A phishing scam discussion.

[sunsilk]

Both you are correct probably due to their own experiences.In my own perspective it’s crucial never to link your wallet to a scam site otherwise you’re at risk of losing your coins.Most phishing site really don’t need you to perform much or carryout much tasks,only clicking the site could reveal your login credentials,while other phishing sites require their victims to sign up and perform some tasks before they could steal their credentials and coins.But to be on the safer side after discovering a phishing site it would be necessary to desist from the site entirely.

Never connect to suspicious websites. Despite that there are a lot of warnings by the browsers that we use or the extensions that we've got.

There will be users that have the balls to continue even though they know how dangerous it is.

They have an idea on how it looks like to see a phishing website and it asks certain details that they should have kept but, they still do that.

[Hazink]

The bottom line is, phishing sites are dangerous. Just because they have different attack vectors or fail to target you at one time doesn't mean they won't get any of your information after you interact with them. You're already unsafe from future attacks if you haven't taken security measures.

Once someone notices they were almost bridged before an attack, the first thing they do is to take every security measure necessary. Even when you don't know which information might have been obtained, the safest way is just to keep sensitive and important information away from devices which are regularly connected to the internet.

[ArielRod20]

A long post but carefully read please.

I was going through a thread today on Reddit that OP narrated his painful experience of a loss of big  money in millions to a phishing scam which began with him downloading a phishing wallet from a fake site.

Subsequently, users began to make their comments about cautious procedures to take for protection of phishing links and sites. But what made me export this story from there to the forum is for the clarification of a fairly disagreement/debate between two users about this phishing scam, which I find confusing about who is correct with their replies and who is not.

FIRST USER:  argued that such phishing scam drains it victim money from wallet automatically in a quick instant on connecting to the fake site.

SECOND USER: argued that connecting your wallet alone to a phishing site does not automatically drain it, ontil you the victim have to perform a signing in your of your information or wallet private key.

I do not know if I explained the story to a simple understanding. I'm bringing this in the forum that I may know which is correctly said, so I do not misinform someone else in making effort to supply them information with similar case in future.
Thank you all.

the second user is closer: connecting alone usually isn’t enough; damage happens after signing, approving, or exposing keys, though some scams auto-exploit.

[knowngunman]

FIRST USER:  argued that such phishing scam drains it victim money from wallet automatically in a quick instant on connecting to the fake site.

SECOND USER: argued that connecting your wallet alone to a phishing site does not automatically drain it, ontil you the victim have to perform a signing in your of your information or wallet private key.

First of all, is it possible to connect a wallet to a site without signing a message?

Have you taken your time to read what the message entails when signing to connect your wallet to a site?

If you know what the signature means, I suppose you already get your answer.

To cut it short for you, both users are correct. Once you signed a message to connect your wallet, you give consent and access to your funds depending on how the site is set up. If they are scammers, they might no need extra permissions from you to move your coins.

More reason you should confirm the site correct url and review the message before signing.

[tbct_mt2]

First of all, is it possible to connect a wallet to a site without signing a message?

Have you taken your time to read what the message entails when signing to connect your wallet to a site?

With non custodial wallets, you can sign a message from your wallet because you have private key but you don't have to sign any message when you approve a smart contract. It's not necessary to sign any message as the message is only when you want to add something for communication with your trade partners for example.

Your wallet can be compromised if you approve a scam smart contract that will be used to drain and steal cryptocurrency in your wallet.

Revoke any smart contracts when you done with that token, project.
https://coinmarketcap.com/academy/article/3-minute-tips-how-to-revoke-token-approval-following-opensea-s-latest-security-episode

[Bitcasa1]

To the best of my knowledge, before a hack takes place through a phishing link, there must be some sort of permission from the owner granting access to the hacker through the link unbeknownst to the owner of such account or wallet and through this granted permission the hacker can steal information to be used against the owner of the wallet of device this is how I believe phishing scams do occur without the knowledge of the owner of such account and they end up losing their assets and vital information to the hackers. So in other words, phishing scam can only occur upon access granted by the owner of such an account without his knowledge that such activities are the motive of scammers.

[Biirakedee]

To the best of my knowledge, before a hack takes place through a phishing link, there must be some sort of permission from the owner granting access to the hacker through the link unbeknownst to the owner of such account or wallet and through this granted permission the hacker can steal information to be used against the owner of the wallet of device this is how I believe phishing scams do occur without the knowledge of the owner of such account and they end up losing their assets and vital information to the hackers. So in other words, phishing scam can only occur upon access granted by the owner of such an account without his knowledge that such activities are the motive of scammers.

