Akankasha Dewan 17 March 2021 12:37:48 AEDT 4 MIN READ

Phishing email impersonating Trezor claims your ‘assets might be vulnerable’

MailGuard has intercepted a phishing email impersonating hardware cryptocurrency wallet, Trezor.

Masquerading as a security alert, the phishing email uses a display name of ‘Trezor’ and is titled ‘Your Trezor assets might be vulnerable’. The email body contains the Trezor logo. However, the domain used in the sender email address provided in the email’s ‘From:’ field doesn’t belong to the company – a red flag pointing to the email’s illegitimacy. The email actually originates from a compromised account belonging to Amazon SES.

The email body informs recipients that Trezor has experienced a security breach and that they have been affected. To stay protected, recipients are advised to update their ’12, 18 or 24-Word Phrase’ and set up a new PIN for their wallet. A link is provided for them to do so.

Here’s what the email looks like:


Unsuspecting recipients who click on the link to ‘Update’ are sent to what appears to be a login page asking for users’ existing wallet passphrases. This page is designed to look like a legitimate one belonging to Trezor, complete with the company’s logo and other branding elements. However, this is actually a phishing page registered on Namecheap, and uses Cloudflare to hide its original hosting destination. Here's what the page looks like:

Scam 0317_1

Once users enter their existing phrases, the attacker harvests them for later use, and the user is met with a confirmation saying that their phrase has been updated, and a new phrase is assigned to them, as per the below:

Scam 0317_2

The purpose of this phishing scam is to harvest the account phrases of Trezor customers so the criminals behind this scam can break into their accounts and access their cryptocurrency. Through this phishing email scam, cybercriminals are not only exploiting Trezor’s well-established reputation, but also the soaring value of cryptocurrency. At current valuation, 1 bitcoin, for example, is currently worth AUD72,940 – making the stakes huge for someone who is informed that their bitcoins might be ‘vulnerable’ to cybercriminals. It is this exact fear of losing vast amounts of money that cybercriminals prey on in order to trick recipients to submit their confidential details online. Bitcoin and cryptocurrency, in general, have become an attractive target for cybercriminals, because of their soaring value and the ease with which they can be laundered and sold. MailGuard regularly intercepts malicious email scams related to cryptocurrency, like this phishing email impersonating LocalBitcoins.

As you can see from all the screenshots above, cybercriminals have taken great pains to replicate official landing pages from Trezor – including incorporating the company’s branding and logo using high-quality graphical elements in the phishing pages. All this is done in an attempt to trick the users into thinking the scam is legitimate.

It is interesting to note that the body of the scam email ironically, uses a security alert to trick recipients into revealing their details, i.e. asking them to update their account ‘to protect’ their assets from a recent security breach. This only adds on to the sense of legitimacy evoked by the email as it is not uncommon for companies to notify customers affected by recent security breaches. In addition, the inclusion of a subject line like ‘Your Trezor assets might be vulnerable’ in the email aims to induce panic among recipients who, in their attempt to secure their assets as soon as possible, may click on the link in the email without pausing to check for its legitimacy.

Despite these techniques, eagle-eyed recipients of this email would be able to spot several red flags that point to the email’s in-authenticity. These include the fact that the email doesn’t address the recipient directly.

As a precaution, MailGuard urges you not to click links within emails that:

  • Are not addressed to you by name.
  • Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.
  • Are from businesses that you were not expecting to hear from, and
  • Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from. 


One email is all that it takes

All that it takes to break into your business is a cleverly-worded email message. If scammers can trick one person in your company into clicking on a malicious link they can gain access to your data.

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.

Talk to a solution consultant at MailGuard today about securing your company's network.

Why not stay up-to-date with MailGuard's latest blog posts by subscribing to free updates? Subscribe to weekly updates by clicking on the button below.

Keep Informed with Weekly Updates