Crypto crimes: Direct message scams

Direct message (DM) scams are the modern version of a tactic that has existed for hundreds of years in different forms. Letters from imprisoned noblemen, emails from deposed African kings, and DMs from Adam Back all fall into the same category of social engineering, as a way to deploy various scam tactics.

A common format is to get the victim to send funds by promising large returns, but DM scams encompass a whole book of tricks designed to make you give up your money. While they may still take the form of an advance fee scam — pay now, be rewarded later — the instantaneous nature of DMs grants scammers much more flexibility in creating and selling a narrative, enhanced by close, real-time contact with the victim. Scammers can answer questions, assuage fears, and put pressure on their target to increase the likelihood of the scam working.

This article takes a look at some of the different ways scammers operate over direct message, and lays out some guidelines to help you avoid these scams in future. If you’ve been a victim of a direct message scam and would like to contribute your insight to this piece, please reach out using the comment section.

Problem: Direct messages from scammers appear on every platform

One of the places you are most vulnerable to a DM scam is on social media. Many of us have public profiles which anyone can reach out to by direct message, so scammers can glean personal information about their victim and tailor messages to be more personalized, making victims more likely to respond.

The problem with social media is that few people observe good practices for protecting their personal information. Public profiles should ideally be anonymous, or at least pseudonymous, to prevent strangers from finding out valuable information. People’s online accounts and public comments reveal a lot and allow anyone to build a personal profile that can be leveraged by scammers.

Public forums, message boards and social media feeds are often used to ask questions and seek help. In crypto, asking for help makes you a target for impersonators and other attackers. Of all the platforms, Reddit is among the worst, with users reporting scammers approaching through DMs any time a cryptocurrency-related question is posted. The huge number of ‘throwaway’ accounts run by scammers and bots are exacerbated by a lack of moderation, meaning victims need to identify the scam themselves or risk losing their funds.

In the next sections, we’ll cover why direct message scams are so effective and how they work, both from the social engineering side and in terms of the payload: some scammers will send you to phishing sites while others are interested in harvesting data to use in another form of attack, such as mailing victims compromised hardware wallets, offering exclusive access to fraudulent trading groups, tricking users into sharing their seed phrase, performing SIM swaps, or for carrying out identity fraud.

Why scam messages are so effective

Direct message scams depend on three factors to be successful:

1. Attacks are personalized: scammers will reach out to users who are part of a specific group and therefore likely to respond to the narrative the scammer has created. They can then tweak and personalize their conversation to each individual.

2. It’s cheap to hit and run: running a scam of this sort can be as simple as creating a new free account and sending some messages. Even at scale, automation using bots is simple and lets attackers filter for more suitable targets.

3. There are always more victims: the success rates for message scams are a tiny fraction of those targeted, but there is little stopping the scammer from simply moving on to another target. While security education is slowly improving, many people still do not treat DMs with proper caution.

All three of these point highlight that message scams are endemic to communications channels. While there is an argument for enforcing stricter moderation on platforms, it is unlikely to have much impact. The most effective thing that can be done is to raise awareness and continue to reduce the number of potential victims through education.

How direct message scams work

Messaging apps linked to social profiles create the perfect environment for scammers to be creative. There are hundreds of stories a scammer can tell, from wild fiction to perfectly plausible, but there certain frameworks that regularly appear.

Common tactics used by scammers

These are some common ways scams are presented which take place on messenger apps:

Helpers are scammers who will find people posting for help with crypto issues. This is an easy way to find desperate people who are more likely to trust the scammer. Helpers will either talk the victim into giving up access to their accounts or seeds, or link the victim to a phishing website that harvests seeds or contains malicious software. Helpers pretending to be Trezor support are common on Reddit, so always remember that Trezor support will never start a chat.

Service providers will present themselves as employees of desirable services such as trading groups, high-interest lending or staking, crypto miners, or other type of business. Promising high returns for modest investments, they can appear legitimate and even deliver some profits — in traditional ponzi style — before disappearing with the funds.

Impersonators are fake accounts designed to look like accounts of celebrities or influencers. They may even have a large following if they have access to hijacked or fake accounts. Impersonators can flatter the victim before asking for help or offer a special opportunity like free coins, trading courses or more. Impersonators are particularly common on Twitter.

Bots can serve different functions, from broad to very specific. They are rarely designed to be clever, rather they target many accounts at once to serve links to malicious sites or to test whether the target is likely to fall for one of the scams tactics above. Bots have a large attack surface and even experienced users can fall victim to them in a lapse of attention.

Remember that even if an online chat with a stranger seems innocent, they could be extracting information to use in another scheme. Simple questions can reveal a lot about you and your security model. Never provide any information that could reveal your address, finances, or any other sensitive information in DMs.

