This Coinbase Text Is a Scam

As a general rule, if you receive an unwanted SMS message, especially one with a security code, it’s likely part of a phishing scam. This was the case with the recent wave of unauthorized SMS messages purportedly sent by the cryptocurrency wallet service Coinbase. If you receive such a message, even if you have a Coinbase account, delete it. It’s likely an attempt to scam you.

Coinbase isn’t sending you messages

Here’s how the scam works: You receive an unsolicited text message that says, “Your Coinbase withdrawal code…” followed by a six-digit number. The message then reads, “Please do not share this code with anyone. If you did not request this code, please call the phone number and reference number.”

At first glance, this is a fairly standard two-factor authentication (2FA) code. Most companies include a similar warning in messages when sending your code, as hackers really want you to share these numbers. In many cases, the 2FA code is the only thing standing between them and your account, so companies want to be sure you won’t share your code with anyone else.


Unfortunately, this message is the opposite: a scammer is posing as a representative of a legitimate company to gain your trust. The scammer hopes you’ll receive this message, believe it’s genuine, and be worried, because you know you didn’t request a two-factor authentication code. If you’re convinced the message really is from Coinbase, you might use the contact number conveniently included in the message to sort things out. They even included a reference number so the “Coinbase representative” you speak with can track your issue. How thoughtful.

In reality, this is one big scam. If you call this number, the scammer will likely keep up the act, perhaps claiming to help secure your account. I suspect the scammer will ask you to “verify” your Coinbase credentials, which they will enter on their end, initiating a legitimate two-factor authentication (2FA) process. Once that code is sent to you, they may ask you to provide it as part of the verification process. But once they have this code, they can log into your account for real, change your password, and lock you out. Goodbye, crypto!

If you’re a Coinbase user, this is definitely alarming, but don’t worry too much: I’ve received these scam messages myself, even though I don’t have a Coinbase account. While scammers may target Coinbase users whose data was stolen in data breaches, it’s more likely that they’re simply mass-sending these scam messages to any phone numbers found in stolen data. They’ll likely catch worried Coinbase users in their net, but I’m sure they’ll be happy to “chat” with anyone without a Coinbase account who randomly calls. “Oh, you don’t have a Coinbase account? No problem, we’ll clear that up. Could you just verify your Social Security number so we can make sure you’re really not in our system?”
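
The message shape described in this section, a one-time code combined with a request to call a phone number and quote a reference number, can be checked mechanically by a message filter. The following is an added example, not code from the original article; the sample messages and phone number are constructed, and the rule that a genuine code message does not ask you to call a number is an assumption of this example.

```python
import re

# Constructed sample messages (not real captures); the phone number is fictional.
SAMPLES = {
    "callback_scam": ("Your Coinbase withdrawal code is 482913. Please do not share "
                      "this code with anyone. If you did not request this code, "
                      "please call +1 (202) 555-0143 REF# 88213."),
    "plain_otp": ("Your verification code is 730254. "
                  "Please do not share this code with anyone."),
    "delivery": "Your parcel arrives today between 2pm and 4pm.",
}

# A 4-8 digit number shortly after the word "code".
CODE_RE = re.compile(r"\bcode\b\D{0,20}\b(\d{4,8})\b", re.I)
# A 10-digit phone number with optional country code and common separators.
PHONE_RE = re.compile(
    r"(?<!\w)(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
# A verb asking the recipient to get in touch by phone.
CALL_RE = re.compile(r"\b(?:call|contact|dial|phone)\b", re.I)
# "REF# 88213", "reference number: A1234", and similar.
REF_RE = re.compile(
    r"\bref(?:erence)?\b\s*(?:number|no\.?|#|id)?\s*[:#]?\s*\w*\d\w*", re.I)


def classify(sms: str) -> dict:
    """Flag a code message that also steers the recipient to a phone call."""
    has_code = CODE_RE.search(sms) is not None
    asks_callback = (PHONE_RE.search(sms) is not None
                     and CALL_RE.search(sms) is not None)
    has_ref = REF_RE.search(sms) is not None
    if has_code and asks_callback:
        # Assumption: a genuine code message does not ask you to call a number.
        verdict = "suspect-callback-lure"
    elif has_code:
        # A bare code: still never read it out to anyone who phones or texts you.
        verdict = "otp-only"
    else:
        verdict = "other"
    return {"verdict": verdict, "has_code": has_code,
            "asks_callback": asks_callback, "has_reference": has_ref}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, classify(text))
```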

What to do if you receive a suspicious message

It can be tempting to respond to these messages once you realize they’re a scam, especially if the goal is simply to waste the scammer’s time. But no matter how amusing that may be, I advise ignoring these messages when you receive them. While the immediate risks are reduced when you know the “representative” is genuinely malicious, responding to these messages will let the scammer know your number is active, and as a result, they may store it for future fraudulent attempts. Scammers can also be sneaky. If you’re not careful, you could reveal more information than you realize while “messing around” with them. Part of the phishing scheme is establishing contact: the scammer wants to lull you into providing personal information that could help them steal your data or hack your accounts.

The best thing you can do is delete these messages immediately after receiving them. If your messenger allows you to report spam, even better.
