Xapo today warned its users that its security team has discovered a series of phishing attacks against them. Using tactics similar to those bad actors use to steal bank account passwords, the attackers are sending emails that initially appear to be from Xapo. They then direct customers to a malicious site that requests and records sensitive security information.
In an email to all users, Xapo said some had already fallen victim to the attacks. “Phishing” refers to attempts to trick users into thinking they’re receiving an official email from a service provider, or accessing their real account. All users need to show caution at all times when online, and look for key but subtle hints that they’re dealing with a scammer.
Xapo’s Tips to Avoid Becoming a Phishing Attack Victim
Xapo’s advice is useful for all services, not just their own. The key is to always be wary of all emails from a service you use, even the genuine ones. Never access a service by clicking on a link or button in an email; always go directly from a browser or mobile app.
1. Never enter your 6-digit SMS code on a website. The only safe place to enter it is your Xapo Mobile App.
2. Look for the secure HTTPS certificate in your address bar (it’s usually represented by a green “lock” icon next to the address).
3. Make sure you are at https://account.xapo.com/ when logging into Xapo and asked for your credentials.
4. If you are using the Xapo Web App please bookmark the correct URL and make sure to always log in from there.
5. Be suspicious of any email claiming to be from Xapo, especially those providing a link for you to log in and failing in this process.
6. Keep in mind that Xapo will never ask for your credentials in an email.
Xapo also provided the following images with the scam address, so everyone can see the difference:
What Is Phishing and How Does it Work?
The most common style of phishing attack involves copying exactly the design and user interface of a well-known site. You’ve probably seen hundreds of these that look like well-known banks, or brands like Google. It’s very simple to copy a site, but less easy to make it look 100 percent like the real one.
The URL, or web address, is often the key. If it’s even one character different from the one you know, leave immediately.
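As an added example that is not from Xapo or the original article, here is a small Python check that applies tips 2 and 3 above to a link target before you follow it: it compares the hostname (not the whole URL string) against the expected login host, requires HTTPS, and flags hostnames that are only a character or two away from the real one as lookalikes. The expected host is taken from Xapo's tip 3; the `evil.example` and `account-xapo.com` names in the comments are constructed placeholders.

```python
from urllib.parse import urlsplit

# The login origin named in Xapo's tip 3 (the only assumption beyond stdlib).
EXPECTED_HOST = "account.xapo.com"


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_link(url: str, expected_host: str = EXPECTED_HOST) -> str:
    """Return 'ok', 'not-https', 'lookalike' or 'unrelated' for a link target.

    Only the parsed hostname is compared, so a path, query string or a
    userinfo trick such as https://account.xapo.com@evil.example/ (constructed
    placeholder) cannot make a foreign host look like the real one.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if host == expected_host:
        return "ok" if parts.scheme == "https" else "not-https"
    # "One character different" (e.g. account-xapo.com, constructed placeholder)
    # or the real name buried inside a longer hostname is a classic lookalike.
    if levenshtein(host, expected_host) <= 2 or expected_host in host:
        return "lookalike"
    return "unrelated"
```

Anything other than `ok` means: do not enter credentials there; open the bookmarked login page instead, as tip 4 says.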
Xapo is a “custodial wallet” — that means it stores customers’ private keys (and thus bitcoins) on its own servers. While easier for newcomers to use, centralized storage like that is more vulnerable to hacks and scams. Anyone with your login credentials will be able to access your funds.
Xapo mitigates this risk by allowing two-factor authentication on its accounts. As always, it’s a wise idea to use it.
Are you a Xapo customer? Have you ever almost been fooled by a phishing attack? Please share your thoughts in the comments.
Images via Xapo, Wikimedia Commons