How my Coinbase account was almost stolen

Jason Gewirtz is vice president of news at CNBC. Below is a personal account of an experience with a scammer.
Last week my cell phone rang. It was around 1:30 p.m. and the iPhone ID showed area code 650; I realized this was the San Francisco Bay Area. The caller ID listed the number as unknown but labeled it as coming from San Francisco.
Given San Francisco’s location at the heart of global innovation and technology, and the location of one of CNBC’s key bureaus, I answered even though I didn’t know who was calling; this is something people rarely do anymore.
The voice on the other end introduced himself as Brian Miller of the Coinbase security office. He immediately told me there was “suspicious activity” on my account and wanted to know if I was trying to log in with an iPhone from Frankfurt, Germany. I told him, “No, I haven’t been to Germany in 20 years and I’ve never used my cell phone to log into my Coinbase account.”
He told me that someone with the address “Mohamad25@gmail.com” was in my Coinbase account and was trying to make a transfer. The man claiming to be Miller then said: “I haven’t seen this before. He says he lost his phone on the conveyor belt at Frankfurt airport and needs access.” Miller paused for a moment and then said, “He’s trying to make another transfer right now.”
He continued: “I’m trying to figure out how he got access. He has your Social Security number, your phone, and your email address. He also gave us a photo that matches your Coinbase facial scan. Have you given anyone access to your information lately or noticed anything else suspicious on other accounts?”
“No,” I said.
Looking back, it’s pretty clear even to me that the attempted scam used classic pressure tactics to make me feel like I was in danger, so that I would make a quick decision rather than a smart one.
“They’re trying to scare you by making you feel like you’re a victim and they’re calling for help,” Rick Wash, a professor of information science at the University of Wisconsin, said in a telephone interview. Wash is a computer scientist who researched the possibility of electronic breaches two decades ago. He then began to combine his vast technical knowledge to focus on the personal side of fraud.
“I began to realize that the human factor is often the most critical factor in computer frauds,” Wash said.
Something had seemed out of place all along, but when Miller mentioned my photo, my suspicions grew.
“I never gave Coinbase my photo,” I told him.
“You had to do this in order to get an account. You may not remember doing this, but we are required to have this account due to know-your-customer rules,” he said. “He’s trying to make another transfer, but I’ve put it on hold so he can’t do it,” Miller told me later.
I asked him to send me an email so I would know he was actually calling from Coinbase. “I sent you a case number about 10 seconds ago, you should take it,” he said. Then he asked if I had something to write with and read me a six-digit number. I told him the email hadn’t arrived.
“Let me send another one,” he said. “This will have a new case number.”
He read a second number and then said: “I’ll wait until I get the email. It may not arrive in your inbox because it’s trying to change your email address. Check your spam.”
Both messages were in the spam folder masquerading as a Coinbase email.
The messages contained the same confirmation codes he gave me on the phone. There were no typos, just the Coinbase logo and a text box with all the important information. The email address appeared to be from Coinbase, but I thought it was odd that it didn’t have Miller’s name on it. Then I noticed another sign that something wasn’t right: the two emails came from slightly different addresses. One said “no-reply@mail-coinbase.com via sportuel.com” and the other said “support@info.coinbase via live-coinbase.com”.
“When was your last Coinbase transaction?” he asked. I thought about it for a few seconds and then remembered that I had purchased a very small amount of “Monad,” which I had never heard of before a guest mentioned it on “Squawk Box” last month.
Then he asked, “What are your total assets?” “Shouldn’t you know this?” I replied.
“I can’t say anything for confidentiality reasons,” he said.
So I gave him a wide range, embarrassed about how little money I had, and began to realize something wasn’t right.
Miller then told me that I really needed a “Coinbase Hard Wallet” and asked if I knew about it. I said I didn’t. He offered to help me with the setup.
“Should I change my Gmail password first?” I asked.
“It’s probably a good idea,” he said.
Then I asked, “Shouldn’t I change my Coinbase password?”
At that point he hesitated and said, “We do not recommend this. I have suspended your account at this time. If you change your password, it will freeze it for up to two weeks.”
I told Miller I had a meeting in five minutes and asked how long it would take to get the Coinbase Hard Wallet. He told me 20 minutes. I said I had to go but asked if we could talk again at 3 p.m. He promised to call me back.
Close call
When I hung up the phone, I tried to figure out what to do next. It didn’t look right, but a few details were in order. I checked my account. Nothing seemed abnormal.
I later received the email addresses he sent. I copied them and asked Claude, Anthropic’s AI chatbot, if they were legitimate. “This is almost certainly a PHISHING scam,” came the response.
Many red flags were raised, including that the messages were coming from the wrong domain.
“The real Coinbase sends emails from @coinbase.com, not @live-coinbase.com. This hyphenated domain name is a classic phishing tactic,” according to the AI program’s notes. Claude also flagged the suspicious “via” address: “Legit companies do not route emails through third-party domains like this,” according to the AI program.
“Thank you, Claude,” I said to myself, and at the same time I was thinking, “That was close.”
I called a former contact in Coinbase’s PR department and she said, “I don’t work there anymore, but this is probably a scam. Coinbase doesn’t call people.”
She promised to send details about my situation to the current team at Coinbase, who texted and called within minutes to confirm it was a scam.
The caller ID “Coinbase” was flashing on my phone, and since I was expecting the call, I was willing to trust him, although I was a little nervous at first. I told the Coinbase rep that I would transcribe the entire 15-minute conversation for him, hoping they could use it to warn others… then I decided it might make a good article for CNBC.com.
Coinbase agreed. A spokesperson who frequently deals with security issues said the company has ways to prevent people from being scammed, including monitoring large transfers or flash sales from accounts that don’t typically transfer or sell crypto, even if the victim is fooled.
“We are heavily invested in prevention, detection and rapid response,” the spokesperson said in an email. The representative added that Coinbase would never tell a customer to transfer crypto to a secure wallet. “If someone tells you to transfer funds to protect them, it is a scam,” the spokesperson said.
Coinbase also acknowledged that AI is a multiplier in fraud attempts and the quality of scams.
“Attackers are using a variety of bots and AI automations to streamline workflows,” the company said, noting that AI voice agents are being used “to create more believable automated calls.”
According to ZeroShadow, a company that tries to return stolen crypto assets to their rightful owners, its system saw a 1,400% increase in “impersonation scams” last year.
“Attacks come from inside and outside the United States, but the people behind the scams often try to recruit and train less inhibited young men or teenagers,” said ZeroShadow CEO Casey G., who asked that his full last name remain private due to security threats. “They sell them scripts and sometimes voice modulation devices.”
The CEO said his firm has recovered nearly $200 million from victims over the past four years, but acknowledged it has been a difficult process.
“We can track the crypto once it leaves your account, but getting it back is not that easy,” he said. “We need help from local authorities. Cryptocurrency has less protection than the traditional banking system in the US.” Casey G. also said that artificial intelligence is being used by fraud chiefs to increase their workforce.
One of the most successful techniques used by the fraudster was to create a sense of urgency. While we were talking on the phone, I was almost tricked into taking action or providing information by being told that there was an initiative going on. I felt my pulse quicken and I had the instinct to stop whatever was happening.
Anti-fraud experts say it’s a common tactic as bad actors buy and sell successful “scam scripts” on the dark web. Coinbase said it advises people to “slow down, pace, verify things independently, and not act under pressure.”
Be careful out there.


