How to Protect Against Common Crypto Scams and Threats
Security is a top priority for crypto investors as online attacks surge at unprecedented scale.
The average cost of a phishing-related data breach has soared to $4.88 million per incident. The FBI reported that email scams in 2024 alone caused $2.7 billion in losses. And phishing remains the #1 attack vector used by cybercriminals.
CoinList takes the security of its team, its customers, and its partners seriously. Providing clear guidance in this article on how to protect yourself from common threats and scams is one part of our commitment. Below we outline some of the most prevalent attack types in crypto, including email phishing, ice phishing, and voice phishing (vishing), and general best practices to defend against them.
1. Email Phishing
Phishing emails are one of the most common attacks attempted against crypto investors. These emails are designed to appear as though they come from a known, trusted sender. Attackers often copy exchange emails or branding from other known companies, sometimes in extreme detail, to craft messages sent from look-alike domains. All of these visual tricks and cues are intended to lure victims into opening and replying to the email to share personal information, login credentials for financial accounts, or address recovery information, or into clicking malicious links.
How to protect against phishing emails:
- Personal information requests: No legitimate crypto company will ever ask for login credentials, passwords, or personal details via email.
- Sense of urgency: Scammers often pressure their targets with short deadlines to respond and claims of “account suspension,” “payment issues,” or “unauthorized logins.” Always pause to evaluate if an email is legitimate. Always verify through the company’s official support channels.
- Fake email addresses: Official CoinList emails come from the “@coinlist.co” domain. Scammers may use near-identical domains like “coin1ist.co” or “coinlist.io.” Always double-check the sender.
- Suspicious attachments: Never download or open files unless you are certain of their origin. Also, be especially cautious with .exe, .zip, or .scr files.
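The sender check from the list above can be automated. The following is an added example, not CoinList code: it compares a sender's domain with the official `coinlist.co` domain and flags the kinds of near-identical domains the article mentions. The substitution map, the distance threshold of 2, and the sample addresses other than the article's two look-alike domains are assumptions.

```python
import unicodedata

OFFICIAL_DOMAIN = "coinlist.co"  # official sender domain named in the article

# Assumed, non-exhaustive map of digits/symbols used in place of letters.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "|": "l"})

def sender_domain(address: str) -> str:
    """Lower-cased domain of 'user@domain' or 'Name <user@domain>'."""
    return address.rsplit("@", 1)[-1].strip(" >").lower()

def skeleton(domain: str) -> str:
    """Fold accents, full-width forms and digit look-alikes to plain letters."""
    folded = unicodedata.normalize("NFKD", domain)
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    return folded.translate(CONFUSABLES)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address: str) -> str:
    domain = sender_domain(address)
    if domain == OFFICIAL_DOMAIN:          # exact match only, as the article states
        return "official"
    if skeleton(domain) == OFFICIAL_DOMAIN:
        return "lookalike: character substitution"
    if skeleton(domain.split(".")[0]) == OFFICIAL_DOMAIN.split(".")[0]:
        return "lookalike: same name, different ending"
    if edit_distance(skeleton(domain), OFFICIAL_DOMAIN) <= 2:
        return "lookalike: near miss"
    return "not official"

# Constructed sample senders; the two look-alike domains are the article's examples.
SAMPLES = ["CoinList <support@coinlist.co>", "support@coin1ist.co",
           "team@coinlist.io", "alerts@coinlistt.co", "news@example.org"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:32} -> {classify_sender(s)}")
```

A matching domain string does not by itself prove a message is genuine, because the visible From header can be forged; mail authentication results (SPF, DKIM, DMARC) cover that case.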
2. Voice Phishing (Vishing)
Advances in AI and deepfake technology have fueled alarming growth in vishing attacks over the last few years. CrowdStrike research shows that between the first and second halves of 2024, vishing attacks rose by 442%, and in the first quarter of 2025, AI-assisted deepfake vishing cases spiked 1,600%.
In these scams, attackers clone the voice of a relative, coworker, or senior executive and use it to convince victims to share sensitive data or even transfer money. Common vishing narratives include medical emergencies or hospitalization, travel emergencies (e.g., “stranded abroad”), urgent loan requests or temporary borrowing, and legal trouble or fake arrest notices.
Vishing attacks are executed in a few different ways.
- Reconnaissance is when vishing attackers collect voice samples from podcasts, webinars, or public recordings.
- Voice cloning uses modern AI tools to replicate speech tone, pitch, and personality almost flawlessly.
- Number spoofing is a technique to deliver calls that appear to come from legitimate or known contacts.
- Social engineering is a strategy in which attackers impersonate people trusted by their target or create urgency that pushes victims into quick decisions.
- Attackers also use multi-channel communication strategies whereby a scammer may follow up with fake confirmation texts or emails through other mediums to try to increase their credibility.
How to protect against vishing:
- Never share personal or financial information over the phone, even if the caller knows some of your details.
- Set up pre-agreed codewords with close relatives or colleagues that cannot be guessed solely from publicly available information.
- If a call seems suspicious, hang up and call back using the official number of the company or other contact information from your personal records.
- Listen for background noises or voice irregularities during a call.
- Be especially cautious with urgent requests.
3. Ice Phishing
Ice phishing is a unique digital threat in crypto. This type of attack does not aim to steal a user’s private keys, but instead it tries to deceive the victim into signing a transaction that grants the attacker control over the victim’s tokens. This attack method has become particularly dangerous as interest in DeFi continues to grow.
How to protect against ice phishing:
- Always verify smart contract addresses through trusted sources such as CoinMarketCap, CoinGecko, or Etherscan.
- Double-check wallet and contract addresses, not just the first and last digits of the contract but the entire string.
- When signing transactions, carefully review what actions the transaction will perform.
- Store long-term holdings in cold wallets and keep only a small amount in the wallets that you use frequently.
- Only interact with verified DeFi protocols and avoid unsolicited dApps or links.
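To make "review what actions the transaction will perform" concrete, the following added example (not CoinList code) decodes a transaction's input data and reports whether it is a standard token approval, who receives the spending right, and whether the grant is unlimited. It assumes the target of `approve` is an ERC-20 token; the spender address and sample calldata are constructed.

```python
MAX_UINT256 = 2**256 - 1

# 4-byte selectors of standard token functions that hand out spending rights.
APPROVAL_SELECTORS = {
    "095ea7b3": "approve(address,uint256)",            # ERC-20
    "39509351": "increaseAllowance(address,uint256)",  # common ERC-20 extension
    "a22cb465": "setApprovalForAll(address,bool)",     # ERC-721 / ERC-1155
}

def describe_calldata(data_hex: str) -> dict:
    """Decode transaction input data and report what control it grants."""
    body = data_hex[2:] if data_hex.startswith("0x") else data_hex
    raw = bytes.fromhex(body)
    selector = raw[:4].hex()
    function = APPROVAL_SELECTORS.get(selector)
    if function is None:
        # Not one of the listed approval calls; this decoder says nothing about it.
        return {"is_approval": False, "selector": selector}
    if len(raw) != 4 + 32 + 32:
        raise ValueError("malformed calldata: expected two 32-byte arguments")
    spender = "0x" + raw[16:36].hex()          # address = last 20 bytes of word 1
    value = int.from_bytes(raw[36:68], "big")  # amount, or 0/1 for the bool
    all_tokens = function.startswith("setApprovalForAll") and value == 1
    return {
        "is_approval": True,
        "function": function,
        "spender": spender,
        "value": value,
        "grants_control": value != 0,  # zero amount / false grants nothing
        "unlimited": all_tokens or value == MAX_UINT256,
    }

# Constructed sample: unlimited ERC-20 approval to a made-up spender address.
SAMPLE_SPENDER = "ab" * 20
SAMPLE_APPROVE = "0x095ea7b3" + "00" * 12 + SAMPLE_SPENDER + "ff" * 32

if __name__ == "__main__":
    for key, val in describe_calldata(SAMPLE_APPROVE).items():
        print(f"{key:15} {val}")
```

The `spender` field is the address to compare, character for character, against the contract address verified through a trusted source.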
4. General Best Practices
The following list includes some basic security best practices that can significantly reduce your risk of becoming a victim of any of the attacks mentioned above.
- Use strong, unique passwords (i.e., 12+ characters, mixed symbols, numbers, and letters).
- Enable Multi-Factor Authentication (MFA) with an authenticator app, not SMS.
- Avoid using cloud backup for authenticator codes, and store backup QR codes securely offline.
- Always verify official social media channels and communication methods on the company’s official website.
- Never click on any links (even if a friend sends them to you) unless you are 100% sure that the source is safe.
- Limit the personal information you share on social media (such as email addresses, phone numbers, or employer details), and review privacy settings to control who can view your content.
Staying informed and vigilant remains the first and most important line of defense for all crypto investors, especially as scams continue to evolve. Phishing and vishing will continue to grow in frequency as attackers adopt AI and social engineering at scale. By recognizing the warning signs and following best practices, you can protect both yourself and your digital assets.
Always remember that CoinList will never ask you to share personal credentials or transfer funds outside of our official platform. If you suspect you have been targeted by a phishing or vishing attempt that impersonates the CoinList brand, please report it immediately through our support portal.
Legal Notice
This blog post is being distributed by Amalgamated Token Services Inc., dba “CoinList,” or one of its subsidiaries. CoinList does not provide—and this post shall not be construed as—investment, legal or tax advice. This blog post and use of the CoinList website is subject to certain disclosures, restrictions and risks, available here.