A phishing scam discussion.

[sunsilk]

Both you are correct probably due to their own experiences.In my own perspective it’s crucial never to link your wallet to a scam site otherwise you’re at risk of losing your coins.Most phishing site really don’t need you to perform much or carryout much tasks,only clicking the site could reveal your login credentials,while other phishing sites require their victims to sign up and perform some tasks before they could steal their credentials and coins.But to be on the safer side after discovering a phishing site it would be necessary to desist from the site entirely.

Never connect to suspicious websites. Despite that there are a lot of warnings by the browsers that we use or the extensions that we've got.

There will be users that have the balls to continue even though they know how dangerous it is.

They have an idea on how it looks like to see a phishing website and it asks certain details that they should have kept but, they still do that.

[Hazink]

The bottom line is, phishing sites are dangerous. Just because they have different attack vectors or fail to target you at one time doesn't mean they won't get any of your information after you interact with them. You're already unsafe from future attacks if you haven't taken security measures.

Once someone notices they were almost bridged before an attack, the first thing they do is to take every security measure necessary. Even when you don't know which information might have been obtained, the safest way is just to keep sensitive and important information away from devices which are regularly connected to the internet.

[ArielRod20]

A long post but carefully read please.

I was going through a thread today on Reddit that OP narrated his painful experience of a loss of big  money in millions to a phishing scam which began with him downloading a phishing wallet from a fake site.

Subsequently, users began to make their comments about cautious procedures to take for protection of phishing links and sites. But what made me export this story from there to the forum is for the clarification of a fairly disagreement/debate between two users about this phishing scam, which I find confusing about who is correct with their replies and who is not.

FIRST USER:  argued that such phishing scam drains it victim money from wallet automatically in a quick instant on connecting to the fake site.

SECOND USER: argued that connecting your wallet alone to a phishing site does not automatically drain it, ontil you the victim have to perform a signing in your of your information or wallet private key.

I do not know if I explained the story to a simple understanding. I'm bringing this in the forum that I may know which is correctly said, so I do not misinform someone else in making effort to supply them information with similar case in future.
Thank you all.

the second user is closer: connecting alone usually isn’t enough; damage happens after signing, approving, or exposing keys, though some scams auto-exploit.

[knowngunman]

FIRST USER:  argued that such phishing scam drains it victim money from wallet automatically in a quick instant on connecting to the fake site.

SECOND USER: argued that connecting your wallet alone to a phishing site does not automatically drain it, ontil you the victim have to perform a signing in your of your information or wallet private key.

First of all, is it possible to connect a wallet to a site without signing a message?

Have you taken your time to read what the message entails when signing to connect your wallet to a site?

If you know what the signature means, I suppose you already get your answer.

To cut it short for you, both users are correct. Once you signed a message to connect your wallet, you give consent and access to your funds depending on how the site is set up. If they are scammers, they might no need extra permissions from you to move your coins.

More reason you should confirm the site correct url and review the message before signing.

[tbct_mt2]

First of all, is it possible to connect a wallet to a site without signing a message?

Have you taken your time to read what the message entails when signing to connect your wallet to a site?

With non custodial wallets, you can sign a message from your wallet because you have private key but you don't have to sign any message when you approve a smart contract. It's not necessary to sign any message as the message is only when you want to add something for communication with your trade partners for example.

Your wallet can be compromised if you approve a scam smart contract that will be used to drain and steal cryptocurrency in your wallet.

Revoke any smart contracts when you done with that token, project.
https://coinmarketcap.com/academy/article/3-minute-tips-how-to-revoke-token-approval-following-opensea-s-latest-security-episode

[Bitcasa1]

To the best of my knowledge, before a hack takes place through a phishing link, there must be some sort of permission from the owner granting access to the hacker through the link unbeknownst to the owner of such account or wallet and through this granted permission the hacker can steal information to be used against the owner of the wallet of device this is how I believe phishing scams do occur without the knowledge of the owner of such account and they end up losing their assets and vital information to the hackers. So in other words, phishing scam can only occur upon access granted by the owner of such an account without his knowledge that such activities are the motive of scammers.

