capital “I”.
My alertness saved me from losing money in this case. But I think I’ve learned a much more valuable lesson – and that’s how easy it just became for scammers to take your money.
You see, until Bitcoin was introduced, scammers had to overcome complicated barriers when they wanted someone to send them money. They needed to persuade people to wire them the money or send a check.
This would require them to supply an address or a bank account, which could later easily lead to their capture. More than that, these actions require more effort and had a much lower success rate.
But with Bitcoin, cash just became digital, and scam success rates are rising because of it.
I think what I personally take from this story is to make sure I can positively verify the person that I’m sending money to, before actually sending it.
Here’s another example that’s been circling around, this time from the alleged “BitcoinTalk” forum. As you can see below, the same techniques are used here – a Gmail address, stating exact banner sizes, etc.
Bitcoin Theft
Unlike fraudsters, thieves steal Bitcoin by circumventing security measures to gain access to their victims’ funds. Online wallets and exchanges are the weakest links in terms of Bitcoin theft. The easiest way to avoid theft from these sites is not to keep any Bitcoins on them.
However, sometimes it’s inevitable to keep funds in an exchange or an online wallet. For example, if you want to trade frequently or if you’re using a certain wallet for online games.
If that’s the case, it’s important to secure your online Bitcoin accounts with a strong enough password.
Generating strong passwords
Here are some general rules for creating a strong password:
- The more characters the password has, the better. Aim for at least 8 characters.
- Try to create a mix of lower and upper case letters and non-traditional characters such as exclamation marks, hyphens and so on.
- Don’t reuse passwords from other accounts.
Of course, the best passwords are the ones that are just a random string of text, numbers, and symbols, but they are also extremely hard to remember. That’s why I strongly recommend you get some sort of password manager to help you generate and keep track of your passwords.
Another way of remembering strong passwords is using numbers and symbols in place of certain letters, as shown here:
Th!5 i5 a 5tR0ng Pa5sw0rd
Keep in mind that these substitutions are well known and are among the first variations password-cracking tools try, so they add far less strength than extra length does.
These rules should be exercised each time you open a Bitcoin related account, choose a PIN code for your wallet or choose a passphrase for encrypting a file.
For example, if possible, choose a PIN code for your mobile wallet with 8 digits instead of the standard 4.
Two-Factor Authentication (2FA)
Another very useful security measure you should use whenever possible is to enable Two-factor authentication for your accounts.
Two-factor authentication, also known as 2FA, is a method of confirming a user’s identity through two separate components. In most cases, it would be something a user has and something a user knows.
A good example of 2FA from everyday life is withdrawing money from an ATM: only the correct combination of a bank card (something you have) and a PIN (something you know) allows the transaction to be carried out.
In the case of online accounts, the something you know is the password to the site and the something you have is a mobile phone that receives a text message containing a PIN code when you try to log in.
This way, even if a hacker manages to uncover your password he still can’t log in until he physically puts his hand on your mobile device.
However, if you use a normal text message, a hacker can still manage to intercept the message as it’s being sent to your phone. That’s why it’s important to use dedicated 2FA apps, which generate the code on the device itself from a shared secret and the current time, so there is no message to intercept. Some of the more popular 2FA apps today are Google Authenticator and Authy.
Using Trusted Networks
One thing we tend to forget is what network we are using to access online Bitcoin services like exchanges and wallets. Make sure to access sensitive information only on trusted networks that are properly secured.
For example, use your password-protected home or mobile network only and never use a public wi-fi network to access a Bitcoin service. Of course, the password for your router should also follow the rules we just talked about. Public wi-fi networks are extremely vulnerable and hackers can eavesdrop on your session.
If you have to use a public network, make sure to connect through a Virtual Private Network, also known as a VPN. A VPN encrypts all the traffic between your device and the VPN server, so someone on the same public network can’t read or tamper with your session.
Another very important security measure we already mentioned is to make sure the site you’re connecting to uses an encrypted SSL/TLS connection – this means you should see https:// and not http:// in the address bar.
Additional Safety Tips
Whenever you’re sending money to an address, remember that Bitcoin transactions are irreversible. Once the money is sent, there’s no “insurance” and you can’t get it back. For this reason, make sure to always double check that the address you’re sending the money to is correct.
Never type the address in manually since Bitcoin addresses have a lot of characters and you may make a mistake. Either copy and paste the address or use the QR code of the address to scan it. If you send money to the wrong address, there’s no way to retrieve it.
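One reason a wallet can refuse an obviously mistyped address is that legacy Bitcoin addresses (the ones starting with 1 or 3) carry a 4-byte checksum in their Base58Check encoding, and the Base58 alphabet deliberately leaves out the confusable characters 0, O, I and l. The following is an added example, my own code rather than the post’s or any wallet’s, that encodes and verifies such addresses; it assumes legacy Base58Check addresses only (bech32 “bc1…” addresses use a different checksum that is not covered here), and the test payloads are constructed.

```python
import hashlib

# Base58 alphabet: no 0, O, I or l, so the characters people confuse can't even be typed.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def base58check_encode(version: int, payload: bytes) -> str:
    """version byte + payload + first 4 bytes of sha256d as checksum, then Base58."""
    raw = bytes([version]) + payload
    raw += sha256d(raw)[:4]
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))  # each leading zero byte becomes a leading '1'
    return "1" * pad + out


def base58check_decode(addr: str):
    """Return (version, payload), or None if a character is invalid or the checksum fails."""
    n = 0
    for ch in addr:
        if ch not in ALPHABET:
            return None
        n = n * 58 + ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + body
    if len(raw) < 5 or sha256d(raw[:-4])[:4] != raw[-4:]:
        return None
    return raw[0], raw[1:-4]


def is_valid_legacy_address(addr: str) -> bool:
    """True for a well-formed mainnet P2PKH (version 0x00) or P2SH (version 0x05) address."""
    dec = base58check_decode(addr.strip())
    return dec is not None and dec[0] in (0x00, 0x05) and len(dec[1]) == 20


if __name__ == "__main__":
    genesis = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"   # the well-known genesis block address
    print(is_valid_legacy_address(genesis))           # True
    print(is_valid_legacy_address(genesis[:-1] + "b"))  # False: one wrong character
```

A typo or a swapped pair of characters fails the checksum with overwhelming probability, but a checksum only proves the address is well formed, not that it belongs to the person you think it does; the copy-paste advice still stands.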
Make sure you trust the person you’re sending money to. If you don’t trust them, you can always use a third party escrow service that you both agree on. One very popular escrow service is Bitrated where you can choose known figures from the Bitcoin community as arbitrators in case of a dispute.
Finally, if you’re conducting small amount transactions, one confirmation may be enough to send over the goods to a counterparty. But if you’re dealing with large amounts, wait for at least six confirmations in order to be sure that the transaction is irreversible.
As you can see there are numerous types of Bitcoin scams, and I’ve only covered the main ones. The important thing to remember is this: Bitcoin transactions are irreversible.
So check as much as you need to make sure you’re sending money to someone you trust. Once the money is sent, there’s not much you can do about it.
Have you used the Bitcoin Scam Test? Have you been scammed or fell victim to a fraud? Let me know in the comment section below.