A phishing scam discussion.

[salad daging]

FIRST USER:  argued that such phishing scam drains it victim money from wallet automatically in a quick instant on connecting to the fake site.

I'm not sure about this user, saying that accessing a phishing site will automatically drain the balance directly, but don't know that the phishing site has been designed in such a way.
I used to access some phishing sites for curiosity and only to the extent that it is not directly drained, unless connecting the wallet.

SECOND USER: argued that connecting your wallet alone to a phishing site does not automatically drain it, ontil you the victim have to perform a signing in your of your information or wallet private key.

This makes more sense, and often the victim's mistake is from their own connecting a web wallet to a phishing site or filling out a form that asks for a seed phrase.

Regardless, just be careful with phishing sites because now there are so many phishing sites scattered.
4 days in a row I received a phishing email from Trezor.

[Stalker22]

I suppose they could both be right.  It really just depends on how the specific scam is set up.

I suppose both of them are talking from their different knowledge base and experiences, I've a friend that her wallet, Trust wallet to be precise was drained immediately she connected to a site through DAPPS section, so I believe I have seen instant connection scam before, but I haven't known anyone who had to sign a transaction before their wallets were drained.

It depends on what you mean by being "connected to a site."  In my experience, you usually have to grant specific permissions regarding exactly what a dApp can do with your wallet.  You have to be extremely careful here; I have seen users who barely read what they are confirming, which is usually why they end up with an empty wallet after visiting scam websites. 

I have also read that the website you're connected to might have an exploit designed to run an automatic unintended code on your device or even get remote access to your device and if it is achieved successfully, then the attack can remove your assets.

AFAIK, this is only possible if there is a security vulnerability in the software or hardware you are using that can be exploited. The most recent example is the vulnerability in MediaTek processors, which affects almost all Android devices on the market.

I only hope the second person is not trying to undermine the risk in connecting your wallet to scam sites because you do not know the configuration you would meet, so it is better not to even connect your main wallet to any third-party service.

Thats true.  Better to be safe than sorry.

[Zoomic]

Depends on how the site is built, there are scam Dapps which are design to extract the key to your wallet immediately you sign in that wallet connect permission, there are also those who which they need to send you something which you need to from your wallet permit it, so both of them are some how right just that one tries to use his explaination to debunk the other persons own.

If I am a scammer and I have the  opportunity to execute both type of phishing, I will obviously choose that immediately your wallet is connected, it should drain. Unless the resources to set is up is very much expensive, if not, that is the most reliable one for the scammers.

Again, anyone who is willing to connect their main wallet to an unknown or untrusted site will also be will to sign signature and complete transaction.

But for knowledge sake, if you connect your wallet, you have already given them the primary permission they need, every other things could fall in place.

[HONDACD125]

Keeping the argument between the two users aside at first, we need to understand that if the victim downloaded a wallet from a website, and then imported his key or seed phrase in that wallet, the attacker drained the wallet by gaining access to the wallet through that, because if someone has your private key or your seed phrase, they don't need any other permission to access your wallet as these are the most important things when it comes to decentralized wallets.

Now, talking about the argument or discussion, I would say it depends, because as mentioned by some other members, some wallets, especially on a mobile device where you have the app, you can access dApps directly from within the wallet, and in that case, a fake dApp might be able to access the wallet somehow as soon as the user connects to it. However, when it comes to wallet extensions on browsers, specifically on a pc, when you connect to a website, for the website to actually be able to have access to the wallet or to make transactions, the user has to sign a message for which he gets a notification. If the user signs it, then the wallet can be drained.

[FinneysTrueVision]

A phishing scam by itself doesn’t typically drain your wallet instantly. There has to be a malware deployment to go along with the phishing in order for it to be instant. A malware attack would only work if you are using a hot wallet on your device. Hardware wallets give an additional layer of protection.

Phishing scams are designed to get you to reveal your seed phrase or trick you into giving approval to a malicious contract. Attackers don’t immediately drain you until you’ve been compromised enough to give them control.

[SilverCryptoBullet]

Regardless, just be careful with phishing sites because now there are so many phishing sites scattered.
4 days in a row I received a phishing email from Trezor.

Be careful with words you used. These emails are from scammers, not from Trezor. I understand that you did not intend doing that, but writing "I received phishing email from Trezor" is like a fake news, so let's be more careful with words to use next times.

It's easy to recognize such emails as scam by looking at their email addresses which surely don't have trezor.io as their phishing sites and emails must be something different than trezor.io

trezor.io is the official website of Trezor hardware wallet.

Some tips to avoid these phishing scams.
Phishing scams.
Hardware wallet scams.

