An account verification scam is a type of scam in which the user is led to believe he needs to verify his account in order to continue using a service. If the user falls for the scam and proceeds to verify his account, all of his assets will be lost.
The purpose of the account verification scam is to obtain the secret recovery phrase and/or the private key of the victim’s wallet. Once obtained, the attacker can easily transfer all of the victim’s funds to himself.
The attacker impersonates the support team of a crypto-based service (OpenSea, for example), claiming that all users have to verify their accounts in order to continue using the service. The attacker controls the landing page (website) on which the fake account verification takes place and can see all the information that the victim enters on it. Once the private key and/or the secret recovery phrase is entered on the fake account verification page, the attacker has full control of the victim’s wallet.
The potential victims of the account verification scams are users who already have accounts on crypto-based services and who are afraid they will lose access to the services if they do not verify their accounts.
How does the account verification scam work?
In order for the attacker to succeed, the user has to take the following actions:
- The user has to open the email sent by the attacker.
- The user has to click the link to the verification page provided in the email. If the user clicks the link, the user is forwarded to the account verification landing page controlled by the attacker.
- All of the information inputted by the user is seen by the attacker. The user is prompted to provide a private key and/or the secret recovery phrase of his wallet in order to verify the account.
- If the user proceeds with the verification and provides his private key and/or secret recovery phrase, his wallet will be hijacked and all of his assets will be stolen.
How to protect yourself?
In order to protect yourself from these types of scams, always remember to never share your private key or secret recovery phrase with anyone. If anyone asks you for your private key, they are trying to scam you.
For maximum protection:
- Verify the source of the emails sent to you. Do not open spam emails. Do not click links inside spam emails.
- Consider using a password management system.
- Keep your private key and your secret recovery phrase to yourself. Do not share them with anyone.
- Make sure you are connecting your wallet to legitimate websites only. Bookmark your commonly used exchanges and web3 sites. Double-check the URLs. If something looks suspicious it is probably a scam.
- Consider using a cold wallet for storing your crypto assets.
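One way to automate the "double-check the URLs" advice, as an added example that is not part of the original article: the script below extracts every link from an email body and compares its real hostname against a list of bookmarked domains. The bookmark list, the function names and the sample message are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist standing in for the reader's own bookmarks (assumption).
BOOKMARKED = {"opensea.io", "exchange.example"}

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def classify_link(url, bookmarked=BOOKMARKED):
    """Return (verdict, reason) for one link; verdict is 'ok' or 'suspicious'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    if parts.scheme != "https":
        return "suspicious", "not https"
    if parts.username or parts.password:
        # Text before '@' is userinfo, not the host the browser connects to.
        return "suspicious", "userinfo before host"
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return "suspicious", "internationalised lookalike host"
    for domain in bookmarked:
        # Exact match or a true subdomain; a bare suffix check would be too loose.
        if host == domain or host.endswith("." + domain):
            return "ok", "matches bookmark " + domain
    for domain in bookmarked:
        if domain.split(".")[0] in host:
            return "suspicious", "brand name in non-bookmarked host"
    return "suspicious", "host not bookmarked"


def audit_email(body, bookmarked=BOOKMARKED):
    """Map every link found in an email body to its verdict."""
    return {u: classify_link(u, bookmarked) for u in URL_RE.findall(body)}


# Constructed sample message; the .example hosts are placeholders.
SAMPLE = """Dear user, verify your account within 24 hours:
https://opensea.io.verify-account.example/login
https://opensea.io@wallet-check.example/verify
Official site: https://opensea.io/account
"""

if __name__ == "__main__":
    for link, (verdict, reason) in audit_email(SAMPLE).items():
        print(f"{verdict:10} {link}  ({reason})")
```

A link that passes this check is only shown to point at a bookmarked domain; no legitimate page will ask for a private key or secret recovery phrase.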
Stay safe out there.