Blockchain Blog

PSA: Phishing Defense

Dear Blockchain Users,

Don’t be a phish! Blockchain is a target for multiple phishing attacks. Phishing is where an attacker builds a replica website that looks identical to but is on a different domain. They depend on an unsuspecting user making a typo, or clicking on an email link, or a Google Ad that directs them to the phishing site. If you log on using your Blockchain credentials on that site, they will steal your login and password (and sometimes your two-factor code), which they will use to steal all your money.

We are coordinating with service providers and domain registrars to take down these sites as soon as we are aware of them, but they will keep changing domains and stealing funds even if they are only up for a few days.

Here’s what you can do to avoid phishing attacks. Try one or more of the suggestions below:

  • Use two-factor authentication. This is not sufficient, but makes it harder for attackers.

  • Use the secondary password (Under Account Settings/Security in the Blockchain wallet), which is required to send funds out of an address. This is also not entirely sufficient but again makes it harder for attackers.

  • ALWAYS check that the site is protected by an SSL certificate. This is not sufficient, but makes it harder for the attackers.

  • NEVER click on a login link in an email, Google Ad, or use Google Search to access Type it in yourself or use a bookmark.

  • ALWAYS type into the URL bar yourself, carefully checking for typing errors.

  • BETTER: Use a bookmark to on your bookmark toolbar instead, this is the best and most foolproof way.

  • BETTER: Use the Blockchain extension (add-on) for Firefox or Chrome. This is an application that contains all the JavaScript and is the most secure way to access the Blockchain wallet.

  • Do not install extensions or add-ons you do not trust, as these can hijack your browser or replace bitcoin addresses.

  • Use a different browser for everyday browsing than the one you use for access to For example: Use Chrome to browse, and Firefox without any add-ons (or with only the Blockchain add-on) to access Or the other way around, use Firefox for general browsing and Chrome for wallet access.

  • Do not use Internet Explorer. Just… don’t.

If you see a phishing site, please report it by using phishing-defense provider Netcraft’s online report tool. Netcraft will forward your report to Google and various ISPs, anti-virus vendors and browser vendors.
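
The domain and SSL checks from the list above can also be automated, for example when sorting links before reporting them. The following is an added example, not code from Blockchain: `wallet.example` is a placeholder for the genuine domain, the sample URLs are constructed, and taking the last two host labels as the registered domain is a simplifying assumption.

```python
from urllib.parse import urlsplit

# Placeholder for the genuine wallet domain (assumption, not from the post).
EXPECTED = "wallet.example"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify(url: str, expected: str = EXPECTED) -> str:
    """Return 'genuine', 'insecure', 'lookalike' or 'other' for a URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")   # hostname is lower-cased
    if host == expected or host.endswith("." + expected):
        # Right domain: still require HTTPS, as the list above advises.
        return "genuine" if parts.scheme == "https" else "insecure"
    # Compare only the registered part so "login.wal1et.example" is caught.
    # Simplification: assumes the registered domain is the last two labels.
    registered = ".".join(host.split(".")[-2:])
    if 0 < edit_distance(registered, expected) <= 2:
        return "lookalike"      # one or two typos away from the real name
    return "other"


if __name__ == "__main__":
    # Constructed sample URLs, for illustration only.
    for sample in ("https://wallet.example/login",
                   "http://wallet.example/login",
                   "https://wal1et.example/login",
                   "https://login.walet.example/",
                   "https://news.test/"):
        print(f"{classify(sample):10} {sample}")
```

A "genuine" result only means the host and scheme match; it says nothing about how the link reached you, so typing the address or using a bookmark remains the safer habit.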