
Togami knew better than to have real funds on exchanges, but he still accidentally gave attackers access to his email account when he was tired and feeling rushed. (He quickly got access to his account again and was able to contact Kraken just in case.) Togami is a more sophisticated bitcoiner than most, so please take precautions.
Do not answer the phone. Companies don't call you. Eliminate single points of failure, whether to your email account or your coins.
Listen to junseth's interviews with scammers to get acquainted with how they work: #656017 #689065
Here's a recent article covering a few of these scams: #822097
261 sats \ 14 replies \ @grayruby 17h
I just default to assuming everyone who calls me that I don't know is a scammer. Email too. I once had an issue with my Amex credit card and they called me about it. I didn't believe them so I hung up and called the phone number on the back of the card and it turned out to be true but better safe than sorry.
reply
31 sats \ 4 replies \ @000w2 14h
Data only eSIMs are the way
reply
33 sats \ 3 replies \ @kepford 13h
What, no phone number is the answer to phone based scams? LOL. Sure does cut off a big vector but most people still need a phone number. VOIP numbers have the same issues.
reply
45 sats \ 1 reply \ @000w2 13h
People can call through encrypted messaging apps, for unsolicited contact there's email. Phone numbers are an anachronism.
reply
13 sats \ 0 replies \ @kepford 13h
No argument on that point. The phone system is deeply flawed.
reply
Not having a phone number is definitely the way
reply
21 sats \ 1 reply \ @ek 16h
I think I once got a call from the FBI and I just hung up thinking if it’s really them, they probably have better ways to contact me than through a cold call lol
reply
192 sats \ 0 replies \ @grayruby 16h
I once got a call from someone posing as a CRA (Canada Revenue Agency) agent trying to claim I owed back taxes and if I didn't pay immediately they would press charges. I said something to the effect of "I am glad you called, did you get my T5063 amendment in the mail?" And the guy goes on again about how I owe these taxes. And I reply "yes, I understand but if you review the T5063 amendment I sent you, you will see you actually owe me $5000 dollars, so when can I expect my payment?" and the guy hung up. That was fun.
reply
125 sats \ 5 replies \ @k00b OP 16h
It sounds like these guys are very good, like 10,000+ hours worth of practice, at convincing you they aren't a scammer. At this point, the more legit the call seems, the more suspicious we should be.
reply
79 sats \ 2 replies \ @grayruby 16h
Good point. A highly professional call might be a red flag.
reply
85 sats \ 1 reply \ @k00b OP 16h
I imagine most companies won't try very hard to convince you they are legit at least and probably aren't in a rush.
reply
71 sats \ 0 replies \ @ek 16h
Yeah, in one legit call from a bank, they just asked for my PII before they even introduced themselves, lol
They seemed surprised that I wanted to confirm we were looking at the same document.
reply
I was almost duped by a scammer on Telegram recently. He or she sends me a message: "how is it going?" My reply: "I have to evacuate today." Scammer: "do you have time to chat before you evacuate?" Me: "no, fuck you and fuck off."
userInfoBot is a great tool for unmasking users on Telegram
reply
38 sats \ 0 replies \ @kepford 13h
I think the urgency is what gets most people. They create a panic emotion and people don't think clearly under pressure.
reply
33 sats \ 0 replies \ @kepford 13h
Exactly. I default to only answering known numbers.
reply
194 sats \ 0 replies \ @Aardvark 16h
My biggest fear is actually that my dad gets wrecked. I've tried to beat it into his head to not talk to people on the phone about anything. He keeps his bitcoin on the exchange and isn't interested in moving it. It's going to be a very expensive lesson if I can't convince him to use a HW wallet.
Shit, I'd even set it up for him.
reply
17 sats \ 0 replies \ @Satosora 17h
This is happening more and more now that bitcoin has risen in price. Everyone has to take a deep breath and assess the situation before they do anything rash. I rarely hear it happening to shitcoins, but maybe it is because I am not paying attention to that kind of news.
reply
Don’t answer phone. Or voicemail
The only voicemail message that is important is wildfire evacuation
reply
18 sats \ 0 replies \ @kepford 13h
Trust no one is the policy one has to have; double that if you are a bitcoiner.
reply
13 sats \ 0 replies \ @kepford 13h
ALL companies need to start testing their employees with in-house phishing scams. I know a couple companies that do this as a service and C-level guys fall for the scams every time... Makes one wonder about them. I think busy people are very vulnerable to attack.
reply
Can TOTP-based 2FA help prevent email hijacking?
reply
150 sats \ 1 reply \ @ek 16h
Definitely, but it doesn’t make it impossible
reply
Yeah, once I asked Tutanota's customer service, and they told me it would only be from my end if I click any link or provide the OTP to a phishing site. But nowadays I am seeing everyone recommending passkey as they say TOTP is not safe. I'm really not sure why they're saying this; are they making us extra panicking?
reply
10 sats \ 5 replies \ @k00b OP 16h
It can, but not if you're using something like google auth and syncing it to your gmail account. Because once they gain access to your gmail account, they have access to your 2nd factor auth method and can login to any accounts that use those two factors. That's why many of these attackers go after the gmail account.
reply
20 sats \ 4 replies \ @NovaRift 16h
No, I don't use G Auth; I've heard it's dangerous as they don't encrypt keys. I use Aegis and Bitwarden. I have separated things so they don't get connected. Thanks.
reply
I think Google Authenticator is fine as long as you don’t enable the cloud sync feature or whatever it’s called. I haven’t done a thorough analysis of it, though.
reply
But there isn't even a point connecting everything to one service when you have such better alternatives.
Read this:
Google Authenticator does not provide end-to-end encryption, which makes it susceptible to hackers. If there's a data breach or someone compromises your Google account, all your 2FA secrets will be unprotected.
reply
Yea I’m not making such a recommendation. I’m just speaking to the sync feature
reply
100 sats \ 0 replies \ @NovaRift 16h
Gotcha! thanks.
reply