background image


Phishing in the News: Coinbase Attack


The biggest cryptocurrency business in the U.S, Coinbase Global Inc., admitted to getting hit by an explosive phishing attack that stole funds from over 6000 of its customers earlier this year. This large-scale email phishing attack which caused quite a dent in the business’s reputation and reliability, came under much public scrutiny, pushing companies worldwide to brace themselves by taking some precautionary measures of cybersecurity. 

Before we talk about the best measures to prevent such a mishap, let’s look into what a phishing attack is. Phishing is a more traditional, et still evidently effective cybersecurity attack method directed at individuals all at once. Respondents to these phishing attacks are trapped when they give away critical information or access to the spammers.

But the recent attack on Coinbase customers was more sophisticated than that. The attackers were able to bypass or at least take advantage of a vulnerability in the two-factor authentication using SMS to customers’ registered numbers. Coinbase assumes that the hackers could have obtained user credentials through a prior scheme to carry out the attack. Reportedly, the company’s account holders have been receiving many phishing emails from March to April of this year, which marked the start of the events.

How the phishing attack affected Coinbase

Admittedly, the company has suffered many losses in the wake of the recent cybersecurity attacks, both materially and otherwise.  Financial and reputation losses are quite common for companies that face security breaches, even when the clients are refunded the lost cash.

As phishing attacks become more and more pre-planned and sophisticated enough to fool even some of the most internet-educated folks, companies must be on a cautionary side while taking security measures to protect their web infrastructure. By 2024, organizations adopting a cybersecurity mesh architecture will reduce the financial impact of security incidents by an average of 90%, according to Gartner Inc. Ticking just the bare minimum of check-boxes when it comes to site security won’t cut the chase in this era.

Coinbase had to cancel its new cryptocurrency lending product after an SEC (Securities and Exchange Commission) lawsuit. The company faced a lot of criticism over the lack of proper security infrastructure, even though they have claimed that there wasn’t an infrastructure breach in the first place.

As speculations on what exactly went through are on the rise, Coinbase is just one of the few companies coming under the microscope of regulatory authorities. Regulatory authorities are now planning better frameworks to govern financial institutions, including the crypto space.

Companies need to be more aware of their cyber security standing to avoid such regulatory notices before unwelcome events such as phishing or spear-phishing occur.

What can your company do to prevent similar phishing attempts?

While phishing attacks are becoming more common, there is no reason to lose hope because companies can guard themselves by undertaking the right security measures. Even with frequent awareness campaigns, customers can be dismissive of certain security advice at times. Like the Coinbase event, scammers can expertly disguise emails with messages to take urgent actions for account safety, misleading users to divulge critical and private information. But forcing users to adopt better security measures is a valid form of defence, whether through two-factor authentications or frequent password changes. On top of that, companies should undergo a well-established cyber security maturity assessment to gauge where they stand in the cyber security space.

Hence, some of the best ways to prevent phishing attacks are:

  • Two-factor authentication through apps: Authentication through SMS and email can be bypassed through weak links in the infrastructure. Encourage users to switch to authentication apps.

  • Better awareness campaigns: Companies must run very frequent awareness campaigns to help users identify phishing and scamming attempts.

  • Keeping a sharp eye on the customer front: Sometimes, companies tend to avoid checking how customers are handling their accounts.

  • Application security testing: This form of testing simulates hacks to prevent web and mobile-based attacks.

Organizations can never fully be prepared for security breaches without continual security management. It is this awareness that can protect a company from compromising its security in the long run.