I agree with you, there's no scam if the owner doesn't give access, in modern time the security of our wallets has improved same with scammers knowledge, we must be very smart to outsmart the scammers.And the only way is to avoid unnecessary Links.

Scammers are very smart people and they go at any length to manipulate their victims, that's to say without the input of the victims , scammers can't not operate. When people cry out of being scammed,I just conclude that they have given access to scammers to scam them.

[Cookdata]

First of all, is it possible to connect a wallet to a site without signing a message?

Have you taken your time to read what the message entails when signing to connect your wallet to a site?

With non custodial wallets, you can sign a message from your wallet because you have private key but you don't have to sign any message when you approve a smart contract. It's not necessary to sign any message as the message is only when you want to add something for communication with your trade partners for example.

Your wallet can be compromised if you approve a scam smart contract that will be used to drain and steal cryptocurrency in your wallet.

Revoke any smart contracts when you done with that token, project.
https://coinmarketcap.com/academy/article/3-minute-tips-how-to-revoke-token-approval-following-opensea-s-latest-security-episode

It's worth knowing that draining of wallet with wallet approvals drain tokens, mostly ERC20 tokens, it doesn't directly drain Ethereum coin though smart contract approvals. The only way you can get your ethereum drain is if you try to claim something from a phishing website where they disguised to be the original website, you can end up sending ethereum coin to the wrong address, but the token, once you have done an approval especially unlimited, your tokens will be automatically drained without your knowledge.

Always look out for phishing links of website that is popular, don't search for platforms on Google. Over time, we noticed that Google are not help with advertisements of scam and phished websites. There are many things you can get on coingecko without going through Google. I don't trust Coinmarketcap, the fact that they can't handle their comment section on listed coins make it horrible.

[Publictalk792]

Second user technically right since by simply linking wallet to site, site is only able to see your wallet balance without being able to take out your money until time you give agreeing by signing trade or entering your secret recovery phrase. Still, warning of first user is not entirely useless since scammers nowadays use code that calls drainers and hides bad permissions as safe login or verify buttons, and this theft happens so fast that it is almost as though simply linking to Internet is cause of loss. It was found that scams involving Ice Phishing, and hidden signing is more and more common, tricking people into giving up control of their money without their knowledge, so best way of using these is to start any new link with very low burner wallet and little money in it on any site they do not know.

[Alpha Marine]

Is there a way you're going to use your wallet without inputting a seed phrase or private key? Once you get a new wallet, you will either import an address or create a new one, and since it is a fake wallet, anything you do gives to the hacker in the background. So imo, there is no other connection required. A phishing or scam link is different from having a scam wallet app. When the wallet sends all your infomation, especially your secret phrase to the hacker without you knowing, there is nothing more you can do.

That is why it is always advisible to only download a wallet from the official website. It is better the website redirect you to their app on the app/play store, than for you to go serch for it yourself.

[Mahiyammahi]

I do not know if I explained the story to a simple understanding. I'm bringing this in the forum that I may know which is correctly said, so I do not misinform someone else in making effort to supply them information with similar case in future.
Thank you all.

Both can be correct, it depends on how a user is handling his security on his device. A lot of site asks for cookie permissions, some might ask for sensitive information so our browser /Windows firewall usually show's them risks and block them. If you still ensist go those site after knowing everything if anything happens you're the only one to blame.

Other hand for connecting wallet issue, A bot can't take access your wallet unless you signed your wallet for that particular app/web3 dapps . It actually allows to spent money without user's permission. When we are signing anything there's always a warning about this and what your connected app can do with your wallet.

So I think we should consider these risk and pay attention more to our security

[Janette014]

A long post but carefully read please.

I was going through a thread today on Reddit that OP narrated his painful experience of a loss of big  money in millions to a phishing scam which began with him downloading a phishing wallet from a fake site.

Subsequently, users began to make their comments about cautious procedures to take for protection of phishing links and sites. But what made me export this story from there to the forum is for the clarification of a fairly disagreement/debate between two users about this phishing scam, which I find confusing about who is correct with their replies and who is not.

FIRST USER:  argued that such phishing scam drains it victim money from wallet automatically in a quick instant on connecting to the fake site.

SECOND USER: argued that connecting your wallet alone to a phishing site does not automatically drain it, ontil you the victim have to perform a signing in your of your information or wallet private key.

I do not know if I explained the story to a simple understanding. I'm bringing this in the forum that I may know which is correctly said, so I do not misinform someone else in making effort to supply them information with similar case in future.
Thank you all.

