How to Avoid Telegram Scams?
Recently, Telegram, a cross-platform instant messaging (IM) application, has seen a spate of account thefts through illegal means and hackers used these compromised accounts to commit fraud.
In response to recent Telegram account thefts, Beosin's security research department lists Telegram's common scams and shares guidance on how to avoid them.
Join us in showcasing the cryptocurrency revolution, one newsletter at a time. Subscribe now to get daily news and market updates right to your inbox, along with our millions of other subscribers (that’s right, millions love us!) — what are you waiting for?
Obtain your phone screens with the Telegram Login code
Recently, there is a relatively new type of scam, where scammers pretend to be friends and take screenshots of Telegram chats for various reasons. It seems that there is no danger, but at the moment, scammers are trying to log in to Telegram using your mobile phone number. When a screenshot is sent with a login code, it will be used by scammers to successfully log into your Telegram account. Details of the scam process are as follows:
1. get the phone number for your Telegram account.
If your Telegram account is set to be visible to anyone, your phone number will be seen by anyone including scammers, or they will first get your friend's account and then look up your phone number.
2. Cheat the login code.
Scammers always tell you that there is a problem with your account and cheat your screenshots. Meanwhile, they try to log in your account by entering your phone number on a new device.
Take the following verbal tricks for example:
(1) There are two identical contacts in the interface: when an encrypted chat is created for a contact, two identical contacts appear in the chat list. The encrypted chat communication shown below has a lock icon in front of the name.
(2) Need friends to help unlock his/her account: Scammers will say that his/her account was officially restricted and need friends to send a verification code to help unlock his/her account.
3. log in to your account to continue the fraud
When you inadvertently send screenshots with a login code to scammers, if your account does not open two-factor authentication, scammers can use the login code to log into your account. Then scammers will delete all the devices, change the password, and then continue to cheat other people in your contact list.
Scam messages sent by fake Telegram Official account
Scammers will pretend to be TG's official account to send you a message which claims that your TG account violates the usage rules and will be restricted. You need to access a website that they provide for you. If you click the phishing link, your account will probably be compromised.
Third-party applications with a backdoor
Since there is no Chinese version installation package, users often use search engines to find a Chinese one. Thus, scammers use SEO optimization to direct their Telegram download site and induce users to download their malicious applications.
When users download TG with a backdoor, their chats will be scanned. If there is any crypto wallet address in the chats, the address will be replaced by the scammers’ address and users are cheated to transfer their funds to scammers.
In this example, a user downloaded a Chinese-version telegram client on the website http://www.telegram-china.org (right now unaccessible) and sent a trx address:
At that time, the address was TNpEa9PoqWsoPcTdTqUUdrYJbqhVLoSVFh. Then it was replaced by another address when the app was reopened.
Malicious Telegram Chinese language packs
Our security experts have analyzed the language pack file and found that it would escape the detection of security software and avoid analysis of the sandbox by detecting the movement of the mouse.
Telegram bot to cheat your password
Foreign security researchers have found that some criminal organizations use Telegram bots to steal users' OTP tokens and SMS authentication codes to complete 2FA (two-factor authentication). The attackers use Telegram bots to access account information, including calling victims, and impersonating banks and legitimate services. Through social engineering, the attackers also trick people into providing them with OTP or other authentication codes via mobile devices. Then, the scammers use the codes to defraud users of their money, passwords, session cookies, login credentials, and credit card details.
scammers pretend to be cryptocurrency experts on Telegram to promote promises of a good return on investment in cryptocurrency. Scammers will either comment on Twitter or contact you directly on Telegram, claiming to be able to provide you with a high return on your investment.
If you believe their verbal tricks, scammers will ask you to open an account on their special cryptocurrency exchange. At that point, they'll show you a chart showing that your investment is increasing, but when you try to withdraw your funds, scammers will disappear with your funds.
Beosin Security Advice
We pose the following advice to help users avoid scams and loss on Telegram.
Open two-factor authentication
For your account safety, you are encouraged to set your password for two-factor authentication. This password is only required when your account tries to log in a new Telegram client.
Open Setting > Privacy and Security > Two-step Verification and set your password. You are also encouraged to set your recovery email in case that you forget your password.
Be careful to use a third-party client
Check the way you downloaded the Telegram client. If you downloaded TG by using an installation package that was found on some websites, please uninstall it and reinstall TG by downloading the package on TG's official website. The third-party clients probably can control your account, read your entire chats and collect your device information. Thus, please download TG on its official website for safety.
Do not send your personal information to Telegram bots
Use Telegram bots with caution and do not disclose personal data, including names, user names, phone numbers, e-mail addresses, passwords, or any information that can be used to identify you.
Be careful when you receive DMs from strangers
Do not easily believe strangers' DMs to avoid financial loss or information disclosure. If disturbed, you can choose to block them. When you receive unfamiliar files and links, do not click them without further careful checking.
Check wallet address
If you want to send the wallet address to someone, check the address with multiple verifications. It is better to take a screenshot of the wallet QR code and send the screenshot to others.
Regularly check the devices that log in Telegram
Check the status of devices’ IP addresses which log in Telegram periodically, and force the devices with abnormal IPs to be offline.
Do not share your phone number when you add contacts
There is only a concept of Contacts instead of Friends on Telegram. When you add or delete some contact, your account will not be removed from his/her contact list. When you add a contact, you can uncheck the Share My Phone Number option which is checked by default.
Hide your phone number and add restrictions on joining groups
You can hide your phone number, status, profile, and forwarded messages if you go to Setting > Privacy and Security. You can set that you can not be added to a group if the adder is not in your contact list to reduce the risks of being cheated. Also, do not use the function “Add People Nearby”.
Channel Verification function on the Beosin website
To avoid scams where scammers try to pretend to be Beosin employees, Beosin has added a Channel Verification function on our website.
You can input the related information of the Beosin employees who try to contact you. If the information passes the verification, the employees are official and the contact is safe.
If not, the employees are probably scammers who pretend to be Beosin employees. You should be careful and avoid scams.
That’s our sharing on security today and see you in the next sharing session!
Beosin is a leading global blockchain security company co-founded by several professors from world-renowned universities and there are 40+ PhDs on the team. It has offices in Singapore, Korea, Japan and other 10+ countries. With the mission of "Securing Blockchain Ecosystem", Beosin provides "All-in-one" blockchain security solution covering Smart Contract Audit, Risk Monitoring & Alert, KYT/AML, and Crypto Tracing. Beosin has already audited more than 3000 smart contracts and protected more than $500 billion funds of our clients. You are welcome to contact us by visiting the links below.
If you have need any blockchain security services, please contact us: