How to identify a Metamask phishing attack and keep your crypto safe


Yesterday I received an email from "Metamask.io" with the following message: 

"Metamask requires all users to verify their wallets in order to comply with KYC regulations this must be done before 27/03/2022."

The email closed with a warning — "if you don't verify your wallet, your wallet will be restricted" — and a dialogue box prompting me to click and verify my identity. 

The email's phishing attempt is much more blatant when reduced to the text above, but in practice a scammer doesn't need a perfect setup — just the chance an individual will open an email and automatically respond to its contents before they realize something's not right. 

This is, unfortunately, a low bar that many fall prey to at least once.

Here are some things I look for to identify whether or not a message is legitimate. Hopefully they help you in your own digital safety, or at the very least serve as a reminder to stay vigilant. 

The phishing attempt

Here is the email as I received it:

Gone are the days of outrageous "Nigerian Prince" scenarios — this email actually looks legitimate at first glance. The clean format and METAMASK logo suggest professionalism. The wording also appears grammatically correct when read quickly. 

I often browse email to pass the time while standing in line or waiting to get food, for example, and it's not hard to imagine I could have impulsively clicked the "verify your wallet" dialogue box before I realized the danger. Scammers have gotten very good at exploiting the informal way we conduct personal business. My Metamask email is a textbook example. 

Three red flags

The most obvious red flag here is the topic itself. Metamask is a decentralized cryptocurrency wallet hosted on your local PC as a browser extension. Purchases aren't made through a Metamask marketplace, so KYC verification doesn't make sense. 

But let's say you're new to cryptocurrency and this isn't obvious. You should get in the habit of always independently confirming similar messages or emails. A quick Google search — "metamask KYC verification" — immediately shows the email I received is a common scam attempt:

The second red flag is the "verify your wallet" link URL. You should always verify that a link's URL points to a reputable website. On a PC you can do this by hovering the cursor over the link. In this email's case, the URL is questionable at best (I replaced the second half with 'X' to make sure no one can accidentally click it):

"https://click.pstmrk.it/2s/post-kuwait.netXXXXXXXXXXXXXXXXX"

The third and final red flag is the sender's email. A real communication would come from an email address affiliated with the organization. The sender's "Metamask.io" name is convincing, but the email address, "notifications@webby.app", is not.
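
The sender and link checks above can also be scripted. The Python below is an added example, not part of the original post: it runs on a constructed message built from the values quoted above, and it assumes metamask.io is the domain genuine mail and links would use.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample built from the values quoted in the post (not the real message).
SAMPLE = """\
From: "Metamask.io" <notifications@webby.app>
Subject: Verify your wallet
Content-Type: text/html

<p>Metamask requires all users to verify their wallets.</p>
<a href="https://click.pstmrk.it/2s/post-kuwait.netXXXXXXXXXXXXXXXXX">Verify your wallet</a>
"""

def in_domain(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def red_flags(raw, expected_domain):
    """Return findings for the sender and link checks described above."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    if not in_domain(sender_domain, expected_domain):
        findings.append(f"sender domain {sender_domain!r} is not {expected_domain!r}")
        # The display name is free text chosen by the sender, so a name that
        # carries the brand while the address does not is a spoofing signal.
        if expected_domain.split(".")[0] in display.lower():
            findings.append(f"display name {display!r} imitates the brand")
    # Assumption: bodies are not base64/quoted-printable encoded (true for SAMPLE).
    body = "".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    for url in re.findall(r'href="([^"]+)"', body):
        host = urlsplit(url).hostname or ""
        if not in_domain(host, expected_domain):
            findings.append(f"link host {host!r} is not {expected_domain!r}")
    return findings

if __name__ == "__main__":
    for finding in red_flags(SAMPLE, "metamask.io"):
        print("RED FLAG:", finding)
```

A mismatch does not prove fraud, since legitimate mail also uses link-tracking hosts; it marks the message as one to confirm independently rather than click.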

Final thoughts

Crypto scams are definitely out there, and they continue to evolve. Most of the time a scam will be apparent, but only if you consistently take a few seconds to check a few things beyond a quick glance.

Thumbnail photo by Shubham Dhage on Unsplash.