[Patikno]

The important conclusion is this: we should always check the legitimacy of a site, ensure it is official and free of any malicious activity, and always check information from the relevant community about the site you are planning to visit.

-snip-

By the way, I am curious about the case you described. Could you provide a source? Maybe, it will become clearer, if we read it carefully, and we can understand how the phishing scam site works.

I don't know if this is the reddit thread OP is talking about, but the story seems almost the same -- How I lost over $1M after installed Ledger Wallet from App Store



The victim downloaded a fake Ledger Wallet app on his Mac from the official App Store. He wasn't aware that the desktop version is only available from the ledger.com website. In this case, the second user's argument would be right, because simply downloading a fake app shouldn't have been enough to drain his funds. He must've been tricked into entering his seed phrase, or maybe he signed a transaction on his device without verifying the details. Still, his actions were very careless for someone with a huge amount of money. As explained by one of the mods there:

It is also crucial to understand that a fake app cannot autonomously drain your wallet just by being installed. A hardware wallet's security model dictates that assets can only be moved if the 24-word recovery phrase was typed directly into the fake app, or if a malicious transaction was physically approved on the Ledger device screen.

So, opinion number two is correct in this case, right? but, it seems my previous explanation wasn't quite right.

There is an important lesson to be emphasized in this case: the victim mistake who easily downloading an app from an unofficial source (Ledger, in this case). He should have verified the source, checked with the relevant community, or at least checked the official website first, then looked at the download link provided there.

By the way, I just visited the Ledger website, and found that Ledger provides a download link for macOS, but why doesn't it go to the Mac App Store when I try to click it? Shouldn't it redirect to the Mac App Store? just like clicking the download link for Android, which redirects directly to the Google Play Store? or, has Ledger not yet registered their account as an Apple Developer there? Cmiiw.

Ledger company should realize how important it is to provide their application there, because they are a company that must also take care of its customers carefully, and because there are many people who depend on that company for their finances.

[TypoTonic]

There is an important lesson to be emphasized in this case: the victim mistake who easily downloading an app from an unofficial source (Ledger, in this case). He should have verified the source, checked with the relevant community, or at least checked the official website first, then looked at the download link provided there.

Also, he either ignored or failed to see that the fake app has only 4 reviews, and a perfect 5 star rating. That was a huge red flag already.

By the way, I just visited the Ledger website, and found that Ledger provides a download link for macOS, but why doesn't it go to the Mac App Store when I try to click it? Shouldn't it redirect to the Mac App Store? just like clicking the download link for Android, which redirects directly to the Google Play Store? or, has Ledger not yet registered their account as an Apple Developer there? Cmiiw.

I'm not really sure why. They have it available on the App Store for iOS though. Anyway, the story I shared is no longer relevant. OP already found the thread he was referring to:

This is the exact story I'm referencing to in my op  How an ad cost a user 1.7 million dollars. I had to spend time to search for it cause I did not remember to save it.

You should probably add this to the OP @IjawMan.

[tabas]

Both explanations are correct. But you know these scammers are rogues that will not waste any moment after a victim falls for their trap. These wallet drainers are going to suck all the funds you've got and any kind of smart contract they do for that is going to get the victim's fund automatically. Whether to justify the explanation 1 and 2, the whole point here is to not falling for these phishing wallets and websites. And the responsibility is on us that we have to be careful with any of them not to fall for it. So, as we're always saying - always verify!

[salad daging]

Be careful with words you used. These emails are from scammers, not from Trezor. I understand that you did not intend doing that, but writing "I received phishing email from Trezor" is like a fake news, so let's be more careful with words to use next times.

I mean like this, this phishing email is a scammer on behalf of Trezor, sorry not to give false or misleading info, I think what we said is partly understood.

It's easy to recognize such emails as scam by looking at their email addresses which surely don't have trezor.io as their phishing sites and emails must be something different than trezor.io

This is an email from the official Trezor: <noreply@trezor.io>
And this is the sender's email on behalf of Trezor, with a random email.

Code:

<noreply@frenchmorning.   com>
<noreply@3xlogic.   com>
<noreply@prestocibergestion.   com>
<noreply@visualvisitor.   com>

[Lucius]

A long post but carefully read please.

I was going through a thread today on Reddit that OP narrated his painful experience of a loss of big  money in millions to a phishing scam which began with him downloading a phishing wallet from a fake site.
~snip~

I imagine what it must be like to have millions of dollars worth of cryptocurrency and not know how to protect yourself from something as trivial (at least for me) as phishing. Even if you don't know what phishing is, you should know what a hardware wallet is, and you can't store such amounts in a hot desktop wallet, but only in an air-gapped wallet.

