... and lost 2 years worth of work and patience in 15 minutes.
Note: I wrote this in a hurry and will probably edit and add other reflections.
If you find this helpful and still think somebody who was dumb enough to fall for this is worth listening to, follow me on Twitter, where I've become much more active lately.
It all started with an email. I usually don't even check my email lately, but for some reason, just before going to dinner, I was checking my inbox and saw this email. It piqued my interest as XTZ was mentioned.
Edit: That screenshot is hard to read; this one will give you a better idea:
On Gmail this hit my regular inbox and was not marked as potential spam or anything. Note that in the screenshot below I have subsequently marked the email as a scam, so there is a label now.
My first clue could have been the email domain, email.punchbowl.com. I was in a hurry, so obviously I didn't notice it. CoinDesk is something that I frequently read, so the email was not suspicious at first glance.
If you start reading the letter, Hyperbaking by Tezos is only mentioned as the second headline. They are not selling hard here. I'm pretty sure that if they had made this email all about Tezos, it would have been more suspicious. These are some slick marketing and copywriting techniques.
Sure enough, I go to the webpage associated with this, and it's pretty slick and looks legit.
But look at the email link: it also uses a custom domain. If I had been paying attention, this could have been clue number 2.
Next I'm redirected to this website. Clue number 3: the actual domain of the website is slightly misspelled. Again, I could have caught on to this, but didn't.
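The three clues above (a sender domain that does not belong to the brand in the display name, a link whose target domain differs from what is shown, and a look-alike domain that embeds or resembles a real one) are mechanical enough to check before clicking. The script below is an added example and not code from the original post. The sample message is constructed from the clues described here, the trusted-domain allowlist is hypothetical, and `registrable()` is a naive last-two-labels approximation rather than a public-suffix-list lookup.

```python
"""Flag common phishing tells in a raw email: brand/sender domain mismatch,
link text vs. link target mismatch, and look-alike domains."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical allowlist: the domains the reader really expects mail and
# wallet links from. Anything else that mentions these brands is suspect.
TRUSTED_DOMAINS = {"coindesk.com", "tezos.com"}

# Constructed sample modelled on the clues in the post; not the real email.
SAMPLE_EMAIL = """\
From: CoinDesk <newsletter@email.punchbowl.com>
Subject: Hyperbaking by Tezos
Content-Type: text/html

<p>Read on <a href="https://coindesk-news.co/hyperbaking">coindesk.com</a></p>
<p>Open your wallet at <a href="https://wallet-tezos.com/">wallet-tezos.com</a></p>
<p>Archive: <a href="https://www.coindesk.com/archive">coindesk.com</a></p>
"""


def registrable(host):
    """Naive eTLD+1: keep the last two labels (email.punchbowl.com -> punchbowl.com).
    Good enough for .com; a real tool should consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None if it is trusted
    or unrelated. Catches both typosquats (coindesk.co) and brand-embedding
    domains (wallet-tezos.com)."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if levenshtein(domain, trusted) <= 2 or brand in domain:
            return trusted
    return None


def analyse(raw):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    # Clue 1: display name claims a brand, but the envelope domain is someone else's.
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable(addr.split("@")[-1])
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if brand in display.lower() and sender_domain != trusted:
            findings.append(f"sender: display name '{display}' but mail from {sender_domain}")

    # Clues 2 and 3: where each link really goes, and whether that domain is a look-alike.
    body = msg.get_payload()
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.S):
        link_domain = registrable(urlparse(href).hostname or "")
        shown = text.strip().lower()
        # Only compare when the visible text itself looks like a hostname.
        if re.fullmatch(r"[a-z0-9.-]+", shown) and registrable(shown) != link_domain:
            findings.append(f"link: shows {shown} but goes to {link_domain}")
        imitated = lookalike_of(link_domain)
        if imitated:
            findings.append(f"lookalike: {link_domain} resembles {imitated}")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print(finding)
```

Run against the constructed sample, it reports the punchbowl.com sender behind the "CoinDesk" display name, the coindesk-news.co link hiding behind "coindesk.com" text, and wallet-tezos.com as a look-alike of tezos.com, while the genuine www.coindesk.com link passes. Brand-substring matching is deliberately aggressive; a legitimate third party such as a newsletter provider will trip it, which is the point: anything not on your own allowlist deserves a manual look before you connect a wallet.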
Here's how the whole post looks, very nicely done. Forgive this crappy screenshot, but you get the idea.
The call to action is right here. To hype the FOMO, the counter is counting down from about 1000.
Later on, as I went to the page again, the counter restarted from 3000.
Now I decided to google this:
So I watch the whole YouTube video while eating dinner, knowing that the countdown is happening:
Based on that, I made an assessment that this was probably something real, so the FOMO was building up.
Edit 2020-12018: The YouTuber realized his mistake and corrected the video; here's what he wrote in response to my comment:
So I go back to the scam website, as the tab was still open.
Now, I hadn't touched my wallet for a while, so I recognized the TezBox from before. Those options were not available; the only option that was available was the first one.
The wallet requires that I connect with the hardware wallet. I hadn't used this particular one before. But note that the URL above, 'wallet-tezos.com', is also fake. If I had been familiar with the wallet, I would have noticed it was off.
I connect my hardware wallet and do the validations on the hardware wallet as requested. It's nothing out of the ordinary.
Secondly, there is a nice HyperBaker button. I clicked the button and followed the steps. It was essentially a send transaction:
After I confirmed the transaction on my hardware wallet, I checked the transaction on the explorer.
Now I was getting anxious. How do I know where my Tezos is, and how will I get it back? I started looking around and landed on this website. As soon as I read the following, I knew I had been scammed.
Obviously I experienced some strong emotions on realizing my foolishness. I immediately took some actions to report the email and left a comment on the YouTube video to warn others.
But I know it's done now; there's no way I can get it back. I was surprised that I had fallen for this, as I had been trained to notice all of these signs. But there is no point being sad about it. I have suffered financial losses in the past, and in situations like this I tell myself that this loss has taught me a lesson that insures me against a much larger loss that could have happened in the future had I not learned it. You bet that I'm going to be extra, extra careful with any kind of social engineering attack, especially with crypto.
I hope this will be a good lesson for others, and that it will help people develop awareness of how sophisticated these phishing scams are and how to protect yourself from them. The technology isn't to blame for it; we as human beings are the most susceptible. I hope people in the ecosystem will use this as a case study to develop better interfaces and technology controls to protect consumers as digital assets become more commonplace. I'm as bullish about digital assets and currencies as I was before this event, have not let this scare me away from crypto, and will continue to invest in it.
If you found this helpful and still think somebody who was dumb enough to fall for this is worth listening to, follow me on Twitter, where I've become much more active lately.