Coinbase is attempting to combat a growing trend of social engineering scams. These scams have defrauded the platform and its users of millions of dollars. As recently as March, Coinbase users lost more than $46 million to these fraudulent traps. The beleaguered crypto exchange FTX is facing the same conundrum. Consumers contend with a combined $300 million in annual damages.

The company is implementing several measures to combat the rising tide of fraud, including industry collaborations, intelligence sharing, and user-controlled security features. Even with these initiatives, the sheer complexity and scale of these scams make it a formidable challenge.

High-Profile Scam Incidents Highlight Vulnerabilities

In recent months, a number of high-profile incidents have highlighted the susceptibility of Coinbase users to social engineering schemes. In one recent case, a user lost $850,000 in January after a scammer tricked them into resetting their Coinbase login. Eight months earlier, an equally careless user lost a record $4 million through a similar scam. In another recent case, one user was hacked for $6.5 million. The scammer used a spoofed number and posed as Coinbase support.

These cases demonstrate just how powerful social engineering can be. Scammers are very good at manipulating our better natures to get access to our accounts and our assets. Even security enhancements such as ‘allow lists’, which force users to whitelist the addresses they want to withdraw to, have shown themselves to be ineffective. The $850,000 loss in January occurred despite the user having enabled this feature, highlighting the limitations of current security measures against sophisticated attacks.

Multi-Pronged Approach to Combat Fraud

Coinbase is taking a three-pronged approach to tackle social engineering scams. The company continuously scans for and removes all known spoofed emails and fraudulent websites that scammers utilize.

We have several vendors that we use to do takedowns. So anytime we see a fraudulent phone number pop up, anytime we see a fraudulent URL [or] a fraudulent website get established, we will issue those for takedown. We’ll use our vendors to work with the DNS providers and others to bring those down as quickly as possible. - Jeff Lunglhofer

Simply put, the volume of these reports outstrips the exchange’s ability to handle them. Staying ahead of the scammers is always going to be difficult.

Coinbase is a proud participant in the “Tech Against Scams” initiative. This partnership brings it together with other industry leaders to fight online fraud and financial crimes, and seeks to pool knowledge, resources, and best practices to combat the ever-evolving tactics of scammers more effectively. In June 2022, Coinbase launched Crypto ISAC, a collaborative intelligence and information-sharing group. This effort is focused on increasing awareness of scams and other potential threats in the rapidly growing cryptocurrency industry.

In the context of the broader social engineering challenge that’s out there, of course, Coinbase customers are impacted. We’re keenly aware of it. We’ve been rolling [out] a number of control improvements to help protect our users, and, I think more importantly, we are working with the broader industry to bring these ideas and these control uplifts across the industry, across all crypto exchanges, across everything. - Jeff Lunglhofer

User Empowerment and Industry Collaboration

Beyond proactive measures, Coinbase aims to empower users to take charge of their security with features such as ‘allow lists’. This new feature allows users to limit withdrawal of tokens to whitelisted wallet addresses. It provides an additional line of defense against accidental or malicious transfers.

We offer every retail customer the ability to create ‘allow lists’ for wallets that they’re permitted to transfer assets to. On my personal account on Coinbase, I have ‘allow listing’ turned on, and I only have three wallets that are allowed. - Jeff Lunglhofer

Yet the $850,000 loss in January occurred even though the user had this feature enabled. This incident highlights how even user-controlled protections can be circumvented by crafty social engineering approaches.

Coinbase goes a step further in its security practices by flagging theft addresses. The company actively monitors and flags addresses associated with theft and scams, sharing this information with other exchanges to prevent further illicit activity.

We will communicate with other exchanges directly [and] let them know the addresses that we’ve seen where assets have been withdrawn. - Jeff Lunglhofer

Together, this collaborative effort goes a long way in making crypto a safer and more secure ecosystem for every crypto user.

Containing the spread of fraudulent phone numbers and websites continues to be a major problem.

Regrettably, they’re a dime a dozen. I can open ten of them in five minutes. It’s super easy to do. So there’s not a lot we can do about that. But, when we identify them [or when] a customer reports them, we do have them taken down. - Jeff Lunglhofer

Scammers can create something new and misleading with great ease. This serves as an important reminder of our ongoing and acute need for vigilance and innovation in fraud prevention.