Bitcoin phishing fraud (and how we're fighting it at Luno)
Every day it seems that more Bitcoin phishing scams come to light. In this article, we will review the main types of phishing fraud, what you can do to protect yourself against it, and the extensive measures we take to fight it.
The most common types of Bitcoin phishing scams
As we’ve written before: Bitcoin fraud happens in many ways, but one of the most persistent forms is the phishing scam.
With phishing scams, people trick you into giving away your account information. These scams are not unique to Bitcoin; they happen in most industries, like finance, e-commerce, payments, social media and email.
Since Bitcoin is money that cannot be reversed once it has been sent, if you accidentally give someone your Luno account information, your money will be gone for good.
Below are the most common ways people get tricked.
With email phishing, you may receive an email that appears to be from Luno, but in fact comes from a scammer, asking you for information or leading you to a fraudulent website.
This email clearly comes from a scammer, as is evident from the email address. The link takes you to a phishing website.
Phishing websites are set up to look like Luno’s website, but everything entered there (like your username and password) gets recorded and can give scammers access to your actual Luno account.
Telephone or SMS phishing
With phone phishing someone may call you or send you a text message, claiming to be from Luno, to get you to give up your account password or other information.
We’ve also seen an increase in advertising phishing, especially Google Adwords phishing scams. When you do a search for “Luno” on Google, someone might be running adverts that look like they’re taking you to the legitimate Luno website but instead take you to a lookalike phishing site, where your information gets stolen.
A phishing advert that tries to get you to click through to a phishing website.
How you can protect yourself against Bitcoin phishing
You can protect yourself against phishing scams and most other attacks, simply by enabling two-factor authentication.
With two-factor authentication enabled, you will need two things to gain access to your account: your username and password (something you know) and a one-time PIN that gets generated on your mobile phone (something you have).
This means that even if you accidentally gave away your username and password to a scammer, they won’t be able to access your account, since they won’t have access to your mobile phone. It’s simply the best thing you can do in the next five minutes to make sure your account doesn’t get accessed by anyone but you.
Check the URL
Consider using the Luno app for Android, available on Google Play, or iOS, available on the App Store. If you are using the website, always make sure that you double-check the domain name in the browser before logging in. It should say www.luno.com (and most browsers will display a green padlock next to it).
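The domain check described above, written out as an added example (it is not Luno's code). The sample URLs are constructed for illustration and use the reserved example.net domain; the function name `check_login_url` is hypothetical.

```python
from urllib.parse import urlsplit

EXPECTED_HOST = "www.luno.com"  # the hostname the article says to look for

def check_login_url(url):
    """Return (ok, reason) for a URL a user is about to log in on."""
    try:
        parts = urlsplit(url.strip())
        host, port = parts.hostname, parts.port  # hostname is lower-cased
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not HTTPS"
    if parts.username is not None:
        # In https://www.luno.com@other.host/ the text before '@' is only a
        # username; the browser connects to the host that follows it.
        return False, f"real host is {host}; text before '@' is a decoy"
    if host is None:
        return False, "no host"
    if port not in (None, 443):
        return False, f"unexpected port {port}"
    if not host.isascii() or "xn--" in host:
        return False, "non-ASCII or punycode host (possible homograph)"
    if host.startswith(EXPECTED_HOST + "."):
        # The genuine name appears only as leading labels of another domain.
        return False, f"{EXPECTED_HOST} is just a prefix of {host}"
    if host != EXPECTED_HOST:
        return False, f"host is {host}"
    return True, "host matches exactly"

# Constructed sample URLs (not taken from real phishing campaigns).
SAMPLES = [
    "https://www.luno.com/login",
    "http://www.luno.com/login",
    "https://www.luno.com@login.example.net/",
    "https://www.luno.com.example.net/login",
    "https://www.lun\u043e.com/",          # Cyrillic 'о' in place of Latin 'o'
    "https://luno.example.net/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, reason = check_login_url(sample)
        print(f"{'OK  ' if ok else 'STOP'} {sample!r}: {reason}")
```

Only the first sample passes: each of the others shows the name "luno" somewhere in the address bar while the browser would connect to a different host.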
We wrote a more detailed article on how to keep your accounts secure, including securing your email account, securing your social media accounts, implementing a password management tool and two-factor authentication.
How Luno is fighting Bitcoin phishing fraud
Since day one, we have been committed to keeping our customers and our platform safe from harm. We do this by balancing user experience, monitoring, security and customer education. We take many proactive steps to protect Luno customers and work hard to keep the ecosystem educated and secure.
Luno isn’t just a wallet, it’s a smart wallet. We show contextual information to customers: someone in Nigeria might see a list of merchants relevant to her location, a customer in Malaysia may see the Malaysian ringgit exchange rate and information about local meetups.
We apply this logic in educating our customers, too. When an account becomes attractive to hackers (when it has a positive balance), we guide customers to help them secure their account.
As mentioned earlier: two-factor authentication is one of the simplest, most secure ways to protect your account(s). We provide this feature on all Luno accounts; customers simply have to activate the optional (and highly recommended) feature.
If you don’t have two-factor authentication enabled on your account and we notice any suspicious activity (like login attempts from strange devices or locations), we have systems in place to warn you and protect your funds, such as requiring a one-time PIN (OTP) to log in.
We have registered for trademarks on the word “Luno” in many countries around the world, which helps curb fraudsters creating fake advertisements in many countries.
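A sketch of the step-up rule described above, added here as an example and not Luno's implementation. The `Account` fields, the device and country labels and the `otp_ok` flag (whether the person logging in could supply the one-time PIN) are assumptions, and the login events are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    two_factor_enabled: bool = False
    trusted_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    warnings: list = field(default_factory=list)   # notices sent to the owner

def required_challenge(acct, device, country):
    """What a login with a correct password must still prove."""
    if acct.two_factor_enabled:
        return "2fa"                    # always asked, whatever the risk
    reasons = []
    if device not in acct.trusted_devices:
        reasons.append("new device")
    if country not in acct.usual_countries:
        reasons.append("new location")
    if reasons:
        acct.warnings.append(f"{' and '.join(reasons)}: {device}/{country}")
        return "otp"                    # step up: ask for a one-time PIN
    return "none"

def login(acct, device, country, otp_ok=False):
    """Return True if a session is granted for this (correct-password) login."""
    if required_challenge(acct, device, country) != "none" and not otp_ok:
        return False                    # a phished password alone is not enough
    # Only a login that passed its challenge teaches the system a new device,
    # so a failed attempt never makes the attacker's device trusted.
    acct.trusted_devices.add(device)
    acct.usual_countries.add(country)
    return True

# Constructed events: (device, country, could the caller supply the OTP?)
EVENTS = [
    ("phone-A", "ZA", False),    # owner on the usual phone
    ("laptop-X", "NG", False),   # stolen password, unknown device, no OTP
    ("laptop-X", "NG", False),   # retry: still challenged
    ("tablet-B", "ZA", True),    # owner's new tablet, OTP supplied
    ("tablet-B", "ZA", False),   # tablet is now trusted
]

def replay(events):
    acct = Account(trusted_devices={"phone-A"}, usual_countries={"ZA"})
    return [login(acct, *event) for event in events], acct

if __name__ == "__main__":
    results, acct = replay(EVENTS)
    print(results, acct.warnings)
```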
We also have systems in place to automatically scan for phishing attempts and other fraudulent behaviour.
Once we identify a phishing website, we take quick action to bring the fraudsters down. This includes, but is not limited to:
- Reporting the suspicious domain to all the major search engines
- Reporting the domain to the domain registrar for removal
- Copyright takedown requests (for using our logo and content)
- Reporting the emails to the mail sender as fraudulent
- Running scripts that pollute the phishing site with nonsense usernames and passwords, which could stall the fraudsters' efforts
- Reporting phishing advertisements to the relevant platforms
In addition to the actions we take and the notices and nudges inside the Luno products, we use multiple communication channels to help educate customers.
We often pay to distribute educational content about scams and phishing.
As an example, at the height of the OneCoin and MMM Ponzi schemes in Nigeria, we ran paid advertisements and sponsored posts on Facebook and Twitter, targeting individuals who had liked or followed these dubious schemes.
That’s right: we spent money out of our own pocket to tell people to stay clear of these schemes. There was negative backlash from some of the participants at the time and it resulted in us losing customers and revenue, which other less scrupulous platforms were happy to pick up.
We constantly write new content, focused on online security and protecting yourself against Bitcoin scams.
These are some of our most popular articles:
- Identifying Bitcoin scams
- Google ads phishing scams (and how to avoid them)
- How to prevent your Bitcoin account from getting hacked
- Tips to avoid Bitcoin scams
We send a mix of targeted and general emails to our customers. We frequently feature stories on the ever-evolving landscape of Bitcoin —the good and the bad— with suggestions on how to stay safe.
Even though Bitcoin is currently unregulated in most countries, we’ve taken the decision to implement existing rules and regulations from the financial services industry. There are many exchanges and wallets that don’t have know-your-customer (KYC), anti-money laundering (AML) and anti-terror financing (ATF) measures in place and as a result, these platforms have a much cheaper business model in acquiring customers (since they will accept anyone).
We don’t just do this because we know that regulation will eventually come to the industry; we do it to prevent criminal actors from operating on our platform (in particular) and in the industry (in general).
There is no “silver bullet” that can provide absolute security, but there’s a lot that we can do (and are doing) as leaders in the industry.
We will continue to fight and stay well ahead of potential fraudsters, to keep building our smart platforms that don’t sacrifice usability and we will keep working hard to educate customers on how to secure themselves and their money online.