[Biirakedee]

To the best of my knowledge, before a hack takes place through a phishing link, there must be some sort of permission from the owner granting access to the hacker through the link unbeknownst to the owner of such account or wallet and through this granted permission the hacker can steal information to be used against the owner of the wallet of device this is how I believe phishing scams do occur without the knowledge of the owner of such account and they end up losing their assets and vital information to the hackers. So in other words, phishing scam can only occur upon access granted by the owner of such an account without his knowledge that such activities are the motive of scammers.

I agree with you, there's no scam if the owner doesn't give access, in modern time the security of our wallets has improved same with scammers knowledge, we must be very smart to outsmart the scammers.And the only way is to avoid unnecessary Links.

Scammers are very smart people and they go at any length to manipulate their victims, that's to say without the input of the victims , scammers can't not operate. When people cry out of being scammed,I just conclude that they have given access to scammers to scam them.

[Cookdata]

First of all, is it possible to connect a wallet to a site without signing a message?

Have you taken your time to read what the message entails when signing to connect your wallet to a site?

With non custodial wallets, you can sign a message from your wallet because you have private key but you don't have to sign any message when you approve a smart contract. It's not necessary to sign any message as the message is only when you want to add something for communication with your trade partners for example.

Your wallet can be compromised if you approve a scam smart contract that will be used to drain and steal cryptocurrency in your wallet.

Revoke any smart contracts when you done with that token, project.
https://coinmarketcap.com/academy/article/3-minute-tips-how-to-revoke-token-approval-following-opensea-s-latest-security-episode

It's worth knowing that draining of wallet with wallet approvals drain tokens, mostly ERC20 tokens, it doesn't directly drain Ethereum coin though smart contract approvals. The only way you can get your ethereum drain is if you try to claim something from a phishing website where they disguised to be the original website, you can end up sending ethereum coin to the wrong address, but the token, once you have done an approval especially unlimited, your tokens will be automatically drained without your knowledge.

Always look out for phishing links of website that is popular, don't search for platforms on Google. Over time, we noticed that Google are not help with advertisements of scam and phished websites. There are many things you can get on coingecko without going through Google. I don't trust Coinmarketcap, the fact that they can't handle their comment section on listed coins make it horrible.

[Publictalk792]

Second user technically right since by simply linking wallet to site, site is only able to see your wallet balance without being able to take out your money until time you give agreeing by signing trade or entering your secret recovery phrase. Still, warning of first user is not entirely useless since scammers nowadays use code that calls drainers and hides bad permissions as safe login or verify buttons, and this theft happens so fast that it is almost as though simply linking to Internet is cause of loss. It was found that scams involving Ice Phishing, and hidden signing is more and more common, tricking people into giving up control of their money without their knowledge, so best way of using these is to start any new link with very low burner wallet and little money in it on any site they do not know.

[Alpha Marine]

Is there a way you're going to use your wallet without inputting a seed phrase or private key? Once you get a new wallet, you will either import an address or create a new one, and since it is a fake wallet, anything you do gives to the hacker in the background. So imo, there is no other connection required. A phishing or scam link is different from having a scam wallet app. When the wallet sends all your infomation, especially your secret phrase to the hacker without you knowing, there is nothing more you can do.

That is why it is always advisible to only download a wallet from the official website. It is better the website redirect you to their app on the app/play store, than for you to go serch for it yourself.

[Mahiyammahi]

I do not know if I explained the story to a simple understanding. I'm bringing this in the forum that I may know which is correctly said, so I do not misinform someone else in making effort to supply them information with similar case in future.
Thank you all.

Both can be correct, it depends on how a user is handling his security on his device. A lot of site asks for cookie permissions, some might ask for sensitive information so our browser /Windows firewall usually show's them risks and block them. If you still ensist go those site after knowing everything if anything happens you're the only one to blame.

Other hand for connecting wallet issue, A bot can't take access your wallet unless you signed your wallet for that particular app/web3 dapps . It actually allows to spent money without user's permission. When we are signing anything there's always a warning about this and what your connected app can do with your wallet.

So I think we should consider these risk and pay attention more to our security