11 imperatives to defend your bitcoin from modern scammers

Originally published on the Unchained blog.

As the value of your bitcoin grows, a less fortunate number tends to grow alongside it—the number of criminals who want to trick you and steal your bitcoin. 

Swindlers from around the world are eager for the opportunity to take your hard-earned savings away from you, and they are constantly learning what methods are most effective. These days, they are capable of highly elaborate schemes, carefully designed to appear innocent or legitimate. In order to defend yourself, you must be vigilant, and learn about the common mistakes to avoid.

Bitcoin is still a relatively new technology, and most people aren’t familiar with the details of how it functions. Additionally, bitcoin is an important financial tool for all ages, which includes older generations that are especially vulnerable to social engineering attacks and other scams. Helping a family member to hold bitcoin—or even holding bitcoin yourself—can feel intimidating.

In this article we offer 11 rules for you and your loved ones, which can substantially reduce the risk of falling victim to these schemes, and allow you to hold bitcoin with confidence.

1. Don’t store your bitcoin wealth on exchanges

Many bitcoin buyers will choose to keep their bitcoin with the exchange account where they purchased it, instead of managing their own bitcoin keys. By using a custodian, they might feel like they are absolving themselves of responsibility for keeping their bitcoin safe. However, this couldn’t be further from the truth.

Safely using a third party bitcoin custodian requires learning how to: use a password manager, use 2FA (TOTP not SMS!), secure a computer, secure a phone, secure an email account, etc. And that’s assuming the exchange doesn’t get hacked. It’s not as simple as people claim!

-Michael Goldstein, President of the Nakamoto Institute

Scammers frequently target exchange accounts, because something as simple as a compromised email might be enough to eventually grant the thief access to the account, and the ability to withdraw funds. Importantly, when compared to a traditional bank or brokerage account, the stolen money can’t be insured in the same way (nobody can create more bitcoin to reimburse victims), and it can be more challenging for authorities to discover the identity of the criminal actor.

Recently, an anonymous scammer participated in an impromptu interview call which was recorded and published. Towards the end of the call, the scammer admits that people wishing to protect themselves should withdraw their bitcoin from exchanges and move it to self-custody:

“Don’t keep money in any exchanges. Keep your money in [self-custody, such as by using] a Trezor or a Ledger, and don’t give [your keys] out to anyone, no matter what they say… I wouldn’t keep money in Coinbase, Binance, Kraken, anything. Because… you can easily hack that.”

-Anonymous scammer during impromptu interview

2. Never share your seed phrase with anyone—ever!

When you hold bitcoin in self-custody rather than an exchange, the surface area for a possible attack decreases dramatically. Less technical expertise is required to reach an effective level of security, and there are fewer components to protect. Still, you must familiarize yourself with these components and understand their sensitivity. 

Primarily, self-custody involves protecting a seed phrase. A seed phrase is a set of words that are randomly generated by specialized equipment, and are extremely resistant to other people being able to guess them. It ultimately represents a private key which can unlock and spend the bitcoin out of your self-custody wallet. If someone else gets your seed phrase, that person will have the same level of access to your bitcoin as you do.

For this reason, seed phrases are another popular target for con artists. If they can convince you that you need to share your seed phrase with them in order to protect your bitcoin, or to receive the technical support you need, then they will be able to steal your entire wallet balance.

Under no possible circumstances should you ever share your seed phrase with a stranger. Even if the person you are communicating with seems kind and helpful. Even if they explain that the situation you are in is a unique exception to this rule. If they are asking for your seed phrase, then they are not trying to assist you, they are proving to you that they are a thief, and you would be wise to cease communications immediately.

As a final note, while there are cases where storing a seed phrase on a trusted family member’s property can make sense (such as while using multisig), sharing your seed phrase with a trusted loved one comes with significant risks. If you share the key to a wallet, access to that wallet cannot be revoked, even if your relationship with that person changes. Additionally, if that person is targeted by a scammer and doesn’t deeply understand the importance of the seed phrase, then they may fall victim and lose your money for you.

3. Never expose your seed phrase to a computer or phone

If you are protecting any bitcoin amount beyond pocket change you wouldn’t care to lose, then you should be using a cold storage wallet. This means that the seed phrase has never been exposed to an internet-connected device, where a remote hacker might be able to gain access. 

A hardware wallet is the primary tool used to create this cold storage custody structure. Hardware wallets are specialized equipment designed to securely generate your seed phrase, and keep it secluded and protected even while interacting with an internet-connected device. However, if you bypass this security by taking a picture of your seed phrase with your phone’s camera, or by typing your seed phrase into a laptop computer, then your wallet can no longer be defined as cold storage. Security for that wallet would be permanently damaged. Instead of digital storage, you should store your seed phrase physically, by writing it on paper or stamping it into metal.

Thieves will attempt a variety of methods to acquire seed phrases digitally. If they can get into your email, password manager, photos, notes app, or computer more broadly, they will run searches looking for seed phrase words. However, as long as you have kept your seed phrase physical, your bitcoin would remain safe and inaccessible to the attacker.

Another approach from scammers is to try to convince you to type your seed phrase into a malicious program. There are many fake programs that are designed to look like legitimate ones from reputable companies. For example, scammers have built copies of Ledger Live and Trezor Suite that will ask you to type in your seed phrase when the program is opened. An unsuspecting user who falls for this trap would soon find out that their bitcoin has been stolen. You can protect yourself from these types of scams by simply refusing to type your seed phrase into any electronic device which isn’t a hardware wallet.

4. Follow best practices when acquiring hardware wallets

As we covered in the prior section, a hardware wallet is an important device to help you generate and protect your seed phrase. Therefore, it’s also important that you choose to use one from a well-known manufacturer with a good reputation. For example, currently some of the most popular hardware wallet brands are Trezor, Ledger, Coldcard, Blockstream, Bitbox, and Foundation. It’s prudent to conduct your own thorough research before choosing the equipment you want to use.

Once you’ve decided on the hardware wallet model you want to buy, it’s important to purchase it from a reputable source. Buying directly from the manufacturer is ideal, rather than a second-hand anonymous dealer on eBay or Amazon. It’s not worth saving a few dollars in cost, if there is a chance the device you receive has been modified or compromised in some way. Some hardware wallet manufacturers also provide a list of authorized resellers and links to official Amazon stores, which they consider safe places to purchase your device (example webpage from Trezor).

After receiving your hardware wallet, it’s also a good idea to inspect the packaging to check if it appears to have been tampered with or previously opened. Many hardware wallets have safety seals on the box or device itself, which should be intact until you remove them yourself. If anything is suspicious, you can reach out to the manufacturer for advice. Otherwise, you can feel confident using your new hardware wallet. Advanced users may also choose to check the device firmware, to ensure that it matches an official release from the manufacturer.

5. Don’t use seed phrases or accounts provided to you

Some scammers may try to get your seed phrase from you, as we’ve covered earlier in this article. However, others may try a different approach, which is to get you to send bitcoin to a seed phrase or wallet which the scammer already has access to. 

You should never use a seed phrase you received from any place other than the hardware wallet you acquired safely, as described in the previous section. Additionally, when you receive a new hardware wallet, the card or booklet provided should be blank, for you to write down your seed phrase yourself. The purpose of your hardware wallet is to help you privately generate a new seed phrase which has never existed before. You should be the only person bringing that seed phrase into the physical world.

A common tactic among scammers is to warn you that your bitcoin isn’t safe where it currently is, due to a bug, vulnerability, or security breach. Next, they may provide you with a “temporary” account, wallet, or seed phrase in a manner which is designed to make you feel like it belongs to you, or even that you created it yourself. While it might feel like self-custody, and a safer place for your bitcoin to go, the opposite is true. As soon as the bitcoin is moved, the scammer will have access to your bitcoin and steal it from you. 

6. Slow down when transferring bitcoin

Scammers want their victims to act before thinking. They will use a variety of tricks to distract you from considering your options or reaching out to a trusted source for help, such as by claiming your funds are in immediate danger. Moving your self-custody bitcoin around quickly because you are fearful is almost always a bad idea. As long as you’ve been following best practices to protect your seed phrase, you shouldn’t have anything to worry about, and any attempts to convince you otherwise ought to be treated with extreme skepticism.

It’s wise to move slowly and carefully when performing a transaction, and be diligent about checking any destination addresses provided. Attackers may try to convince you to send your bitcoin to their address, as a temporary measure to protect your bitcoin. Or, they may put a malicious program on your computer, which can replace an address you’ve entered with a different address that belongs to them. If bitcoin is sent to their address, they will have succeeded in stealing it. 

You should never send any bitcoin to an unsolicited address. Instead, you should only send bitcoin to an address which has been given to you by someone else if you actually intend to pay that person. If you are paying that person a large amount, it may also be prudent to try a test transaction first, and have them confirm they’ve received it, to prove you are using the correct address before you send the larger amount.

If you are trying to receive bitcoin, your wallet software will provide you with an address which you can share with the sender. If you’d like to verify that the address your software is showing you is really controlled by your own keys and not someone else’s, your hardware wallet should be able to perform this extra safety check procedure. For example, on the Unchained platform, you always have the option to use one of your hardware wallets to confirm your deposit address.
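As an added example for this section (not code from the original article or from Unchained), the following Python checks the checksum of a bech32 or bech32m bitcoin address and then compares the address you intended to pay against the one that ended up in the send form. The addresses used are BIP173 test vectors, not real recipients. The point it demonstrates is the one made above about address-swapping malware: a single mistyped character fails the checksum, but a substituted address is a perfectly valid address, so only a comparison against the source (or a confirmation on the hardware wallet’s own screen) catches it.

```python
# Bech32 / bech32m (BIP173 / BIP350) checksum check, plus a character-by-character
# comparison of the address you meant to pay against the one in the send form.
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GENERATOR = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
BECH32_CONST, BECH32M_CONST = 1, 0x2BC830A3


def _polymod(values):
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i, g in enumerate(GENERATOR):
            if (top >> i) & 1:
                chk ^= g
    return chk


def _hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def encode(hrp, data, const=BECH32_CONST):
    """Build an address from witness version + program (as 5-bit groups); used for a round-trip test."""
    pm = _polymod(_hrp_expand(hrp) + data + [0] * 6) ^ const
    checksum = [(pm >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in data + checksum)


def check_address(addr, expected_hrp="bc"):
    """Return (ok, detail). ok means the checksum validates and the encoding matches the witness version.
    A valid checksum only proves the string was not mistyped; it says nothing about who controls it."""
    if addr != addr.lower() and addr != addr.upper():
        return False, "mixed-case string"
    addr = addr.lower()
    sep = addr.rfind("1")  # '1' is not in the bech32 alphabet, so the last one is the separator
    if sep < 1 or len(addr) > 90 or len(addr) - sep - 1 < 7:
        return False, "malformed"
    hrp, body = addr[:sep], addr[sep + 1:]
    if hrp != expected_hrp:
        return False, f"prefix {hrp!r} is not {expected_hrp!r}"
    if any(c not in CHARSET for c in body):
        return False, "character outside the bech32 alphabet"
    data = [CHARSET.index(c) for c in body]
    version = data[0]
    const = _polymod(_hrp_expand(hrp) + data)
    if const == BECH32_CONST and version == 0:
        return True, "bech32, segwit v0"
    if const == BECH32M_CONST and 1 <= version <= 16:
        return True, f"bech32m, segwit v{version}"
    return False, "checksum failed"


def differing_positions(expected, actual):
    """Indexes where the two strings differ (case-insensitive); an empty list means identical."""
    e, a = expected.lower(), actual.lower()
    return [i for i in range(max(len(e), len(a))) if i >= len(e) or i >= len(a) or e[i] != a[i]]


if __name__ == "__main__":
    intended = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"  # BIP173 test vector (P2WPKH)
    swapped = "bc1qrp33g0q5c5txsp9arysrx4k6zdkfs4nce4xj0gdcccefvpysxf3qccfmv3"  # BIP173 test vector (P2WSH)
    print(check_address(intended[:-1] + "q"))      # one typo: the checksum catches it
    print(check_address(swapped))                   # a substituted address checks out fine...
    print(differing_positions(intended, swapped))  # ...so compare it to the source, not just validate it
```

In practice the comparison should be against the address shown by the recipient’s own channel (their invoice, or the receive screen of your hardware wallet when you are paying yourself), and a test transaction for a large payment, as suggested above, is the final confirmation that the comparison was done against the right thing.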

7. Move cautiously when reaching out for assistance

If you are experiencing technical difficulties while interacting with your bitcoin, it can be frustrating or worrisome. You may feel desperate for quick assistance to relieve the stress. However, moving fast can have dangerous consequences. If you aren’t careful, you might visit the wrong website or call the wrong phone number, and end up talking to a scammer, who will give you malicious advice.

It’s important to only accept advice and technical support from established businesses with a strong reputation. For example, if you are having trouble with a hardware wallet, you can look for answers on the manufacturer’s official website, or reach out to their official support team. If you have a question about your exchange account, you should discuss the matter directly with the exchange service. 

However, a tactic among scammers is to set up fake websites or social media accounts designed to imitate the official, legitimate one you might be searching for. To protect yourself, you should remember to slow down and examine the details, such as the website URL, or whether or not the social media account is verified and has an expected number of followers. If anything looks suspicious at any point, refrain from proceeding and use a different method to locate the official webpage. 
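The URL check described above can be made mechanical. What follows is an added example (not code from the original article or from Unchained) that flags the common lookalike tricks: a trusted vendor name buried in someone else’s domain, a domain one or two characters away from the real one, non-ASCII or punycode characters that render like Latin letters, and a plain http link. The allowlist of vendor domains is an assumption made for the demo; fill it with the domains printed in your own device documentation or packaging, not with domains found through a search engine or a message you received.

```python
# Lookalike check for a URL before you trust the "support" or "download" page behind it.
from urllib.parse import urlsplit

# Constructed allowlist for this demo (assumed, not taken from the article): replace with the
# official domains of the vendors you actually use, copied from their printed documentation.
TRUSTED_DOMAINS = {"trezor.io", "ledger.com", "coldcard.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels; a production tool would consult the public-suffix list (co.uk, etc.)."""
    return ".".join(host.split(".")[-2:])


def assess_url(url: str, trusted=TRUSTED_DOMAINS):
    """Return (verdict, reasons) with verdict one of 'trusted', 'suspicious', 'unknown'."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").rstrip(".")
    reasons = []
    if not host:
        return "suspicious", ["no hostname in URL"]
    if parts.scheme != "https":
        reasons.append("not served over https")
    if any(ord(c) > 127 for c in host):
        reasons.append("non-ASCII character in hostname (possible homoglyph)")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label in hostname")
    reg = registered_domain(host)
    if reg in trusted:
        # Exact registered domain match: trusted unless something above already looked wrong.
        return ("trusted" if not reasons else "suspicious"), reasons
    for t in sorted(trusted):
        if t in host:
            reasons.append(f"embeds trusted name {t!r} but the registered domain is {reg!r}")
        elif edit_distance(reg, t) <= 2:
            reasons.append(f"registered domain {reg!r} is within 2 edits of {t!r}")
    return ("suspicious" if reasons else "unknown"), reasons


if __name__ == "__main__":
    # Constructed sample links for the demo; none of the lookalikes is a known real site.
    for link in ("https://trezor.io/start", "https://trez0r.io/support",
                 "https://trezor.io.support-desk.com/login", "https://tr\u0435zor.io/"):
        print(link, "->", assess_url(link))
```

An “unknown” verdict is not a pass: it only means the domain is neither on your allowlist nor close to it, which is exactly the situation where you should locate the official page by a different route, as the paragraph above advises.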

A huge benefit of a collaborative custody partnership is that you can establish a relationship with professional bitcoin experts who can assist you with a wide range of questions and challenges, across many different software products and devices. Services like this may provide a Support PIN feature to help you verify that the person you’re speaking with is a legitimate employee.

8. Be skeptical if you didn’t initiate contact

Even if you aren’t actively seeking technical assistance, scammers may still be looking for opportunities to target your bitcoin. They will often take the approach of reaching out to you unexpectedly by phone call, text message, or email. The contact attempt can be carefully designed to mimic an official alert, warning you that something may be wrong with one or more of your financial services or tools, such as your hardware wallet, exchange account, or even traditional bank account. These attempts are designed to induce fear, and cause victims to act quickly without thinking carefully.

By text or email, scammers will often try to get you to click a link. Other times, they will simply ask for a brief response, which can appear more innocent. If you do respond, they will seize the opportunity to reach out to you with further communication, which can cause you to feel like you are the one who initiated the discussion. It’s important to take a step back and remember who really started the conversation!

To protect yourself, you should be very skeptical whenever you’re not the one who initiated the contact. If you get an alert by text or email, don’t click any links or respond directly. Instead, if you think the alert might be legitimate, reach out to the pertinent institution separately through official channels. For example, you could call your bank by using the phone number on their official website, rather than a phone number provided to you in the alert message, and then ask the representative if the alert is authentic.

If you receive a phone call from an unknown number, consider refusing to answer. After all, if it’s important the caller should leave a voicemail, giving you more time to move with caution and consider its legitimacy. Once again, if it seems like a legitimate alert, you should reach out to the appropriate institution separately through official channels, rather than calling back the number provided in the voicemail. If you do answer the phone and begin dealing with a person in real time, don’t be afraid to hang up and call the institution separately. Being rude is far better than being the victim of a crafty financial attack.

9. Don’t let strangers on the internet earn your trust

Many readers will recognize this as obvious advice that has been around for a very long time. However, it’s worth mentioning that in recent years, the methods of fooling people have become much more sophisticated and successful.

As an example, let’s examine the following screenshot:

While this can appear to be a wholesome conversation on social media, that’s far from the truth. Every participant shown is actually a fake robot, despite having typical usernames and profile pictures representing real people. The scammer in this case has engineered an artificial discussion, designed to excite readers about the possibility of making a lot of money quickly. By using multiple profiles, it looks like there are several individuals offering testimonials about someone named “Michelle Stewart” who has solved their financial problems. The bots even claim she is licensed, and try to be relatable by admitting that they “were skeptical at first.” The conversation ends by providing contact information for “Michelle” which the reader could use to fall into the scammer’s trap.

Scams on social media platforms or similar websites, such as the one above, are unlikely to take the approach of scaring you with an alert about your financial accounts or bitcoin keys, because it wouldn’t be credible. Instead, they often try to get your attention by suggesting the possibility of making a lot of money, particularly without much time or effort. If you see posts like these, a good default reaction is “this is too good to be true,” because in most cases, it is. 

The goal of a scammer using these methods is to begin communicating with you in a private setting. This way, good people observing a public conversation and recognizing the scam won’t be able to step in to alert you. To protect yourself, you should ignore strangers contacting you in private direct messages, and you should also avoid unsolicited invitations to chats in Telegram, WhatsApp, Signal, Discord, and other similar applications.

10. Limit the people who know details about your bitcoin

As you learn more about bitcoin, it’s easy to become passionate about the subject and want to talk about it with family, friends, and acquaintances. Spreading the information can be a good thing, but it’s wise to be mindful of the possible implications. Knowledge of your involvement with bitcoin can also spread, and eventually make its way to people you don’t trust. You could be unknowingly setting yourself up as the target for a scammer who realizes you have bitcoin savings.

To help protect yourself, it’s important to distinguish general information about bitcoin from information pertaining to your personal bitcoin balances. For example, if you decide to talk to an acquaintance about why you believe bitcoin is an important technology, don’t provide any clues about how much bitcoin you own. Never reveal the locations of where you keep your seed phrases or hardware wallets. Avoid using social media to talk about the brands of hardware wallets you use, or other equipment and services you’ve chosen to help protect your bitcoin savings. This information could be very useful to an attacker who wants to trick you.

Some services intended to assist you with the protection of your bitcoin will need to know information of this nature. A collaborative custody partner will often be able to see your balances, and can provide consulting when it comes to your equipment selection and storage strategies. Collaborative custody can be extremely valuable to help ensure you have the right education, technical assistance, and inheritance plan. Still, it’s important to be aware of the tradeoffs whenever you enter into a partnership, and it doesn’t hurt to ask questions about what information is required or optional to reveal.

11. Use multisig wallets to protect large balances

The most common type of bitcoin wallet that beginners use is only protected by one hardware wallet and one seed phrase. This is called a singlesig wallet, and while it can be easy and convenient, it always comes with a single point of failure. If the seed phrase or hardware wallet is lost, destroyed, stolen, revealed, or compromised in some way, the bitcoin can be lost forever.

However, a singlesig wallet is not the only option. As bitcoin holders become more experienced, they will learn that multisig wallets offer a higher degree of security. Multisig wallets can remove all single points of failure, so that no one item or piece of information can be lost or stolen that will cause you to lose access to your bitcoin. This is particularly effective at thwarting scammers, because even if they succeed in getting a piece of sensitive information involved with protecting your bitcoin, they would be disappointed to discover that more pieces are needed.

You can learn more about the different approaches to bitcoin custody and their tradeoffs in this comprehensive article comparing them. To summarize, a singlesig wallet might be a good option for smaller balances, but multisig is highly recommended for larger balances.

Final thoughts

We hope you found some or all of the items on this list to be helpful considerations as you defend your bitcoin savings for years to come. Although it isn’t all-encompassing, and there are other pieces of good advice available, these eleven rules should serve as a strong foundation to protect yourself, and to share with friends and family members who are attempting to do the same.

If you would like to learn more about protecting bitcoin, and perhaps engage in a partnership with trusted experts who can help you set up and operate bitcoin wallets according to all the best practices, we invite you to schedule a free consultation with our team at Unchained!

If you are already an Unchained client, please take advantage of our account security features including two-factor authentication, support PINs, and video verification. If you have any questions regarding how to protect your account, visit our Knowledge Base or reach out to us directly using the Support button on the left menu of your account.
