We all know those friendly little emails asking you to go to your PayPal account immediately because otherwise you will get banned. Until recently, I felt immune.
I have been working in tech for ages. I am familiar with phishing. I know how logins work and where I should look. I constantly tell my mom not to follow these emails and not to trust anyone on the internet, especially if they offer you something for free.
Now a phishing attack recently got lucky with me, and I feel so ashamed of it that I could hide in a hole. It's not about the money; it's about the fact that it happened at all. It's so hard to accept that I am not immune that I need to blog about it and tell whoever reads this.
I am a Coinbase user and bought my first mBTC through them. It was an experiment, to check if the Bitcoin thing would be fun for me. As I am new to this, I checked a few things with @CoinbaseSupport on Twitter.
That’s where the phishers got my Twitter nickname.
They asked me by DM:
“Would you like to fill out a quick survey about our services for double back on your next deposit?”
I agreed. The Coinbase people were very kind and helpful. By this time it was late, and I was already tired. I didn't understand the meaning of the English term "double back" well, so I thought it would be a little bonus of some kind, maybe some merch.
I was sent a link to a SurveyMonkey survey within a few minutes. I thought, wow, these guys are fast. I wanted to go offline, but since they had been so quick with sending me the survey, I opened the link.
The questions were:
- What would be one single thing you would improve on Coinbase?
- What were the things you really would like to see improved?
It looked valid. I get surveys like that pretty often. Nothing special, and since they had recently been helpful, I didn't mind. I told them by DM that I had completed the survey. Before I could leave, they sent me another message:
“Confirmed. Here’s your personalized double deal: [surveymonkey] Expires in 2 hours. We greatly appreciate your feedback and input.”
I went back to SurveyMonkey and was asked to send some money to a Bitcoin wallet. I would get back double the amount, up to 3 BTC.
I was not thinking, so I just sent something worth 100€. I thought, it's just two questions, it would be too expensive for Coinbase to pay me more. I am a nice guy, I guess.
Immediately after hitting the send button, I felt my cheeks go red, and adrenaline was pumping, even before I realized I knew this was all crap.
A single BTC cost 370€ at that time. Who would ever pay up to 1000€ just for a 2-minute survey? I had expected some cool stickers at most, but … Of course, why the heck did my brain not stop me?
My explanation is: they kept me in some “workflow”. If they had given me one second to breathe, they would have lost me.
You cannot reverse Bitcoin transactions. You don't know who the recipient is. Nobody serious would ask you to send money so that they can send it back to you. No company like Coinbase would do that, especially not via SurveyMonkey. If anything, they would just send an mBTC to your account without any further action on your part.
It's stupid, and I don't know why my mental firewall failed so hard. Please don't laugh at me. I am ashamed enough.
The things which I believe led to the successful phishing attack:
- I was not expecting an attack over Twitter. Email yes, Twitter no.
- I did not check the Twitter name carefully enough. It was spelled CoinbaseSuport, missing a P.
- I didn't use all the information available to check that it was valid. For example, "max 3 BTC" was way too much for a 2-minute survey.
- I was too tired. NEVER do any financial transactions when you are tired.
- Never believe you are immune to phishing. It's arrogant, and it's wrong. I spoke to a few people after it happened, and they all told me how they had failed like me or how they had stopped the phishing attack at the last second.
- Take your time to get used to new technology. Bitcoin is like cash, but I was used to PayPal, where I can hit the "help me" button.
- Never send money without an invoice :)
- Never send money when somebody tells you that you need to do it within a short time frame.
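The lookalike-handle mistake in the list above (CoinbaseSuport instead of CoinbaseSupport) is the one item that a machine can catch for you. The following is an added example, not code from the original post or from Coinbase: it compares a handle against a short allowlist of known-official support handles and flags anything within a couple of edits. The allowlist, the threshold of two edits and the function names are assumptions for illustration; @CoinbaseSupport is the handle named in the post.

```python
# Added example: flag Twitter handles that look like a known-official
# support account but differ by a few characters (e.g. a dropped letter).
# The allowlist and the threshold below are assumptions for illustration.

OFFICIAL_HANDLES = {"coinbasesupport", "coinbase"}  # constructed allowlist


def normalize_handle(handle: str) -> str:
    """Strip a leading '@' and surrounding whitespace, then lowercase.
    Twitter handles are ASCII letters, digits and underscores, so case
    folding is the only normalization needed."""
    return handle.strip().lstrip("@").lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the minimum number of single-character
    insertions, deletions and substitutions that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_handle(handle: str, official=OFFICIAL_HANDLES, max_distance: int = 2):
    """Return ('official', name) for an exact allowlist match,
    ('lookalike', name) when the handle is within max_distance edits of
    an official one, and ('unknown', None) otherwise."""
    h = normalize_handle(handle)
    if h in official:
        return ("official", h)
    best = None
    for name in official:
        d = edit_distance(h, name)
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, name)
    return ("lookalike", best[1]) if best else ("unknown", None)


if __name__ == "__main__":
    # Constructed sample handles: the real one, the one from the post,
    # and an unrelated name that should not match anything.
    for h in ["@CoinbaseSupport", "@CoinbaseSuport", "@Coinbase_Help"]:
        print(h, "->", classify_handle(h))
```

This is a spot check, not a verdict: an impostor that picks a completely different name (or one more than two edits away) comes back as "unknown", not "official", and the allowlist itself has to come from the company's own website. Anything that is not an exact match of a handle you looked up there yourself should be treated as untrusted.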
And so on, and so on. There are too many failures that I can tell here.
On the other hand, I should send these clowns another 100 bucks. They taught me that attacks can happen anywhere. They taught me that cybercrime is a real thing, and that I should pay attention, as we all need to have our personal firewall up all the time.
After letting go of my anger, I am happy this will not happen again so quickly. But honestly: it will happen.
Keep your mental firewall up!
You can find me blogging on my website: https://www.grobmeier.de
Or on Twitter: https://www.twitter.com/grobmeier
And of course, on LinkedIn.