imToken uncovered various new types of scams last year, including TRX multisig scams and addresses with the same last characters. These scams are not only crafty but also intricate, which makes it challenging for certain users to comprehend and avoid them. To assist users in preventing these scams and answering their common queries, the monthly wallet security report provides relevant prevention recommendations.
Q1: Can customer service help me return my assets if the tokens are transferred to the wrong address?
Before answering this question, let me ask you this: If you want to transfer to an address that has already been transferred to, do you just copy the address directly from the wallet transaction record and then transfer it?
If that’s the case, you should be cautious since scammers utilize this habit to generate fraudulent addresses with the same last characters and send small amounts of funds to users, making their address appear in the users' transaction records. If users don't carefully check the address, they might accidentally transfer their assets to the scammer's wallet, which is known as Addresses with the same last characters scam.
Some users mistakenly transfer their assets to scammers and then contact customer service to request a refund. However, once a transfer is successful on the blockchain, it is irreversible.
Therefore, it is crucial to verify the address's correctness before transferring funds, and the imToken wallet's address book feature can be used to ensure address accuracy. It records frequently used addresses and allows users to enter them with just one click when transferring funds.
Address Book feature
Q2: Why can't I transfer my assets even though I have the private key?
Owning a private key usually means having control over your wallet and the ability to transfer assets. However, in the event of encountering a TRX multisig scam where a criminal alters your owner permission, you may be unable to transfer your assets.
Multi-signature is intended to enhance account security by allowing multiple addresses to jointly manage an account and execute transactions after meeting certain signature thresholds. For instance, a 2/3 multi-signature wallet indicates that three individuals possess signature rights, and at least two signatures are required to access funds in that account.
Despite its usefulness, the technology can also be exploited by criminals to perpetrate fraudulent activities, which typically involve a two-step process.
- The scammers buy advertising space to lure users to download fake apps and steal their private keys.
- The scammers acquire the user’s private key and then utilize multi-signature technology to configure the user’s account as a 2/2 multi-signature wallet. This implies that when transferring funds, the account requires 2 signatures to execute a transaction: one from the user’s account and the other from the scammer’s account.
An account with modified permissions
The fraudsters can transfer the user's assets at their discretion since they have obtained the user's private key, while the user is unable to control their money as they don't possess the fraudster's account private key.
Even if you find customer service, you cannot modify account permissions in this case. This is because imToken is a non-custodial wallet, which means that users hold their private keys. Only those who have both the scammer’s and the user’s account private keys can modify account permissions and transfer funds.
This scam is currently popular and well-concealed. To prevent further users from falling prey to this scam,the imToken team reminds everyone that
- Please be sure to download imToken from the official channel:
- imToken's official website: https://token.im/
- If you encounter any issues with downloading, please send an email with the subject "Download" to email@example.com to get the latest version of imToken App.
- Check your TRX wallet account permissions regularly. Click here to get the tutorial.
imToken places a high priority on the safety of its users' assets and, in addition to implementing security measures, flagged 12 risky tokens, 50 risky DApp sites, and 130 risky addresses in February to assist users in identifying risky tokens and avoiding scams.
If you suspect that a token or DApp is risky, please inform us promptly at firstname.lastname@example.org.