My wife recently got a voice mail from a dude claiming to be a police officer. She was suspicious and instead of calling him back she called the police office directly and found out no officers there have that name or number.
Scamming is increasing on many fronts. People have to be skeptical and careful. It seems like I have a friend of family member telling me about a scam attempt every couple of weeks.
Law enforcement is both inequiped and unmotivated to stop it. That is not gonna change. I don't see legislation fixing this either. We just have to be educated and help those in our circles.
I'm active in my small community and we hear our local community contact from the county Sheriff warn us about scams every month. The weaknesses aren't unfixable. People just don't understand it yet. I think most just still think there should be some easy fix that doesn't require thinking and changing behavior.
I've been thinking about offering a free workshop for my church regarding online security. Basic stuff. Not sure how many would be interested but I think it's worth trying.
Do NOT use Google Authenticator! So many mistakes in this story but that one sticks out to me as one many may not be aware of.
attackers had used his Gmail account to gain access to his Coinbase account from a VPN connection in California, providing the multi-factor code from his Google Authenticator app. Unbeknownst to him at the time, Google Authenticator by default also makes the same codes available in one’s Google account online.
My kids were screaming so I put my seed into a phishing site lol best line ever, and here I am in a quiet controlled environment sweating when I do something as simple as generate a new public key.
fuck, imagine having all 40 btc on one single device and also having a pic of the seed phrase on google photos. maybe some hubris of being in early.
scams are so fucked, these days, not only do I never click on any email link, period, I don't engage with any calls from people saying it's the bank and I don't click on anything from text messages. anything crypto linked to a different address etc
i never even call back numbers.
what a waste of energy though, having to independently verify every number etc
from article:
Griffin said that after receiving the pop-up prompt from Google on his phone, he felt more at ease that he really was talking to someone at Google. In reality, the thieves caused the alert to appear on his phone merely by stepping through Google’s account recovery process for Griffin’s Gmail address.
“As soon as I clicked yes, I gave them access to my Gmail, which was synched to Google Photos,” Griffin said.
Unfortunately for Griffin, years ago he used Google Photos to store an image of the secret seed phrase that was protecting his cryptocurrency wallet. Armed with that phrase, the phishers could drain all of his funds.
“From there they were able to transfer approximately $450,000 out of my Exodus wallet,” Griffin recalled.
Just days after Griffin was robbed, a scammer impersonating Google managed to phish 45 bitcoins — approximately $4,725,000 at today’s value — from Tony, a 42-year-old professional from northern California. Tony agreed to speak about his harrowing experience on condition that his last name not be used.
Tony got into bitcoin back in 2013 and has been investing in it ever since. On the evening of May 15, 2024, Tony was putting his three- and one-year-old boys to bed when he received a message from Google about an account security issue, followed by a phone call from a “Daniel Alexander” at Google who said his account was compromised by hackers.
Tony said he had just signed up for Google’s Gemini AI (an artificial intelligence platform formerly known as “Bard”), and mistakenly believed the call was part of that service. Daniel told Tony his account was being accessed by someone in Frankfurt, Germany, and that he could evict the hacker and recover access to the account by clicking “yes” to the prompt that Google was going to send to his phone.
The Google prompt arrived seconds later. And to his everlasting regret, Tony clicked the “Yes, it’s me” button.
Then came another call, this one allegedly from security personnel at Trezor, a company that makes encrypted hardware devices made to store cryptocurrency seed phrases securely offline. The caller said someone had submitted a request to Trezor to close his account, and they forwarded Tony a message sent from his Gmail account that included his name, Social Security number, date of birth, address, phone number and email address.
Tony said he began to believe then that his Trezor account truly was compromised. The caller convinced him to “recover” his account by entering his cryptocurrency seed phrase at a phishing website (verify-trezor[.]io) that mimicked the official Trezor website.
“At this point I go into fight or flight mode,” Tony recalled. “I’ve got my kids crying, my wife is like what the heck is going on? My brain went haywire. I put my seed phrase into a phishing site, and that was it.”
Almost immediately, all of the funds he was planning to save for retirement and for his children’s college fund were drained from his account.
“I made mistakes due to being so busy and not thinking correctly,” Tony told KrebsOnSecurity. “I had gotten so far away from the security protocols in bitcoin as life had changed so much since having kids.”
Tony said the theft left him traumatized and angry for months.
“All I was thinking about was protecting my boys and it ended up costing me everything,” he said. “Needless to say I’m devastated and have had to do serious therapy to get through it.”
"Then came another call, this one allegedly from security personnel at Trezor, a company that makes encrypted hardware devices made to store cryptocurrency seed phrases securely offline. The caller said someone had submitted a request to Trezor to close his account, and they forwarded Tony a message..."
"Close his account". This is not how blockchains work. How does someone in Bitcoin for 12-13 years not know this? It would be explained in the Trezor 'beginners' education section. ???
“It’s interesting because copyright infringement really is an act that you’re claiming against the publisher, but for some reason these companies have taken a very hard line against it, so if you even claim there’s copyrighted material in it they just take it down and then they leave it to you to prove that you’re innocent,” Junseth said. “In Soundcloud’s instance, part of declaring your innocence is you have to give them your home address and everything else, and it says right on there, ‘this will be provided to the person making the copyright claim.'”
(This part is really important: Google Authenticator cloud settings)
When Junseth asked how potential victims could protect themselves, Daniel explained that if the target doesn’t have their Google Authenticator synced to their Google cloud account, the scammers can’t easily pivot into the victim’s accounts at cryptocurrency exchanges, as they did with Griffin.
By default, Google Authenticator syncs all one-time codes with a Gmail user’s account, meaning if someone gains access to your Google account, they can then access all of the one-time codes handed out by your Google Authenticator app.
Those things not mutually exclusive.
I know some people like multi-signature. At least that way he couldn't give out a seed phrase if drunk/tired/lack of judgement etc. For those amount of sats seems worth it imo
If you can help even one person avoid ever having this happen, then you're doing the right thing. Educate others.
I recently reconnected with a friend from high school that I haven't spoken to in many years. He wanted to get started with bitcoin. He said he had already purchased some from Coinbase, but it's just on their server where he bought it. He has never used a wallet yet.
Here's a screenshot of the last of the stuff I told him:
“I know I definitely made mistakes, but I also know Google could do a lot better job protecting people,” he says
This sucks but if after all he did and all that happened he thinks google should do more to protect people he has learned nothing. One of the main problems bitcoin solved is trusted third parties.
Every single hardware wallet manufacturer, every. single. one says explicitly under NO circumstances should you provide a seed phrase to anyone else
from an exchange
from tech support
from a 'crypto' company
or to anyone else.
In addition, the explicit guidance from every. single. company that makes HW wallets IS DO NOT TAKE A PICTURE OF YOUR SEED PHRASE. IT IS IN BOLD IN THE INSTRUCTIONS
Gmail and Google are entry points for phishing attacks
I fell victim to a toll road scam a few months ago.
Long story short: it was user error, i.e. I was gullible.
Fortunately I didn't lose any money because Discover sent me a security alert and locked my account after a couple suspicious Uber Eats orders of 20 bucks and 90 bucks. I knew something was off because I rarely order 90 bucks on Uber Eats and I don't use Discover for food/takeout
I had the same thing a few months ago - 'grub hub' order for like 60$ and I've never used them. Called the credit card company and reported it/had the card cancelled etc.