Phishing attacks are nothing new on the internet. While most are relatively amateurish (the African Princess), some are quite well put together and will fool most people who are not paying attention. Phishing incidents are becoming more frequent in the virtual coin industry, and the latest group targeted appears to be customers of BitPay, one of the largest cryptocurrency payment platforms in the world.
image: Bitpay via Imgur
Different companies react differently to events like this, but BitPay is already stepping up to the plate with a public statement to Cointelegraph about what happened and where the attack came from. BitPay's public statement is as follows:
There has been an email phishing attempt spoofing BitPay’s late payment notification email. As always, BitPay’s security is the main priority. There has not been a breach to our system. It’s very unfortunate that these malicious attacks have been made on the bitcoin community.
These emails came from firstname.lastname@example.org - any link in an email from this address should not be clicked. This email address is not a legitimate BitPay email address. Many of BitPay’s system emails do come from email@example.com (please note the lack of an underscore in the correct address).
The phishing attempt was mimicking a late payment notification from BitPay. A screenshot of the attempt can be found here: imgur.com/SHOEqpO. The attack prompts the receiver to click a link to invoice-bitpay.com - this is not a BitPay site.
As soon as the phishing attempt was identified, BitPay reported the fraud attempt to the domain company and was able to have the site (invoice-bitpay.com) taken down.
If a BitPay client has already clicked on the phishing link and entered a username and password, PLEASE go to https://bitpay.com/merchant-login and click on the Forgot Password button to reset the password immediately!
To stay vigilant and avoid any breaches, always look for the green BitPay, Inc SSL certificate indicator in the browser window. Always be extra cautious about checking the domain name and EV SSL certificate when entering a password. If you use a personal computer with good password protection, let your browser store and populate user IDs and passwords for you - the browser will not mistakenly enter your password on a phishing site. BitPay also strongly advises all of its merchants to enable Two-Factor Authentication on their accounts.
BitPay is continually working with its merchant base to educate them on the best security practices. Please reach out to firstname.lastname@example.org if you have any further questions.
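BitPay's statement calls out two indicators: a sender address that differs from the real one by a single underscore, and a link to a domain that merely contains the brand name (invoice-bitpay.com) rather than being bitpay.com or one of its subdomains. The following Python check, added here as an illustration and not part of the article or of BitPay's own tooling, flags both patterns in a message; the sample email, its sender address and its link are constructed placeholders, not the real indicators.

```python
"""Flag sender and link hosts that reuse a brand label outside its real domain."""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

LEGIT_DOMAIN = "bitpay.com"  # the only domain (plus subdomains) treated as genuine

# Constructed sample modelled on the late-payment lure described in the article.
# The sender address and link below are placeholders, not the actual indicators.
SAMPLE_PHISH = """\
From: BitPay Notifications <notify@bitpay-mail.example>
To: merchant@example.org
Subject: Late payment notification

Your invoice is overdue. Review it at https://invoice-bitpay.com/login
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_legit_host(host: str, legit: str = LEGIT_DOMAIN) -> bool:
    """True only for the exact domain or a real subdomain of it."""
    host = host.lower().rstrip(".")
    return host == legit or host.endswith("." + legit)


def lookalike(host: str, legit: str = LEGIT_DOMAIN) -> bool:
    """A host that contains the brand label but is not under the legitimate domain."""
    label = legit.split(".")[0]
    return label in host.lower() and not is_legit_host(host, legit)


def analyze(raw: str, legit: str = LEGIT_DOMAIN) -> dict:
    """Extract the sender host and every link host, and list the lookalikes."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = email.utils.parseaddr(str(msg["From"]))[1]
    sender_host = sender.rpartition("@")[2]
    body = msg.get_body(preferencelist=("plain",)).get_content()
    link_hosts = [urlparse(u).hostname or "" for u in URL_RE.findall(body)]
    suspicious = [h for h in [sender_host] + link_hosts if lookalike(h, legit)]
    return {"sender_host": sender_host, "link_hosts": link_hosts, "suspicious": suspicious}


if __name__ == "__main__":
    print(analyze(SAMPLE_PHISH))
```

A host such as bitpay.com.evil.example is also caught, since the check tests the domain suffix rather than looking for the brand name anywhere in the host.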
Phishing attacks are very easy to avoid if you keep just a few rules in mind. Remember that reputable websites never ask for passwords, usernames or personal information in emails. Certain file types, such as .jar attachments, are also common in these attacks because mail filters are often not designed to recognize them as potentially hostile.