There was a story about a character who also lost a large amount of crypto-currencies, only with him the thing was a little different - he used a hardware wallet, but then at one point he decided to enter his seed into some hot wallet, which of course was fake. Scammers have never had an easier job than they do today, just one gullible person and you can retire.

[Grace333]

Phishing scam has been in existence for a long time and the reason it doesn't get old is because it is continually developed and adjusted in ways that people will have less doubt. Even pros who have been in the crypto space for a long time can still fall for a Phishing scam just by clicking the wrong link or downloading the wrong software. We gat to be care especially since crypto and bitcoin are decentralized meaning you have less probability change or regaining access to your crypto that was stolen. Both persons can be correct depending on how the site was designed.

[SilverCryptoBullet]

It's easy to recognize such emails as scam by looking at their email addresses which surely don't have trezor.io as their phishing sites and emails must be something different than trezor.io

This is an email from the official Trezor: <noreply@trezor.io>
And this is the sender's email on behalf of Trezor, with a random email.

Code:

<noreply@frenchmorning.   com>
<noreply@3xlogic.   com>
<noreply@prestocibergestion.   com>
<noreply@visualvisitor.   com>

That's what I wanted to say.

Official emails from Trezor can be easily identified if you already know their website domain. Any official emails from Trezor must have @trezor.io, the others are phishing and scam emails.

See I chat with Trezor support (bot). It's their advice but don't trust what I quote, you can verify it by chatting with the bot.

https://trezor.io/support

Q: give me official emails of trezor please
A: I understand you're looking for official Trezor contact emails. Could you please specify the type of inquiry or department you are trying to reach? This will help me provide you with the most relevant information

Q: I want to have list of trezor official email to avoid phishing and scam emails from scammers
A: To help you avoid phishing scams and ensure the security of your digital assets, here are some guidelines and official Trezor contact details:

### Identifying Phishing Scams
Trust Only Trezor’s Display: Confirm all actions on your Trezor device, not just through a browser or app interface.
Urgent or Threatening Language: Be wary of urgent messages claiming your account is at risk.
Suspicious Email Addresses: Look out for slight variations in email addresses, such as `@trezorr.io` instead of `@trezor.io`.
Unsolicited Messages: Be cautious of messages from unknown sources.
Avoid Clicking Unknown Links or Attachments: Verify the sender before clicking any links.
Check for Spelling and Grammar Errors: Legitimate communications from Trezor are carefully proofread.
### Official Trezor Channels
Authentic Domains:
`@trezor.io`
`@invity.io`
`@vexl.it`
`@tropicsquare.com`
`@satoshilabs.com`
Official Social Media:
Twitter
Instagram
Trezor will never contact you via SMS, WhatsApp, Telegram, phone, or postal mail. If you receive such communications, it is a phishing attempt, and you should report it immediately.

I don't know about

`@invity.io`
`@vexl.it`
`@tropicsquare.com`
`@satoshilabs.com`

but the bot gave me these domains as authentic ones.

[Asuspawer09]

As far as I know yes phishing was really popular and you could get drain but it wasn't really that simple as far as I know, it wasn't like you click a link and then you instantly going to lose everything something like that, I completely disagree with that, it wasn't really easy to scam something, I mean it would probably depend on the hacker or some elite hackers but as far as I know it doesn't work that way. Most of the time for sure the 2nd User the one the is correct here, phishing is where it is going to get your data and then the drain is going happened, that is why most of the time, when you link the link your going to end up on the login page of the website or wallet, because they are trying to make you login your credential in order to open your actual wallet or account, if your not careful or not aware that it is a fake website then your going to fall into the trap. But for some users it's kinda easy to spot it, I mean, just dont link a link, actually, especially on emails.

The First user theory could still be a thing, but it needs more like of a virus like an exe files maybe, if they can drain you instanly that just mean that your hardware is already compromised it was probably able to trick you into downloading some executable file that is why they are able to run something on your hardware and do things that they wanted.

[Razmirraz]

As far as I know, phishing scams don't usually drain the victim's wallet just because they connect to a fake site. As long as you never enter personal information or wallet keys on untrusted sites, your assets will be safe. But, if you enter sensitive information like private keys or make transactions, it can be a big problem. So the comment from the second user is more accurate.
Thank you for sharing the bitter experiences of users from other platforms here. Hopefully, this experience will be a lesson for beginners to be more careful and check the legitimacy of a site before downloading a wallet.

[Ronsbit]

OP, can you please put up the link to the thread of this post on the Reddit platform here for us to see? It would give a clearer picture of what you are saying here, though.

From the little experience I have gained so far, I do not think a phishing site drain wallet immediately when connected, it can only drain when you have already given out your sensitive information via the site, and that is what they would use to steal from you.