Educating the Trezor Community about privacy and online safety is one of the main goals of this blog. We talk about security a lot and often, but there’s never been a better time to educate the masses about digital security than now. The whole world is turning digital, and Bitcoin is steadily reinforcing its position in our society.
There’s one security issue that thousands of people keep falling for even after all the negative publicity and media coverage it gets. Social engineering, specifically phishing, is a malicious activity that is almost immune to technological advancements. The whole principle of phishing is built around the fallibility of human judgment and perception. The attackers will lure or mislead the victim into sharing their private data, such as credit card numbers, social security numbers, passwords, or nowadays — recovery seeds.
We already wrote an article about phishing and all the different kinds of attacks and risks that are awaiting all of us out there. We recommend reading it first, because in this article we will take a look at only one specific attack, but from a different point of view.
It’s no secret that cryptocurrencies and projects surrounding them are one of the most common targets of all kinds of different attacks. Robbed exchange users, stolen recovery seeds, and all the other associated threats paint a negative public image for crypto. To many newcomers, it might feel like they’re painting a target on their back in addition to any risks created by investing in a volatile self-custody asset. Bitcoin’s dominant market position and thousands of inexperienced new users make it an ideal target for malicious actors.
Bitcoin is attractive to the “bad guys” for exactly the same reasons that make it attractive to the masses. Irreversible transactions, a relatively high level of anonymity, lack of regulatory protection, and open global infrastructure make stealing cryptocurrencies very appealing to scammers, who would have had to spend much more effort doing other types of scams.
It is important to note, however, that people fall for these scams not because of Bitcoin’s attributes, but because of the way the attackers trick the victims. It is essential to change how you operate when using Bitcoin and other cryptocurrencies to become resistant to phishing attacks. Cryptocurrencies, and Bitcoin in particular, are unlike any other asset we’ve ever seen before, and it will take some time before all of their users learn how to use them safely and privately. The same attributes we see as benefits, such as decentralization, self-custody, or privacy, are also where many newcomers get burned. Incorrectly recorded recovery seeds, typos in the wallet address, or malicious attacks can all result in the loss of your assets and an immediate change of attitude towards Bitcoin.
We realize how important and valuable your digital assets are, and there’s nothing we hate more than seeing someone lose their hard-stacked sats. But don’t despair; with the right security practices and tools, you can get very close to security perfection.
Protecting your recovery seed against phishing with Trezor
One of the most common phishing attacks in crypto is fake websites impersonating wallets, exchanges, or other services, asking unaware users to enter their recovery seed. With Trezor, you’re fully protected against remote threats, and with the right practices and a strong passphrase, you’re also safe against physical attacks targeting your recovery seed.
But what about phishing?
We thought of that too. Although there’s no way to entirely prevent phishing from happening without users’ awareness, we have designed Trezor to behave in a particular manner whenever a recovery seed is required.
The most common attack you could come across when it comes to Trezor is malicious phishing websites impersonating our official sites. It’s not uncommon for these websites to even appear as promoted ads in search engines or verified profiles on social media impersonating our accounts.
In most cases, there’s only one target of the attack — your recovery seed. The attackers will attempt to trick you into entering your recovery seed into a look-alike wallet recovery form that pretends to be a request coming from your Trezor device.
It’s often relatively easy to recognize these attacks, because none of the fraudulent sites ever really communicate with the Trezor device. You might accidentally stumble upon such a site and notice the arbitrary pop-up errors and recovery forms come up even though your Trezor is still disconnected. Remember, the order in which you are required to enter your recovery words during the recovery process is always displayed on the screen of your Trezor device, never on the computer screen. However, sometimes we make hasty decisions and mistakes. We will list all the practices to help you stay away from making a mistake like this, but first, let’s mention what happens when your recovery seed gets exposed in this way.
The order of the recovery words is always dictated on the display of Trezor hardware wallets, never inside the wallet interface.
After entering your recovery seed into a phishing form like the one above, everything gets instantly recorded on the server of the attackers controlling the phishing website. Afterward, the attackers will attempt to recover your wallet based on the provided recovery words and empty your balance. If this ever happens to you, it’s essential to stay calm and immediately access your wallet via Trezor Wallet and move your coins to an unexposed wallet.
This is the scenario that we don’t want you to experience, and it’s straightforward to prevent.
We guarantee that you’ll never fall for phishing if you follow these steps:
- Trust your device. Look for confirmation on the screen, especially when it involves transactions or your recovery seed. There’s a reason we call it a Trusted Display.
- Make sure the URL is exactly: https://wallet.trezor.io.
- Bookmark https://wallet.trezor.io to avoid misspelling it in the address bar of your browser. We do not recommend accessing Trezor Wallet via search engines.
- Although the HTTPS certificate symbol 🔒 next to a website’s name may not be a guarantee of the authenticity of the site, be alarmed if it is missing.
- Never give your recovery seed to anyone, and be especially careful with everyone who’s asking for it, including Trezor Support. There’s no reason why anyone would need your recovery seed to troubleshoot and our agents will never ask for it.
- Carefully observe the website addresses and watch out for any misspellings or odd characters.
- Use updated security software, install security patches, and update your computer on a regular basis.
- Avoid clicking on URL links in an email or on social media unless you are absolutely sure that they are authentic. Hover over the links and images to see the URL before clicking on it and verify that you’re accessing an official webpage.
- Pay particularly close attention to shortened links, especially on social media.
- Be vigilant. Do some research first before you decide to trust a third-party service with your sensitive information, such as your extended public keys (XPUB).
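
The URL checks in the list above (exact address, HTTPS, misspellings, odd characters) can also be automated, for example in a mail filter or link preview. The following is an added example, not code from Trezor; the function names, the result labels and the typo threshold are assumptions, and the sample links are constructed.

```javascript
// Added example: classify a link against the single official origin named above.
const OFFICIAL = new URL('https://wallet.trezor.io');
const MAX_TYPO_DISTANCE = 2; // assumption: edits that still count as a "misspelling"

// Levenshtein distance, used to spot near-miss spellings of the official host.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0]; // d[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const up = row[j]; // d[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(up + 1, row[j - 1] + 1, diag + cost);
      diag = up;
    }
  }
  return row[b.length];
}

function checkLink(link) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return 'unparseable';
  }
  // The WHATWG parser lowercases the host and converts non-ASCII labels to xn-- form.
  const host = url.hostname;
  if (url.origin === OFFICIAL.origin) return 'official';
  if (host === OFFICIAL.hostname) return 'right-host-wrong-scheme-or-port';
  if (host.split('.').some((label) => label.startsWith('xn--'))) return 'odd-characters';
  if (editDistance(host, OFFICIAL.hostname) <= MAX_TYPO_DISTANCE) return 'misspelling';
  return 'not-official';
}

// Constructed sample links (not taken from the page or from real incidents).
const SAMPLES = [
  'https://wallet.trezor.io/',
  'http://wallet.trezor.io/',
  'https://wallet.tr\u0435zor.io/', // Cyrillic "е" in place of Latin "e"
  'https://wallet.trezzor.io/',
  'https://short.example/abc', // shortened link: destination cannot be judged from the URL
];
for (const s of SAMPLES) console.log(checkLink(s).padEnd(34), JSON.stringify(s));
```

Only the `official` result means the link points at the address given in the list; every other result, including a shortened link, should be treated as untrusted. A matching URL still does not replace checking the Trezor screen.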