Bitcoin hit a new high Wednesday, topping $20,000, and is continuing to rise. Maybe today is the day that you finally are ready to take the plunge and buy your first few satoshis. Before you do, here are a few suggestions to avoid falling victim to some of the bitcoin scammers and hucksters who will try to take advantage of people who are still new to the wild world of cryptocurrencies.
Do your research
The first step in the journey is to set up a wallet to store your bitcoin safely. There are plenty of bitcoin wallets on the App Store and Google Play. Just be sure to read the reviews and research the wallets before you decide on one. You want to be confident you are depositing your newly acquired bitcoin funds into a legitimate wallet that will actually keep your crypto safe and not stolen from you.
Read more: How to Store Your Bitcoins
You’ll also need to decide on an exchange where you will be able to buy your first bitcoin. There are plenty of exchanges out there and come with varying degrees of security. Most will require some form of identity verification before you can set up an account, so be prepared.
When it comes to wallets and exchanges, be sure the site you visit is reputable before you send any money. A slick website is not necessarily the sign of a legitimate business. Similarly, just because a wallet app is listed in an app store, that doesn’t guarantee it’s safe. Even if they are legitimate, the cryptocurrency world has seen exchanges and wallets hacked time and time again.
Read more: How Can I Buy Bitcoin?
Check out how long an exchange or wallet company has been around. Look for reviews and feedback, review sites such as Reddit and read through a company’s social media history. Do a news search for whatever company you’re researching because most reliable exchanges and brokers have likely been covered by prominent media outlets.
Protect your bitcoin keys
Bitcoin isn’t like your bank. There is no helpline you can call, no fraud department that might help you sort out a transaction and no way to block a “suspicious transaction.” The ethos of bitcoin is that it exists beyond the traditional financial system and gives ultimate control to the user.
Read more: How FinCEN Became a Honeypot for Sensitive Personal Data
On the one hand, this means you aren’t paying overdraft fees or having the government gain access to your personal data through your financial transactions. On the other hand, there is no centralized authority who is going to step in and save you if you share your keys and have your bitcoin stolen. In some ways, it’s the ultimate test of personal responsibility.
If you’re just entering the space, it’s worth embracing one of the core ideas of bitcoin – “not your keys, not your coins.”
A wallet generates two types of keys: a private key and a public key. The public key is used to create public addresses. These are the addresses that you will share with others to receive bitcoin.
A private key, however, should be kept absolutely private. This is the key you’ll need to encrypt and decrypt your wallet and is fundamental to making sure your bitcoin is secure. If you don’t control the private key to the wallet you’re storing your bitcoin in, then you really don’t control your bitcoin.
Sharing is not caring
Once again, don’t ever share your private key with anyone, and definitely don’t do it online.
Furthermore, when you create a wallet you’re often provided with a seed phrase. Also known as a backup phrase or recovery phrase, this is a group of words generated once upon wallet creation, and you’re instructed to write them down and store them in a safe place. The reason you’re usually instructed to write them down is so they aren’t stored on your computer, where they’re vulnerable.
This seed phrase is used to recover bitcoin funds on-chain and, as such, is often another target of scammers.
There is a reason that “not your keys, not your coins” is a common refrain. If a scammer gets your keys or your seed phrase they can clean your wallet out.
So step one, keep your private key private and your seed phrase safe.
Phishing scams: Check your links
Always be on the lookout for phishing scams. Phishing attacks are a favorite among hackers and scammers. In a phishing attack, an attacker typically impersonates a service, company or individual by way of email or other text-based communication, or by hosting a fake website. The goal is to trick a victim into revealing his or her private keys or sending bitcoin to an address the scammer owns.
These emails often look like they’re legitimate. For example, scammers have sent out fake emails that look like CoinDesk newsletters. Users of the hardware wallet Ledger have seemingly gotten emails from the company encouraging them to download a security fix when in reality, it was from scammers posing as company representatives.
These are just a couple of examples, but phishing attempts come in many forms, and not just email. You may get scammers impersonating other people on social media sending you links. You may get phone calls.
Read more: Scammers Are Forging CoinDesk Emails – Here’s How to Protect Yourself
Phishing scams come in many forms but the goal is to get you to give up data or information that could be used to compromise your digital security – and jack your bitcoin.
In any such unsolicited email, make sure you look at the sender’s address. A key clue in any phishing email is a slight misspelling of a real address or URL. For example, with the Ledger phishing scam, the email was from a “legder.com” URL, which is misspelled. An attacker will try to make the incoming email seem as real as possible, so always double-check. Another tip is to hover over any link to see where it is leading. Just because bitcoin.org is highlighted with a link does not mean it actually goes to bitcoin.org, for example.
A great habit to get into is to bookmark sites you regularly use to access your funds. Only visit those sites through your bookmarked addresses – not through an email link. That way you know you are only using legitimate URLs.
Read more: Social Engineering: A Plague on Crypto and Twitter, Unlikely to Stop
As Paul Walsh, CEO of the cybersecurity company MetaCert, told CoinDesk earlier this year, the vast majority of malware is delivered via email phishing and malicious URLs.
“Most security issues that involve dangerous URLs go undetected and, therefore, [are] not blocked,” he said.
In other words, Gmail’s spam filter isn’t going to catch everything, nor are those in more advanced security software.
No one is going to give you free bitcoin
Finally, take it slow and be cautious. There are more advanced hacking and scamming techniques out there. I’ve spoken with crypto users who have been scammed out of thousands of dollars by con men pretending to be investors in their companies, who carried out the scam over the course of months. I’ve seen cases where people gave “traders” their private keys so they could turn a profit, only to see their wallets slowly drained.
Earlier this year, for example, Twitter was hacked and prominent accounts from Elon Musk to Barack Obama to CoinDesk started tweeting, essentially, that if you sent them some bitcoin, they’d send you back more.
There are bitcoin scam ads out there on YouTube that are featured on legitimate cryptocurrency shows, even though they advertise crypto giveaways and pyramid schemes.
See also: YouTube’s Whac-a-Mole Approach to Crypto Scam Ads Remains a Problem
Fake exchanges are sending messages on Discord and other communication channels, promising free bitcoin to people who open accounts and make minimum deposits. (Spoiler alert: You won’t get free bitcoin and you’ll never get your deposit back.)
And the list of creative ways that scammers will try to take advantage of you goes on.
While it might seem farfetched that people would fall for these sorts of bitcoin scams, the Twitter hackers netted over $140,000 worth of bitcoin at the time, which is worth roughly $320,000 today. Overall, a report by blockchain analytics firm Crystal Blockchain found that 113 security attacks and 23 fraudulent schemes resulted in the theft of approximately $7.6 billion worth of crypto assets since 2011.
This applies even if you think you might be too smart to be scammed. Fraudsters come in all shapes and sizes, often playing into your own psychology.
“We assume that only other people fall for cons and scams and it will never happen to us,” said Dr. Paul Seager, a professor of social and forensic psychology at the U.K.’s University of Central Lancashire. “That makes us feel a bit more secure about ourselves and bolsters our self-esteem. ‘We’re not stupid. We don’t fall for these kinds of things,’ but that self-serving bias lures us into complacency.”
So remember: Keep your private key secret, double-check every URL and if something seems too good to be true, it probably is.