🕵️ How to spot phishing attempts

Phishing attempts are deceptive tricks bad actors use to try to fool you into sharing sensitive information or your account credentials.

Like chameleons, phishing attempts often change their appearance to try to blend in with legitimate communications, and the consequences of falling for a phishing scam can be serious.

This is why being cautious is key, even if you think you’re too clever to be fooled (or maybe especially if you think you’re too clever to be fooled). 

Here’s a quick guide we’ve created to help you recognize phishing attempts and impostors trying to pose as Shakepay.

Keep reading to know what to look for, and what to avoid. 👇

How we get in touch

We only communicate with you via in-app chat (Settings > Help > Support chat) or email, or through our official blog or social media channels. These are:

We’ll never contact you via WhatsApp or Telegram

If someone pretending to be a member of our team ever attempts to contact you through a platform we don’t support, you can assume that this is a phishing attempt. Don’t take the bait! Instead, report the message as spam and block the sender.

Tips for communicating with us via email

Bad actors sometimes register fake domain names designed to look almost like ours, but with subtle differences in spelling (for example, “Shakeppay”, “Shake-pay”, “Shakeqay”, etc.).

To email you, we always use one of these two domain names:

  • @shakepay.com
  • @shakepay.co

We own both .com and .co, so you can consider any email communication coming from either domain name to be legitimate.
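
The domain check described above can also be automated. The sketch below is an added example, not Shakepay's own code: it compares the sender domain of a From: header against the two domains listed above and flags near-miss spellings. The function names, the edit-distance threshold of 2 and the sample headers (on the reserved .example TLD) are assumptions made for illustration.

```python
from email.utils import parseaddr

OFFICIAL = {"shakepay.com", "shakepay.co"}  # the two sender domains listed above
BRAND = "shakepay"

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header):
    """Return 'official', 'lookalike' or 'unrelated' for a From: header value."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if domain in OFFICIAL:
        return "official"
    # Everything below is not one of the two listed domains (subdomains included).
    for label in domain.split("."):
        squeezed = label.replace("-", "")        # "shake-pay" -> "shakepay"
        if BRAND in squeezed:                    # brand on another TLD or as a prefix label
            return "lookalike"
        if edit_distance(squeezed, BRAND) <= 2:  # "shakeppay", "shakeqay" (assumed threshold)
            return "lookalike"
    if BRAND in name.lower().replace(" ", ""):
        return "lookalike"                       # display name claims the brand, address does not
    return "unrelated"

# Constructed sample headers, not real messages.
SAMPLES = [
    "Shakepay <support@shakepay.com>",
    "support@shakeppay.example",
    "support@shake-pay.example",
    "support@shakeqay.example",
    "billing@shakepay.com.example.net",
    "Shakepay Support <help@mail.example.net>",
    "newsletter@example.org",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):10} {header}")
```

The function compares spelling only. It does not confirm that a message was really sent from that domain, which is the job of the mail provider's SPF, DKIM and DMARC checks and of the anti-phishing code described further down this page.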

Also, we’ll never ask you to:

  • Send or move crypto to an external wallet
  • Share your password or 2FA code
  • Share your screen using a remote desktop application
  • Connect your wallet to an external platform

If you’re getting requests like these, they’re not coming from us.

Anti-phishing codes

We also recently introduced anti-phishing codes at the bottom of any account activity email we send you.

An anti-phishing code is a unique sequence of characters that helps you distinguish authentic communications sent by our team from phishing attempts.

Here’s what to look for: 

You can copy your anti-phishing code and verify it in the app – it’s easy. Just:

  1. Open any account activity email you received from us and copy the anti-phishing code that appears at the bottom.
  2. Go to “Settings” in the app and select “Security and privacy”, then “Anti-phishing code”.
  3. Enter your anti-phishing code in the text field, then press “Verify code”. If your code matches our records, you’ll know right away. You’ll also be able to check to see if the email title and timestamps match.

SMS (Text messages)

We only use SMS to send you a two-factor authentication (2FA) code so you can securely sign in to your account. We’ll never send you a link to sign into your account by SMS.

If you receive any other communication via text message from someone claiming to be from Shakepay, contact us via in-app chat and let us know what happened.

Phone calls

We don’t currently offer phone calls for customers. If you receive a call from someone claiming to be from Shakepay, hang up and reach out to our team via in-app chat to explain the situation.

Fake websites posing as Shakepay

A popular phishing tactic is to create a fake website meticulously designed to look like the official site or communications of a legitimate company, like Shakepay. 

The goal of the bad actor operating this fake site is to try to deceive you into entering your account credentials, personal information, or even transferring your Bitcoin to a different address under the guise of a legitimate transaction.

Here are a few tips to help you protect yourself:

  • Double-check the URL: Make sure the website's address is the correct one (https://shakepay.com/). Look out for subtle misspellings or unusual characters.
  • Use official links: Always use the official links provided in our app or through our verified communications.

Fake accounts posing as members of our team

Bad actors sometimes create fake accounts to try to pose as the CEO of a company (or other high-ranking people, or even employees).

If you receive a message on social media or via email from someone claiming to be our CEO, Jean Amiouny, or anyone working at Shakepay, make sure the message is coming from a legitimate source. 

Watch out for:

  • Urgency and pressure: The message is pressuring you to act quickly, with threats or warnings of serious consequences.
  • Requests for sensitive information: No one at Shakepay would ask you to share sensitive information via social media.
  • Suspicious email addresses: The sender's email address looks similar to our official shakepay.com but with subtle differences, like an extra letter.

If you believe you’ve come into contact with someone pretending to be someone they’re not or acting suspiciously, take a moment to report this to our team through our in-app support chat so that we can investigate.

Recap: What to do, what to avoid

✅ Do

  • If someone reaches out to you via email pretending to be a member of our team, double-check with us by contacting us via in-app chat.
  • Install an authenticator app and consider adding a passkey to make your account even more secure.
  • If you receive an email that seems to be coming from Shakepay, please double-check the email domain name to make sure there are no subtle spelling errors and look for an anti-phishing code.
  • If someone reaches out to you via social media, report the account, block it immediately, and contact us via in-app chat to report the incident.
  • If you’ve received a phishing attempt or you’re aware of a suspicious website, you can report it to Google Safe Browsing.
  • Stay alert for any communication that feels out of place or requests unusual actions.

❌ Don't

  • Don’t send crypto to a Bitcoin or Ethereum wallet address if you don’t know the recipient and don’t have control over the wallet.
  • Don’t follow any instructions provided to you until you’ve made sure the message is really coming from a member of our team.
  • Avoid sharing credentials or financial information on social media or messaging platforms.
  • Don’t reuse passwords across multiple accounts. If a bad actor were to gain access to one account, they might be able to access others.
  • Don’t let urgency or fear cloud your judgment. Bad actors often create a false sense of urgency to force you to act quickly. Take your time and verify the authenticity of a communication.
  • Remember: We’ll never ask you to move your crypto or send crypto outside of Shakepay.

Wrapping up

Remember: Staying alert and keeping watchful eyes is your best defense against phishing. 🦉

Question the authenticity of suspicious communications, stay informed, and enable security measures on your account like passkeys (which are highly resistant to phishing) or 2FA with an authenticator app (TOTP).

Again, if you come across any suspicious activity or communications or if you’re not sure, contact our team via in-app chat, just to be safe. We’re here to help.