That Coinbase Text Is a Scam
Generally, if you receive an unsolicited text message, especially one claiming to include a security code, it is likely part of a phishing scheme. Such is the case with a recent wave of spontaneous texts claiming to come from the crypto wallet service Coinbase. If you receive such a message, even if you have a Coinbase account, delete it. Someone is probably trying to scam you.
Coinbase doesn’t text you
Here’s how the scam works: You receive an unsolicited text message saying “Your Coinbase withdrawal code is…” followed by a six-digit number. The message continues: “Please do not share this code with anyone. If you have not requested it, please call:” followed by a telephone number and reference number.
At first glance, this looks like a fairly standard two-factor authentication (2FA) code. Most companies include a similar warning in their messages when sending your code, like hackers do. Really I want you to give them these numbers. In many cases, a 2FA code is the only thing separating them from your account, so companies want to make sure you’re not giving yours to someone else.
Unfortunately, this text is an example of the opposite: a scammer spoofing the language of a legitimate company in order to gain your trust. The scammer hopes you will receive this text and assume it is real, but worry because you know you did not request a 2FA code. Since you are now sure that the message is actually from Coinbase, you can turn to the contact number included in the message to follow up. Hey, they even included a reference number, so the “Coinbase representative” you speak with can track your issue. How thoughtful.
In reality, this is a big scam. If you called the number, the scammer will likely continue the charade, perhaps assuring you that they will help secure your account. My guess is that the scammer would ask you to “verify” your Coinbase login information, which they would enter on their end, triggering the legitimate 2FA process. Once you receive this code, the scammer may ask you to tell them what it is as part of the verification process. But once they have that code, they can actually log into your account, change the password, and lock you out. Goodbye cryptocurrencies.
If you’re a Coinbase user, this seems really concerning, but don’t worry too much: I received these scam text messages myself and I don’t have a Coinbase account. Although scammers are targeting Coinbase users whose information was leaked in data breaches, it’s more likely that they are simply sending these fraudulent bulk text messages to leaked phone numbers. They will likely attract anxious Coinbase users to their network, but I’m sure they would be happy to “chat with” anyone doesn’t have a Coinbase account that also calls. “Oh, you don’t have a Coinbase account? No problem, we’ll clear that up for you. Can you just confirm your social security number for us, so we can make sure you’re really not in our system?”
What to do when you receive suspicious text messages
It can be tempting to respond to these text messages once you know they are scams, especially when the goal is simply to waste the scammer’s time. But as fun as it may be, my advice is to ignore these texts whenever you receive them. Although the immediate risks decrease once you know the “representative” is truly malicious, responding to these text messages lets the scammer know your number is active and, in response, they might save it for a future scam attempt. Scammers can be smart too. If you’re not careful, you may reveal more information than you think while you’re “playing” with them. Part of a phishing scheme is building rapport: The scammer wants to lull you into a false sense of security so that you give them personal information that could help them steal your information or hack accounts.
The best thing to do is to delete these texts every time you receive them. If your email app of choice gives you the option to report text as spam, all the better.