Both Ops are reflecting from personal experience and they are right too. Every website has different ways they operate and how the scammers have set it up. Technology is here, so spammers have improved in spamming too. While some websites will request private keys, there are websites that automatically drain your wallet once you log in without requesting approval. That's why it's good to ask questions on this website before you use it. Check out phishing websites people are using before you can use them. While on it, I also advise users not to connect to any WiFi because I think WiFi connections can help scammers too.

[Davidloki]

FIRST USER:  argued that such phishing scam drains it victim money from wallet automatically in a quick instant on connecting to the fake site.

SECOND USER: argued that connecting your wallet alone to a phishing site does not automatically drain it, ontil you the victim have to perform a signing in your of your information or wallet private key.

Both user are right.

Phishing scam link operates the way it was built. If the site is built to automatically withdraw funds from your wallet it will do it, because it was assigned to read all the information in your wallet including your private keys. Meaning, that instant you tapped on the link and it took control it will start copying your private keys to bypass all authorization if needed when withdrawing your funds. Note that every year, scammers improvise fast and easy way to steal from people.

[The Cryptovator]

It doesn't matter how the attacker pushes the virus or takes control of the device; at the end of the day, victims lose their funds. This is the real concern; I am wondering how big holders just keep their money in a device that's not air-gapped. Otherwise, one should use a hardware wallet for big funds. Even though I am a small holder, I keep my funds in a hardware wallet. I don't trust software wallets or mobile wallets to keep big funds there.

Crypto users must be very careful about downloading something from the random sites. Even a hacker can't gain a seed, but it's very possible the device is compromised just for downloading and installing software. If you input a seed phrase into fake software, then your wallet will be drained automatically through their system. But it's easy for hackers to control your devise through fake software. device

[tech30338]

It doesn't matter how the attacker pushes the virus or takes control of the device; at the end of the day, victims lose their funds. This is the real concern; I am wondering how big holders just keep their money in a device that's not air-gapped. Otherwise, one should use a hardware wallet for big funds. Even though I am a small holder, I keep my funds in a hardware wallet. I don't trust software wallets or mobile wallets to keep big funds there.

Crypto users must be very careful about downloading something from the random sites. Even a hacker can't gain a seed, but it's very possible the device is compromised just for downloading and installing software. If you input a seed phrase into fake software, then your wallet will be drained automatically through their system. But it's easy for hackers to control your devise through fake software. device

I don't know why people are still being victim of phishing scam, even if there are lots of tutorials, news and reports about their experience and losing money, because of this scams, why would you even try to click a link, or message with a link, even if you don't know the sender, is it curiosity or because with the link there is also a promise of a reward, and that makes a person decided, it is because of greed?
To be safe never let your main computer or a computer with all of your information get infected, instead use another laptop for other things.

[SquirrelJulietGarden]

Crypto users must be very careful about downloading something from the random sites.

Random sites can be strange sites from new brands but phishing sites can be from a famous brand and if people don't do the right things with official websites for getting or downloading anything, they will be victims of hackers and scammers.

Officially visit websites & download apps, not fake ones.

I don't know why people are still being victim of phishing scam, even if there are lots of tutorials, news and reports about their experience and losing money

People just don't read or they read but don't pay too much attention when reading and don't absorb any useful information. Otherwise, they read it well but later they ignore those advice and return to their personal favorite habit that is bad in security and they were scammed easily.

[KiaKia]

A long post but carefully read please.

I was going through a thread today on Reddit that OP narrated his painful experience of a loss of big  money in millions to a phishing scam which began with him downloading a phishing wallet from a fake site.

Subsequently, users began to make their comments about cautious procedures to take for protection of phishing links and sites. But what made me export this story from there to the forum is for the clarification of a fairly disagreement/debate between two users about this phishing scam, which I find confusing about who is correct with their replies and who is not.

FIRST USER:  argued that such phishing scam drains it victim money from wallet automatically in a quick instant on connecting to the fake site.

SECOND USER: argued that connecting your wallet alone to a phishing site does not automatically drain it, ontil you the victim have to perform a signing in your of your information or wallet private key.

I do not know if I explained the story to a simple understanding. I'm bringing this in the forum that I may know which is correctly said, so I do not misinform someone else in making effort to supply them information with similar case in future.
Thank you all.

Scams are setup in different ways and this is why I will believe both stories.

I remember a draining tactics use by scammers where they poison your wallet, waiting for you to move the token and viola all your balance is gone in an instant.

Another one is scammers setting up an auto drain for your wallet, where by once you deposit into the wallet the whole.balance issue drain instantly, I believe that there are too many scamming strategy online today, if I were you I would believe both stories because they are real.

We are not just careful enough, and scammers are also getting smarter every time, they come up with new ways to scam people, we can never be too careful enough.