Crypto security firm Halborn has warned of a new email phishing campaign targeting MetaMask users.
In a blog post published July 28, Halborn’s technical education specialist Luis Lubeck analysed the phishing email and highlighted red flags users should look out for to keep their digital assets safe from these types of scams.
How the Scam Works
This latest scam involves an email, ostensibly from MetaMask, asking the recipient to verify their MetaMask wallet’s seed phrase. The recipient is told the seed phrase is needed by MetaMask in order to comply with regulations and that failure to comply will result in their wallet being “restricted”.
Clicking on the button to verify the seed phrase takes recipients to a fraudulent imitation of the MetaMask website where they are prompted to input their seed phrase. If the user complies, the scammers gain full access to the wallet, allowing them to steal the user’s assets.
Red Flags and Warning Signs
Lubeck cautioned that to an inexperienced, casual crypto user not paying close attention, the email could appear legitimate. However, he highlighted some important red flags, including:
- the sending address not being from a legitimate MetaMask domain, but rather from ‘metamaks.auction’;
- the lack of personalisation, such as the recipient’s real name or other identifying information; and
- the call to action button linking not to MetaMask’s website, but to a fraudulent URL.
Lubeck stressed that the best defence against phishing attacks is to be extra careful when receiving email requests related to crypto accounts or wallets:
“The best defence against phishing attacks like these is to stay vigilant when receiving emails and think twice before doing anything that seems a bit unusual or potentially suspicious.”
Luis Lubeck, technical education specialist, Halborn
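The red flags listed above can be checked mechanically in a mail filter. The following Python sketch is an added example, not code from Halborn or MetaMask: it assumes `metamask.io` is the only trusted domain, and the sample message and its link host `wallet-check.example` are constructed placeholders, since the article does not give the fraudulent URL.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

BRAND = "metamask"
TRUSTED = {"metamask.io"}  # assumption: allow-list of the brand's real domains

def levenshtein(a, b):
    """Edit distance counting insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain):
    """Return 'trusted', 'lookalike' or 'unrelated' for a host name."""
    domain = domain.lower().rstrip(".")
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED):
        return "trusted"
    # A label that contains the brand, or is within two edits of it, on a
    # domain outside the allow-list is treated as an impersonation attempt.
    if any(BRAND in l or levenshtein(l, BRAND) <= 2 for l in domain.split(".")):
        return "lookalike"
    return "unrelated"

def red_flags(raw_email):
    """List the red flags found in one raw single-part message."""
    msg = message_from_string(raw_email)
    body, flags = msg.get_payload(), []
    sender = parseaddr(msg.get("From", ""))[1]
    verdict = classify_domain(sender.rpartition("@")[2])
    if verdict != "trusted":
        flags.append(f"sender domain is {verdict}: {sender}")
    for href in re.findall(r'href="([^"]+)"', body, flags=re.I):
        host = urlparse(href).hostname or ""
        if classify_domain(host) != "trusted":
            flags.append(f"link leaves trusted domains: {host}")
    if re.search(r"(seed|recovery)\s+phrase", body, re.I):
        flags.append("message asks for a seed phrase")
    return flags

# Constructed sample modelled on the email described in the article.
SAMPLE = ("From: MetaMask <support@metamaks.auction>\nSubject: Verify your wallet\n\n"
          "<p>Verify your seed phrase or your wallet will be restricted.</p>\n"
          '<a href="https://wallet-check.example/verify">Verify</a>\n')
```

Calling `red_flags(SAMPLE)` returns three findings: the lookalike sender domain, the off-domain button link, and the seed phrase request.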
MetaMask Frequent Target of Scammers
Due to its status as the most popular wallet for Ethereum, MetaMask is often targeted by scammers.
In April, MetaMask warned Apple users to disable iCloud backups after it was revealed their MetaMask seed phrases were being automatically backed up to the cloud storage service and then targeted in phishing attacks. In one case, a user lost over US$600,000 worth of assets to this scam.
In November 2021, a Reddit user reported his friend had lost 38 ETH to another MetaMask scam in which a paid Google ad directed users to a fake MetaMask website to install a fraudulent version of the browser extension, allowing scammers to steal users’ assets.