Warning signs of scam messages

There are many ways to present a scam, from obvious to subtle. Warning signs like typos are often intentionally included in the scam message to filter out more cautious targets, but it’s not always the case.

Some of the red flags that can indicate a scam is taking place include:

Modified username: imposters often use celebrities’ usernames modified with special characters. If you are contacted by someone claiming to be a famous account, make sure you check the name is correct

Low follower count or young account age: followers can be a good sign that someone has a reputation. Low-follower accounts or new accounts can indicate that the account is run by scammers. Unfortunately, follower counts can be gamed using bots or compromised accounts, so always proceed with caution.

Links to tools and services: never click on an unknown link sent by a stranger. There are many ways a link can be malicious, and you could end up installing malware or giving critical data to a phishing portal.

Typos, poor grammar: as mentioned above, these can be used to identify people who are more likely to fall for the scam. In these cases some people are tempted to ‘mess’ with the scammer, but it is better to simply report and ignore such messages as you may inadvertently give them more information than you intend to, or give them a reason to double-down on trying to attack you.

Overly interested in your habits: questions about your trading or investment preferences and other personal information is often part of getting users to buy-in to the scam, but it can also reveal information that can later be used against you.

Promising financial return: often imposters of high-status accounts will promise unbelievable returns on small investments, or even to simply double your coins. Remember that crypto transactions are generally irreversible so any money you send can not be recovered.

Sense of urgency: scammers will often create stressful situations to force you to act quickly and overlook red flags. If you are ever told about a security risk, it is best to look for official communication from Trezor — it is very unlikely that an exploit has been discovered without it first being disclosed to security teams by researchers. Always remain calm and perform proper checks before thinking of responding to these kinds of messages.

It is best not to play with scammers because it can cause the situation to escalate. It is likely they are part of an organized crime group with multiple tools and resources at their disposal. Physical dangers are very real in the crypto space, as criminals know that self-custody assets like Bitcoin can not be recovered and will physically harm their victims to extract information. Do not share personally identifying information online and make a habit of reporting scammers without responding to them.

Even seemingly obvious scams can claim less diligent victims, so we as a community need to protect our most vulnerable members. Make sure to report and publicly share information about scams so we can better combat this growing problem.

How to protect yourself from direct message scams

Avoiding scams depends on a combination of knowing what warning signs to look out for, and protecting your private information as a matter of routine.

1. Be wary of anyone who contacts you. Trust has no place in crypto — always verify the legitimacy of any query that lands in your inbox before acting upon it, and avoid clicking on unfamiliar or unsolicited links. On sites like Twitter you can close your DMs to the public so only accounts you follow can contact you, minimizing your exposure to these sorts of scams.
2. Understand what data is critical to security. Your wallet backup is the master key to all your crypto addresses and private keys. Never enter it on a network-enabled device and never share it with anyone. Only use your seed if your Trezor shows instructions to do so on its display, and only enter your seed using the method specific to your device.
3. Don’t trust numbers alone. Follower counts, app ratings and other data can help identify scams, but they can be faked. Take extra steps to verify whether the person contacting you is actually who they claim to be. Official high-profile accounts have been hacked in the past, so be careful even if the account can be verified.
4. Use a hardware wallet. The safest place for your seed is offline. Trezor hardware wallets create and store your seed permanently offline. As long as you follow instructions and don’t voluntarily share your seed online, there is no way for a scammer to access your funds.
5. Don’t accept message requests without reason. Just because someone contacts you does not mean you need to engage with them. Only accept messages where you know the sender.
6. Be more private online. The only way to protect your data is to never give it out. Anonymize your social media accounts and do not share personal information anywhere. There is always an alternative, such as using a drop-off point for deliveries and having multiple email addresses for different purposes.
7. Be especially wary of discussing crypto online. Never discuss how much you hodl, even if it seems small. As bitcoin’s value increases, you will inevitably become a target for theft. As an asset designed for self-custody, you must take responsibility for security more seriously.

What to do if you are scammed over direct message

Native digital currencies can make digital crimes more efficient. Decentralization means that there’s no-one with the power to reverse a transaction, so criminals have a higher chance of getting away with any money they steal. Even cryptocurrencies which are not properly decentralized will likely not take steps to restore the funds unless the amount is significant and many users were affected.

Transparency of blockchain networks allow funds to be traced but organized scammers have tactics to cover their tracks. The reality is that once funds are stolen, they are likely lost forever. That said, it is still important to share information publicly to help others avoid the scam, and potentially receive support from the community to trace and even freeze the funds, should they be sent to any centralized exchanges.