MailGuard 10 March 2023 15:36:22 AEDT 7 MIN READ

Crypto Users Told to “Verify Your Wallet” in New MetaMask Scam Email

Despite recent crypto crashes and uncertainty, the digital currency marketplace continues to expand globally, with more than 420 million individuals owning some form of the 12,000 cryptocurrencies available. With the crypto market valued at more than $1 trillion, it has become an attractive target for cybercriminals seeking profit. 

The MailGuard team is continuously blocking phishing attacks that impersonate well-known cryptocurrency wallet services with the motive of stealing funds. Today, the team began blocking a new scam that mimics MetaMask, crypto wallet software with more than 30 million users worldwide. The email lands in inboxes with the subject "Your wallet will soon be suspended." and the sender name "Meta-Mask". The sender's email address is the only thing that may raise alarm bells: it shows "info(at)plusone-home(dot)co(dot)jp", which appears to be a compromised account from a Japanese construction business.

The email uses MetaMask branding and warns, "Our system shows that your wallet has not yet been verified", before alerting the recipient that their account will be suspended the next day. This tactic employs fear, uncertainty, and doubt (FUD) to pressure the victim into hastily clicking a link or attachment without taking the time to scrutinise the email for typical warning signs of scams, such as generic greetings or grammatical errors.

Here's an example of the email:  

[Image 1: the phishing email]

Clicking on the link to verify their wallet takes the recipient to a page that is an almost identical replica of the MetaMask website. The scammers have taken care to include MetaMask in the page's URL, helping to feign authenticity. However, you will notice that the bolded portion of the URL shows cprapid(dot)com, rather than metamask.com. Checking this part of the URL is an easy way to tell whether you're on a legitimate website.
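The two mismatches described above (a brand display name on an unrelated sender domain, and a brand name placed in a URL whose host belongs to someone else) can be checked mechanically. The following is an added example, not MailGuard's code; the function names, the trusted-domain list and the link's subdomain and path are assumptions made for illustration.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

def refang(text):
    """Undo (dot)/(at) defanging so indicators parse as normal addresses."""
    text = re.sub(r"\s*[\[(]dot[\])]\s*", ".", text, flags=re.I)
    return re.sub(r"\s*[\[(]at[\])]\s*", "@", text, flags=re.I)

def squash(s):
    """Lower-case and keep only letters/digits: 'Meta-Mask' -> 'metamask'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())

def under_trusted(host, trusted):
    """True only for a trusted domain or a subdomain of one (dot boundary)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)

def check_sender(from_header, brand, trusted):
    """Flag a brand display name on an address outside the trusted domains."""
    name, addr = parseaddr(refang(from_header))
    domain = addr.rpartition("@")[2]
    if squash(brand) in squash(name) and not under_trusted(domain, trusted):
        return f"display name '{name}' but sender domain is {domain}"
    return None

def check_link(url, brand, trusted):
    """Flag a URL that mentions the brand while its host is not trusted."""
    parts = urlsplit(refang(url))
    host = parts.hostname or ""
    if under_trusted(host, trusted):
        return None
    # netloc includes any user@ prefix, another place a brand name can hide
    if squash(brand) in squash(parts.netloc + parts.path):
        return f"'{brand}' appears in URL but host is {host}"
    return None

# Assumption: the domain the article names; use the domains you have verified.
TRUSTED = ("metamask.com",)
# Sender as reported in the article; the link path/subdomain are constructed.
SENDER = '"Meta-Mask" <info(at)plusone-home(dot)co(dot)jp>'
LINK = "https://metamask.cprapid(dot)com/verify"

if __name__ == "__main__":
    print(check_sender(SENDER, "MetaMask", TRUSTED))
    print(check_link(LINK, "MetaMask", TRUSTED))
```

The suffix comparison uses a leading dot so that hosts such as `notmetamask.com` or `metamask.com.cprapid.com` are not mistaken for the trusted domain.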

The site makes the user wait a few seconds, in an attempt to evade website scanners and anti-phishing technologies, before redirecting to the actual phishing page.

[Image 2]

Finally, the recipient is taken to a page that asks them to enter their recovery phrase words, which are generally used to connect a user to their wallet when their password is forgotten. 

If the victim enters their phrase words and clicks the "Recover Wallet" button, they are redirected to the legitimate MetaMask website, none the wiser. The scammer will then be able to access the victim's wallet and will instantly transfer any crypto coins or tokens into their own account.

[Image 3]

Phishing attacks aren’t the only way that cybercriminals are targeting crypto wallets though. Over the past couple of years, we've seen ransomware and malware created for this purpose. Most recently, in February 2023, researchers discovered the MortalKombat ransomware variant, which emails a victim a malicious file. Once the file is opened, malware infects the victim's device and “monitors the computer’s clipboard for cryptocurrency wallet addresses. If one is found, it is sent to the attacker's server, where a Clipper bot creates a lookalike address owned by the hacker and then replaces the clipboard entry”, which allows the hacker to receive any funds the user attempts to transfer into their own wallet.

Cryptocurrencies lack the safeguards that regular banks and credit cards use. This means that in the event of a hack or breach, the service provider will not be held responsible, and you may be unable to recover your lost funds. Therefore, it's crucial to take precautions to safeguard your crypto wallets and stay alert for possible scams or phishing attempts.  

In a recent tweet, MetaMask warned their customers that:

“MetaMask does not collect KYC info and will never email you about your account! Do not enter your Secret Recovery Phrase on a website EVER.” 

MailGuard advises all recipients of this email to delete it immediately without clicking on any links. Providing your personal details can result in your sensitive information being used for criminal activity and may have a severe negative impact on your business and its financial well-being.     

MailGuard urges users not to click links or open attachments within emails that:       

  • Are not addressed to you by name.       
  • Appear to be from a legitimate company but use poor English or omit personal details that a legitimate sender would include.
  • Are from businesses that you were not expecting to hear from, and/or       
  • Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from.      

Many businesses turn to MailGuard after an incident or a near miss, often as a result of an email similar to the one shown above. If unwanted emails are a problem for your business, don’t wait until it’s too late.  

Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.

One email is all that it takes     

All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.     

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security. Talk to a solution consultant at MailGuard today about securing your company's inboxes.  
