Beware of phishing scams
In a phishing scam, an attacker tries to disguise themselves as a trustworthy entity in order to trick you into giving them sensitive information that can be used to gain access to your devices and accounts to steal your money.
Therefore, it is important that our clients be very careful and practice good habits to avoid falling victim to these scams.
Listed below are important tips to adhere to that can help protect you from phishing scams:
We will never…
- ask you for your username. Keep your username secret!
- ask you for your passwords. Never give out your passwords to anyone who asks.
- ask you to remove or change your security settings.
- request access to your devices via remote desktop access software.
- Always navigate to Kraken by manually typing www.cryptwin.com in your browser’s address bar.
- Never click on links or search results that look like Cryptwin.com.
- Make sure that you are entering your sign-in credentials on www.kraken.com and no other website that may look similar.
- To contact Cryptwin Support, always navigate to the website manually by typing support.cryptwin.com into your browser’s address bar. Never give out any information about your account unless you opened a ticket via this method.
- If you receive a Kraken Support email from any other address besides email@example.com, please delete it and do not click on any links that may be provided, as they are not legitimately from Kraken Support and should not be trusted.
- Be aware of man-in-the-middle attacks, in which an attacker intercepts emails from one party and relays them, with certain amendments, to the other party, while both parties believe they are communicating with each other directly. Adding PGP to your email is a good way to prevent this.
- Kraken only provides outbound phone support. This means you can request us to call you, but we don’t have a public phone number that you can call yourself.
- If you find a phone number associated with Cryptwin support online, it’s a scam. Do not call it.
- If you accidentally called a scam number, please create a support ticket and let us know as many details as possible regarding the call.
- Our social media team only provides general support and an option to escalate your ticket using an online form.
- If someone claiming to work for CryptWin contacts you on social media, never give them any information besides the ticket number of your issue.
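The address-bar tips above come down to an exact match on the host name, not a visual match. The following is an added example, not CryptWin's own code, that classifies links the way a browser parses them; the allowlist assumes the two hosts named in the tips (www.cryptwin.com and support.cryptwin.com), and `checkLink` and the sample links are constructed for illustration.

```javascript
// Added example: hosts named on this page; everything else is treated as untrusted.
const OFFICIAL_HOSTS = new Set(["www.cryptwin.com", "support.cryptwin.com"]);

// Classify a link by the host the browser would actually connect to.
function checkLink(link) {
  let url;
  try {
    url = new URL(link); // WHATWG parser, the same rules a browser applies
  } catch {
    return { trusted: false, reason: "not a valid absolute URL" };
  }
  if (url.protocol !== "https:") {
    return { trusted: false, reason: "not HTTPS" };
  }
  // Text before "@" is userinfo, not the site being visited.
  if (url.username || url.password) {
    return { trusted: false, reason: "text before @ hides the real host" };
  }
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing root dot
  // Non-ASCII lookalike letters are converted to punycode labels (xn--...).
  if (host.startsWith("xn--") || host.includes(".xn--")) {
    return { trusted: false, reason: "internationalized lookalike host" };
  }
  if (!OFFICIAL_HOSTS.has(host)) {
    return { trusted: false, reason: `host is ${host}, not an official one` };
  }
  return { trusted: true, reason: "exact match on an official host" };
}

// Constructed sample links (illustrative only, not real indicators).
const samples = [
  "https://www.cryptwin.com/sign-in",
  "https://www.cryptwin.com.account-verify.example/sign-in", // official name as a prefix
  "https://www.cryptwin.com@login.example/",                 // official name as userinfo
  "https://www.cryptẃin.com/",                               // accented lookalike letter
  "http://www.cryptwin.com/",                                // right host, no TLS
];
for (const s of samples) {
  const r = checkLink(s);
  console.log(`${r.trusted ? "OK   " : "BLOCK"} ${s} -> ${r.reason}`);
}
```

Only the first sample passes; the others each contain the official name somewhere in the link, which is why reading a link by eye is not a reliable check.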
Beware of phone scams
CryptWin’s phone support is outbound only. This means you can request us to call you when creating a support ticket on support.cryptwin.com, but we don’t have a public phone number that you can call yourself.
If you find a phone number claiming to be for CryptWin support, it’s a phishing scam. Do not call it. Instead, please send us a support ticket with information about the scam.
Be sure to also follow our guide for Securing Your Account.
Securing your CryptWin account and digital life
At CryptWin, we prioritize and invest heavily in security. However, don’t let this put your own guard down. No amount of security on our end can make up for inadequate personal security.
It is vital for clients to take advantage of the account security tools and advice that we offer and to never share access to the account with anyone else.
Securing your CryptWin Sign-In
1. Never allow anyone to create or manage an account on your behalf.
2. Choose a username that is hard to guess and not used on any other website. Never share your username with anyone.
3. Create a password that is long (at least 15 characters) and that is not used on any other website.
4. Set up Sign-In 2FA, ideally using a YubiKey. This is the most important security feature.
Warning about Sign-In 2FA backups: A poorly stored 2FA backup can be counter-productive and result in your 2FA being compromised. If you are worried about losing your Sign-In 2FA, set up a Master Key instead (see below).
Warning about authenticator apps that use cloud storage: If their cloud storage is hacked, it can compromise your Sign-In 2FA.
5. Set up a Master Key to have additional protection from password resets (in case your email is compromised) and as a backup for your Sign-In 2FA.
IMPORTANT: Make sure the Master Key is set up using a different method from your Sign-In 2FA. For example, if you use a YubiKey for Sign-In 2FA, then use an authenticator app or a different YubiKey for the Master Key.
6. Beware of phishing scams. Even Sign-In 2FA can’t protect your account if you enter it on a phishing website or share it with a scammer.
7. Only use CryptWin’s official mobile apps. Third-party mobile apps using CryptWin’s name or asking for your CryptWin credentials are forms of phishing.
8. Use API keys with caution. Sharing your API private key or QR code is the same as sharing your account password!
Securing your Email
If the email account registered to your CryptWin account is compromised, it can be used to request your username, reset your password and approve withdrawals.
1. Create a password using the same tips as for your CryptWin password, but make the email password different.
2. Set up Sign-In 2FA just as you would for your CryptWin account, and don’t use the SMS option if your email provider offers it.
3. Remove your phone numbers from your email account.
4. Check your settings and activity. See our securing your email account guide for more details.
5. Set up PGP (for Advanced users). If your email application supports PGP, enter your PGP public key in your CryptWin account settings to receive signed and encrypted email from us.
PGP encryption makes it so that even if your email address is compromised, the hacker won’t be able to read your automated emails from CryptWin unless they also have your private key.
PGP signing allows you to verify the authenticity of emails claiming to be from Kraken. This can help prevent you from falling for phishing scams.
Securing your Internet
A compromised internet connection can steal your sign-in details and direct you to phishing sites. Here are some ways you can secure your internet connection:
1. Router password. Change the default password on your home internet router. Keeping the default password will allow any stranger from the internet to gain control over your router. To prevent brute force attacks, use a long phrase (rather than a single word) along with numbers and symbols.
2. WiFi password. Make sure your WiFi network is password protected. This is separate from the router password.
3. Guest network. Create a guest network if your router has that option and keep the main network private for your devices only.
4. Avoid public WiFi. Use your mobile data plan instead. If you have to use public WiFi, make sure to have a reputable VPN (avoid free VPNs).
Securing your Devices
A compromised device can log everything you type into it, and mobile devices are the most common way to use two-factor authentication (2FA).
1. Device password. Create a secure passphrase and use fingerprint sign-in if possible. Avoid easy-to-guess PINs and sign-in patterns.
2. Don’t share your device. Don’t get guilted by friends and family to share access and passwords to your devices, especially if you use those devices for your 2FA.
3. Never give remote access. Some customer service teams will request remote access to your computer to help troubleshoot technical issues, but this is very dangerous and it is also the favorite technique of scammers. So always say ‘No’ to applications such as RemotePC, TeamViewer and GoToMyPC. CryptWin Support will never ask you to install remote access software!
4. Avoid public devices. Only sign in from your personal devices.
5. Avoid work devices for personal accounts. They are able to monitor and record your activity.
Securing your CryptWin settings
Once you’ve finished verifying and setting up your CryptWin account, you can add even more protections in case your sign-in is compromised in any way.
1. Set up two-factor authentication (2FA) for withdrawals, trading and API. However, the Global Settings Lock must be enabled in order for these 2FAs to be effective.
2. Enable the Global Settings Lock (GSL) to prevent changes to your account settings and withdrawal addresses — even if an attacker gains access to your account.
Important: If you want the option to immediately turn off the GSL at any time, you’ll need to set up the Master Key before enabling the GSL. CryptWin Support cannot speed up GSL removal.