Beware of Coinbase Scams

I got this Coinbase-related scam in my personal inbox last week.

Coinbase is one of the world’s largest cryptocurrency exchange sites. So big and trusted, it’s the first cryptocurrency exchange to be added to the US S&P 500.  

I’ve been a Coinbase member from the beginning, so this email got my attention.

I was pretty skeptical from the start, and upon further exploration, it was definitely a scam.

The scam works by sending this email to a large number of people, and some percentage of recipients are likely to be Coinbase users (like me). The scam is to convince potential Coinbase victims that a hacker has somehow broken into their Coinbase account and added a new wallet address, which can then be used to steal the member’s value stored with Coinbase.

Wallets are the way that cryptocurrency users send and receive items of value (e.g., cryptocurrency, NFTs, contracts, etc.). Every wallet is protected by a private/public asymmetric key pair. Any user can share their public key and not be compromised, but must keep their private key…well…private. If someone knows your private key, they can essentially take control of your wallet or use it in unauthorized ways. 

Wallet addresses are unique strings of numbers and letters derived from a cryptocurrency user’s wallet’s public key. Anyone can share their public “wallet address” with another to send and receive things of value to one another. 

In this scam’s case, fake Coinbase tech support is claiming that someone else’s public wallet address has been inserted into the Coinbase user’s account as a place that can receive value from the involved user. If this were real, it would be a big deal, because it would mean the user’s Coinbase account was somehow compromised, and a thief had inserted their wallet address as a place where they could transfer (i.e., steal) the user’s Coinbase account value. 

Cryptocurrency users are always fearful of scams and hacking. It happens all the time in crypto circles. If hackers know you have significant value in your cryptocurrency account, they will attack you with everything they have got. Cryptocurrency holders are among the most targeted potential victims by scammers. And it goes well beyond simple online scams. There are many cases of rich cryptocurrency holders being physically assaulted, kidnapped, and even murdered, so that other hackers can get to the user’s cryptocurrency wallet. Thumbs have been cut off. It’s serious stuff!

I think most cryptocurrency holders with any significant holdings are hyperaware that they are high-risk targets. So, this scam preys on that fear by pretending to be Coinbase “proactively” warning you about a fraudulent crypto theft from your account. 

I don’t think Coinbase would ever send this type of warning. If they did, they would likely include some sort of URL that points directly back to their legitimate domain, coinbase.com. Instead, this email scam has no clickable URL to anywhere. 

The only way to contact “Coinbase” via the email is an 833 area code phone number, which if you call, will certainly be answered by someone claiming to be in Coinbase tech support. 833 area code numbers – if you didn’t know – are a virtual area code not linked to a particular geographic region and very, very commonly used by scammers.

The phone number isn’t “clickable.” Nothing in the email is “clickable.” That’s because it makes it harder for any anti-scam detection software or service to locate and enumerate the information unless they also have optical character recognition (OCR) abilities, which most detection software do not.

If you got fooled and called this number, they are going to ask you for your Coinbase account details…to supposedly prove you are a legitimate Coinbase member. They will ask you for your login information or reset your account, and ask you for the reset code sent to your phone to take over your account. Or they will ask you for your private key to your wallet. Most cryptocurrency neophytes do not realize the importance of the private versus public key of their wallet and will readily tell anyone who asks them for it. 

The scammers will get enough information to steal value from the victim. The victim wasn’t robbed before, but they are now.

What makes the scam even more believable is its incredible timing (intentional or not). A few hours after seeing this email, I also read the news of Coinbase really being hacked and part of its customer information (including possibly mine) obtained by hackers. So, if you didn’t know better, you might think this “emergency” missive from Coinbase was real.

The scam email timing was likely just a coincidence, because if the scammers meant to trade on the fear of the latest scam they would have probably mentioned it and pointed to a related news article in the scam email. But it goes to show you that coincidence and timing sometimes play into the success of scams. I’ve had friends get scammed because they received a fake Uber notice just as they were getting into an Uber, and so on. 

Coincidences happen. Scam coincidences happen.

Defenses
Always be suspicious of any unexpected message arriving (no matter how it arrives: email, social media, chat app, in-person, etc.) and asking you to do something you have never done before. These types of messages are very high risk. So, if any message meets these two criteria, research the request using an alternate trusted method first before performing the requested actions. This applies to any email or message request, not just one involving Coinbase.

Of course, if you did suspect this message was real, you should go to www.coinbase.com and contact their technical support using the contact methods listed on the website. You should never use the contact information provided in the message itself. That’s just asking for trouble.

I’ve also heard of Coinbase users being called by scammers, who often have some of the member’s Coinbase information (usually login name, public key, or other identifying information), who try to do the same scam. This scam doesn’t always start with an email. But they do all end up with you talking to one or more heavily accented “tech support” people who will tell you how you must act now and provide the requested information, or your crypto wallet will be drained.

Luckily for me, I’m always skeptical of any newly arriving message trying to emotionally motivate me to do something quickly. Well, that and I only had $0.03 in my crypto wallet anyway and the scammers were going to be spending a lot of effort to take my “riches.”