Scams and phishing

Phishing and vishing (voice phishing) are ways that cyber attackers trick users into revealing sensitive information. Trezor users are often targeted with fake emails, websites, or phone calls that appear to be from Trezor. Attackers may ask users to enter their wallet backup, provide login credentials, or connect their device to a malicious website.

Scammers often use AI voice and video technology to impersonate customer support agents. Modern AI can be highly convincing and personalizes scams to deceive users.

As AI advances, identifying scams based on the quality of communication will become increasingly difficult. Therefore, it's essential to focus on the content of the communication. Requests for your wallet backup, passwords, 2FA codes, or any personal information are clear red flags of a scam.

Remember - if you self-custody your cryptocurrency, you are the only one that has control over it. This means that you will never be asked to provide Trezor or any other legitimate companies with information regarding your cryptocurrency and your wallet backup - you own it, and no one else can control it. This is exactly why scammers are so convincing in order to get their hands on your wallet backup - once they have it, they have access to your entire wallet.

The only circumstances under which you will have to do anything are updating your Trezor device's firmware and Trezor Suite, which are both done through the desktop app.

For more information about AI, scams and phishing, please watch the video below: 
 

  

Once attackers have access to a wallet backup, they can transfer all the funds to their accounts, leaving victims with nothing. To avoid falling victim to these scams, always double-check the authenticity of any communication or website and keep software and firmware up to date.

 

Here are some additional details and examples to help you identify phishing scams:

 

• Be wary of urgent or threatening language. Scammers may use urgent or threatening language to pressure you into taking immediate action. For example, they may claim that your account will be suspended or that you'll lose access to your funds if you don't act quickly.

 

• Watch out for suspicious email addresses. Scammers may use email addresses that are similar to the legitimate company's email address but with slight variations, such as a different domain name or a misspelling. For example, instead of @trezor.io, the scammer may use @trezorr.io.

  

• Be cautious of unsolicited messages. If you receive a message from someone you don't know or weren't expecting, be cautious. Scammers may use fake social media profiles, emails, or messages to contact you and try to steal your information.

 

• Don't click on links or download attachments from unknown sources. Scammers may send links or attachments that can infect your device with malware. Always verify the sender and the contents of the message before clicking on any links or downloading any attachments.

 

• Look for spelling and grammar mistakes. Legitimate companies take great care to ensure their communications are free of spelling and grammar errors. Mistakes in a message can be a red flag for phishing attempts. However, even error-free messages are not always legitimate—modern AI tools enable scammers to craft highly convincing and professional-looking messages. Always verify the content and source of any communication. 

​​​​

By keeping these additional tips in mind and following the original ones, you can protect yourself from phishing scams and keep your digital assets safe.

Please watch the video below to learn more about keeping yourself safe from phishing attempts: 
 

  

Things to Remember:

AI makes identfying scams even harder

Scammers often use AI to impersonate support agents, leveraging advanced text, voice and video technology to seem legitimate. Always scrutinize the content of any message you receive—if it asks for sensitive information like your wallet backup, password, or 2FA code, assume it’s a scam and stop engaging immediately. Protect your details and never share them with anyone.
 

Bookmark legitimate and trusted sites

One way to ensure that you are accessing a legitimate Trezor web wallet is to bookmark it in your browser. This will allow you to quickly access the site without having to type in the URL each time. Make sure to only bookmark web wallets that are known to be legitimate and trusted, such as https://suite.trezor.io/web. By doing so, you can reduce the risk of falling victim to a phishing scam and keep your digital assets safe.
 

Download Trezor Suite safely

To ensure that you download the genuine Trezor Suite application and avoid falling victim to phishing scams, it is crucial to only download it from the official Trezor website at https://trezor.io/trezor-suite.
 

A passphrase offers additional protection against phishing attacks

By creating a unique, strong passphrase, you make it harder for attackers to gain unauthorized access to your account even if they obtain your rwallet backup. Keep your passphrase confidential and separate from your wallet backup to enhance your security against phishing attempts. Never share it with anyone! For Trezor Model T, Safe 3 and Safe 5 users, we always recommend entering your passphrase on the Trezor itself using the touchscreen or buttons.
 

 

Trezor will never contact you via text messages or a phone call

If you receive a message claiming to be from Trezor via text message, WhatsApp, Telegram, phone call, or postal letter, treat it as a phishing attempt. Report the message as spam and block the sender immediately. Trezor will never contact you through these methods. Exercise caution with unsolicited communications and verify their sources. Report any suspicious activity to Trezor's official channels. Stay vigilant and safeguard your digital assets.
 

Never share or create digital copies of your wallet backup

Your wallet backup is the key to your digital assets and should be kept confidential at all times. Sharing it or making digital copies can put your assets at risk, as they may become accessible to hackers or unauthorized individuals. To ensure the security of your investments, store your wallet backup in a safe and secure location, away from prying eyes. Protect your digital wealth by keeping your wallet backup private.
 

 

Only interact with Trezor's official channels for your safety and security

Authentic SatoshiLabs domain names:
@trezor.io

@invity.io

@vexl.it

@tropicsquare.com

@satoshilabs.com

Our official social media channels are:
twitter.com/trezor
instagram.com/trezor.io

Our affiliate program also has unique links that help to identify them as partners, which include:

https://trezor.go2cloud.org/
https://affil.trezor.io/
 

Trezor cannot and will not deactivate your device

Some phishing attempts try to trick you into believing that your Trezor device will be 'deactivated' or 'blocked' due to KYC (Know Your Customer) reasons. However, Trezor is not able to 'block' or 'deactivate' your device. Any request asking you to do so is fraudulent.
 

How to report Phishing Scams

To report a phishing message, simply type “I want to report phishing” to Hal and follow the instructions. Hal will guide you through the process of reporting the message and provide you with any additional information you may need. By reporting phishing attempts, you can help protect other Trezor users and prevent cyber attackers from stealing digital assets.

Additionally, it's recommended to keep an eye on our official Trezor Forum for any news or updates concerning security.

By taking these precautions outlined in this article and staying informed, you can enjoy the security and peace of mind that comes with using your Trezor.
 

Want to learn more? 

If you want to dive deeper into phishing and scams and learn more about protecting yourself, watch our full podcast on the topic here: