Hardware wallets offer the best form of security when it comes to safeguarding your private keys and funds. However, a phishing email could place all these at risk if you are not careful.
On 28th October 2020, we received an email that appears to have come from Ledger. See the following email.
Actual Text in the Ledger Phishing Email
View in Browser
We regret to inform you that Legder has experienced a security breach affecting approximately 86,000 of our customers and that the wallet associated with your e-mail address (your email address) is within those affected by the breach.
Namely, on Thursday, September 24th 2020, our forensics team has found several of the Legder Live administrative servers to be infected with malware.
At this moment, it’s technically impossible to conclusively assess the severity and the scope of the data breach. Due to these circumstances, we must assume that your cryptocurrency assets are at risk of being stolen.
If you’re receiving this e-mail, it’s because you’ve been affected by the breach. In order to protect your assets, please download the latest version of Legder Live and follow the instructions to set up a new PIN for your wallet.
The text in the email above had been found to match exactly with other known phishing emails from addresses that end in .io or other domain suffixes as reported on Reddit.
Before reading further, see if you can spot the con in the text above.
This time however, the phishing email had been made to look as legit as possible in order to fool even astute Internet users, as pointed out by the red arrows above:
- The sender’s email address firstname.lastname@example.org looks genuine…until upon closer inspection, it is actually legder.com and not ledger.com. A simple switch in place of the “d” and “g” in the word ledger can fool even the most cautious amongst us.
- Clicking on View in Browser on the top right of the email opens up the internet browser to what appears to be Ledger’s official website at ledger.com….only thing it’s not. It’s legder.com (note the spelling) which had been designed to look exactly like Ledger’s website.
As internet and cryptocurrency users become savvier at detecting scams (and there has certainly been plenty in this space), scammers have also taken the position to up their game by cleverly making their attempts appear as genuine as possible.
Other Suspicious Key Points
Let’s assume we had missed the two discoveries above. If we were to digest that email and search for clues that could point it out as a phishing email, these are some of the other clues:
- The text in the email is the most important red flag and an indicator that this is an email with malicious intent. It matches word-for-word with a similar phishing email from a different address going around just a few days before if you did a search online.
- The tone and language used in the email suggest a warning more dire than the usual nature of such warning emails. The urge to push for action is consistent with most phishing email scams. While this is not conclusive enough, it is a prompt to remain alert. Any email that strongly nudges you to click a link or download something should be treated with suspect.
- The use of “Dear client” suggests that the sender does not know the identity of the email recipient i.e. you. If your email address had been registered with the company through the proper channels, your name is often requested for and included. A legitimate email from the company would usually address you by your proper salutation and name. A generic term like “client”, “customer”, “sir” or the username at the front of your email address is sometimes a hint the sender does not know who you are. Again, this is not conclusive, but a clue to be more cautious.
- In this particular case, our email address was never registered with Ledger as we had purchased from an authorised reseller and not directly from Ledger. There is no way we would expect any email from Ledger – another big red flag!
- Another clue was this “update” was not shown in Ledger Live. Usually when a new version of Ledger Live is available for download, the link to download the new version will be shown at the top when Ledger Live is launched. In this particular instance, no update was shown. Another clue to be wary.
The latest official version is now 2.15.0. See the next section on how to avoid becoming a victim.
How to Avoid Becoming a Victim of Phishing Emails
Here are some safe-step suggestions to avoid becoming a victim of phishing email scams. This applies not just for the case with Ledger, but with most other similar phishing scams as well:
- Double-check the email address. Do not just check visibly. Hover your mouse over the email address and Copy Email Address and paste it on a text field or document. You may be surprised to sometimes find that what is pasted is entirely different from what is seen at the top of your email. In the case above, the misspelling of ledger was not apparent until we copied the sender’s email address, pasted it in a Word document and capitalised all alphabets. It’s easier to spot the misspelling in SUPPORT@LEGDER.COM than in email@example.com.
- Look out for the use of similar alphabets in email addresses and domain names, such as I (capital i) instead of l (small letter L), and umlauts such as é instead of plain e. Lédger.com (note the first “e”) is not the same as Ledger.com.
- Do not be fooled by logos and company banners in your email. Anyone can copy that from the official website and paste it into an HTML-based email to make it look like a legitimate official email.
- Look for spelling errors in the email. Scam emails often display spelling errors too rookie for a company-designated communications employee to make. Even for a French company writing in English.
- Read the content of the email observe for the tone and language. Scam emails usually capitalise on the fear of their victims. Phrases like “serious warning”, “your security has been breached”, “reset your password immediately”, “click here to do it now” and other similar “urgent” messages are placed in the content to get you to panic and take hasty action without much thought.
- Copy a unique phrase in the email and paste it in Google to do a search. Chances are you will come across posts online by others reporting about the scam. See image below.
- NEVER EVER click a link in an email that leads you to a website to reset your password or PIN. And in the case of today’s topic, you should never click any link in an email to download an app as well. Go to the official site by typing the URL in the browser (be careful with the spelling) or perform the updates from within the App instead (see Item 9 below).
- Before clicking on any link in a suspicious email, hover over the button or link with your mouse pointer. The destination of the link or button will be displayed at the bottom bar of most email client software.
- If you’re updating your Ledger Live, do so from within the program. This is usually shown at the top whenever a new update is made available by Ledger (see below). Clicking on a link in an email is dangerous and highly discouraged.
What If You Have Already Downloaded and Installed
If you have downloaded and installed the fake Ledger Live and have not connected your Ledger hardware wallet, you should uninstall it immediately. Use an anti-malware program to do a sweep of your computer. Download Ledger Live from the official site and reinstall.
The advantage of using a hardware wallet is that the private keys are encrypted by the embedded Secure Element and are never exposed at any time. The private keys never leave the hardware wallet.
If you have connected your Ledger hardware wallet or if you are concerned that your private keys may have been compromised, you can always send your funds to another Ledger hardware wallet which has been set up properly. You can then reset your existing hardware wallet with a new private key (a new set of 24-word passphrase) and reuse it.
Practise Safe Steps and Learn to Spot the Scam
Always practise safe steps and be cautious of emails no matter how innocent they may appear to be. Learn to spot the scam to protect yourself and your funds.
To be safe, assume every email and invitation on your smartphone to be a scam until satisfactorily proven otherwise.
For more information on the security of your Ledger hardware wallet, you may refer to the Ledger Academy: Something’s Phishy – How to Keep Your Crypto Safe Against Scams.