- Look for misspellings or slight variations in domain names
A website’s name is often purchased on a domain name service. This means the name is reserved for the person or organization who bought that particular word or combination of words. Attackers often use very similar names but with slight variations in the actual spelling of the domain.
Another common tactic is to buy the same domain name but with a different extension. For example, if the domain name is under the .com extension, attackers will buy the same name but with .org, .io, .site, or any other valid extension on the market.
The official website for Yoroi Wallet is https://yoroi-wallet.com.
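The check described above can be automated before a link is opened. The following is an added example, not code from Yoroi: it compares a link's hostname against the official domain named on this page and labels misspellings, extension swaps, and the official name embedded in another domain. The function names, labels, the `max_typos` threshold, and the sample hosts are assumptions made for illustration.

```python
from urllib.parse import urlsplit

OFFICIAL = "yoroi-wallet.com"  # official domain as stated on this page

def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute), two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url, official=OFFICIAL, max_typos=2):
    """Label a link's hostname relative to the official domain (hypothetical helper)."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    if host == official or host.endswith("." + official):
        return "official"
    labels = host.split(".")
    # Non-ASCII or punycode labels can hide look-alike characters.
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return "non-ascii"
    if len(labels) < 2:
        return "unrelated"
    # Assumption: the registered name is the second-to-last label. That is wrong
    # for multi-part suffixes such as .co.uk; a Public Suffix List handles those.
    name, tld = labels[-2], labels[-1]
    off_name, off_tld = official.rsplit(".", 1)
    if name == off_name and tld != off_tld:
        return "different-extension"
    if edit_distance(name, off_name) <= max_typos:
        return "misspelling"
    if off_name in host:
        return "embedded-name"
    return "unrelated"

if __name__ == "__main__":
    # Constructed sample links on the reserved .example suffix, not observed sites.
    for link in ["https://yoroi-wallet.com/download",
                 "https://yoroi-wallet.example",
                 "https://yoroi-walet.example",
                 "http://yoroi-wallet.com.login.example/",
                 "https://yoroi-w\u0430llet.example"]:  # Cyrillic "a"
        print(f"{classify(link):20} {link}")
```

Only the `official` label means the hostname matches; every other label is a reason to stop and find the link through the project's own channels.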
- Check for secure connections (https://)
Legitimate projects and products almost always buy a security certificate for their website. When you go to a site that uses HTTPS (connection security), the website’s server uses a certificate to prove the website’s identity to commonly used internet browsers such as Brave, Chrome, Opera, Edge, etc.
This gives some added measure of security that the site is the correct one.
Yet, an SSL certificate by itself is not enough to ensure the authenticity of a site.
It’s a good first line of defense, but other verification methods are also needed as all good scams use SSL certificates. If a website does not have an SSL certificate, that may be a cause for concern, but having an SSL certificate should not inspire confidence on its own.
- Be wary of unsolicited messages
Attackers often contact crypto users on popular social media applications such as X, Reddit, Telegram, Discord, and others with promotions for airdrops, giveaways, general investment opportunities, and other “too good to be true” campaigns. Any unsolicited message should be viewed with caution and suspicion. Never give any personal information to people who message you at random, and never click on any unverified link provided in those messages.
- Asks for a user’s private key, seed phrase, or other sensitive information
The seed phrase is the master key of any crypto wallet. A dApp will never ask for the seed phrase of a wallet to work, as it only needs the user’s signature on a transaction. Therefore, always leave any site asking for this information.
- Download wallets exclusively from official sources
The battle against such scams necessitates a dual approach, combining user vigilance with community-driven education.
For users, it is imperative to download wallets exclusively from verified, official sources. This cannot be overstated: it is the first line of defense against fraudulent schemes.
Moreover, the open-source nature of projects like Yoroi Wallet offers an additional layer of security, allowing the community to inspect, audit, and verify the integrity of the software they’re entrusting with their assets. This culture of transparency and self-custody is emblematic of the broader Cardano ecosystem’s ethos, which champions decentralization and user empowerment.
As the crypto community continues to navigate these challenges, fostering an environment of awareness and skepticism towards unverified sources becomes crucial in safeguarding digital assets against the threat of fake wallets.
Some tips to avoid downloading a fake wallet:
- Always go directly to the developer’s official website for the proper download links.
- Double-check the App Store details.
Also, before installing the app, review the publication on the store and ask yourself:
- Does it have an adequate number of reviews?
- Who is the developer?
- Are there multiple versions of the same app?
- Are there spelling errors or poor grammar?
- Verifying website authenticity
As stated before, attackers use slightly different spelling or a different extension to lure victims to a fake website. For this reason, never click on a link provided in a message, tweet, post on a message board, email, or any sort of public forum.
If a crypto product or dApp has caught your attention, look for URLs found through official sources. Verify the URL with the project’s official channels (more than one), join the community, and read some of the messages to verify they are talking about the project as explained. There is no way to verify a project with 100% certainty, especially if it is small or has been around for only a short period.
Here, the best advice we can provide is to have a secondary wallet, one that holds minimal funds, or better yet, no funds. That way, when a site asks to sign a suspicious transaction, no crypto assets are at risk.
- A very strong sense of urgency
Stop and carefully review any transaction before it’s signed by your wallet. This is the last stop before any change is made to the balance of a crypto account, so there is no need to rush. That is the main stopgap that prevents any sort of funds from being misallocated.
So, before signing a transaction, always take your time to review the input required and the expected result. No one can move funds from a crypto wallet without the user’s signature on a transaction.
- Be wary of NFTs or tokens appearing in your wallet
If digital tokens or crypto that you did not purchase directly suddenly appear in your wallet’s balance, be very cautious with them. In some cases, projects do send tokens or NFTs to users for free to create buzz for a new service or platform.
Yet, this practice has been corrupted by attackers who instead use these assets to direct users to a scam website. If a token directs you to a website, don’t use the link provided. Instead, research the project, go through their socials, and see if the token is legitimate.