This blog post serves as a notification for Bitvavo users regarding recent phishing risks. Please visit the following page for generic information regarding protection measures of your Bitvavo account, such as two-factor authentication (2FA), security notifications, device confirmation, anti-phishing codes, and whitelisting wallet addresses. This article will focus on phishing attempts which are currently targeting individual Bitvavo users, on how to recognize those attempts and how to prevent them.
Malicious advertisements
Currently, scammers are creating Google advertisements claiming to represent Bitvavo. These advertisements attempt to steal user credentials (of Bitvavo accounts and email accounts) through phishing and by installing malicious browser plugins. In the Google search results these advertisements look similar to genuine Bitvavo results, and they redirect to websites and login pages which are identical to the Bitvavo website. Please see the images below for an example of a malicious Google advertisement and a malicious browser plugin:
Which additional protection measures does Bitvavo take to combat these malicious advertisements?
Although malware is quite hard to combat, as it gives a third party access to your device and all login details (not just your Bitvavo account, but also your email accounts), Bitvavo takes the following additional measures to protect your account against unauthorized access and transactions:
- Bitvavo is always improving and adjusting its transaction and security monitoring rules in order to prevent unauthorized access to the accounts of Bitvavo users. Transactions which are deemed fraudulent by this monitoring system will be manually checked before being processed.
- Bitvavo is continuously monitoring malicious ads and reporting those to the Google Adwords team.
- Bitvavo is in close contact with the Dutch virtual currencies investigation team to speed up the takedown of malicious Google ads and to ensure that the hackers can be investigated.
In addition, please note that Bitvavo will never force you to download any browser plugins in order to use the Bitvavo services.
Which measures can you take to protect your Bitvavo account?
Bitvavo takes extensive security measures to ensure that your account is as safe as possible. Besides the regular security features such as device confirmation, failed login notifications and user log insights, Bitvavo offers various additional options in order to enhance the security of your Bitvavo account. The main additional steps you should consider as a user to protect your account are listed below:
Measures to protect your Bitvavo account
- Use a unique and complex password
As a general rule, you should create a different strong password for each service you use on the internet. A strong password consists of at least 8 characters, including uppercase and lowercase letters and symbols. You should not use dictionary words.
We recommend using a completely random password because this is impossible to guess. You can come up with strong passwords yourself, or you can use a password generator or a password manager.
- Set up an anti-phishing code
Phishing is the fraudulent attempt to obtain sensitive information, such as username and password, by impersonating Bitvavo or its employees. In order to reduce phishing risk, we recommend setting an anti-phishing code. Once you have set your anti-phishing code, it will be included in every Bitvavo email you receive.
Our employees will never ask you for your anti-phishing code, password or two-factor authentication (2FA) information.
Click here for a step-by-step guide on how to enable your anti-phishing code.
- Enable Two-Factor Authentication
Two-factor authentication, also known as 2-step verification, is a security layer in addition to your username and password. With two-factor authentication enabled on your account, you will have to provide your password (first factor, something you know) and your two-factor authentication code (second factor, something you have physical access to) when signing in to your account. Two-factor authentication codes are associated with a specific device, such as your mobile phone.
Click here for a step-by-step guide on how to enable two-factor authentication.
- Whitelist wallet addresses
The withdrawal address whitelist is another security feature offered by Bitvavo. If the withdrawal whitelist function is not enabled, your account is able to make withdrawals to any address. When this feature is enabled, your account will only be able to make withdrawals to the addresses that are whitelisted.
Click here for a step-by-step guide on how to whitelist wallet addresses.
This feature is also highly recommended for users using our API with withdrawal permissions.
- Use a hardware wallet
One of the main benefits of digital assets is that you do not need to trust third parties like banks or exchanges, such as Bitvavo. We always recommend storing your digital assets on your own hardware wallet. This ensures that you have full control over your own digital assets, without interference from third parties or malicious actors. Important: Do not share your private keys with third parties. Bitvavo will never ask for your private keys.
Click here for a step-by-step guide on how to send digital assets to a hardware wallet.
Measures to protect your email account
- Use a unique and complex password
Besides using a unique and complex password for your Bitvavo account, it is also recommended to use a unique and complex password for your email account.
We recommend using a completely random password because this is impossible to guess. You can come up with a strong password yourself, or you can use a password generator or a password manager.
- Enable Two-Factor Authentication
Besides enabling two-factor authentication for your Bitvavo account, it is also strongly recommended to enable this for your email account.
As the process of enabling two-factor authentication might vary per email provider, we recommend checking an online guide from your email provider on how to enable two-factor authentication in your specific case.
- Check if your email account has been part of a data breach
A data breach is a direct attack on private data by an unauthorized entity. There are numerous examples of data breaches. You can easily check on https://haveibeenpwned.com/ if your email account has been part of a data breach.
Measures to protect your browser and/or device
- Install a virus scanner
A virus scanner detects, neutralizes or eradicates malware (malicious software). This software will not only identify and destroy computer viruses, but is also designed to fight off other kinds of threats such as phishing attacks, worms, Trojan horses, rootkits and more.
- Keep your internet browser up to date
To make sure you're protected by the latest security updates, it is recommended to update automatically when a new version of your browser is available on your device.
- Do not install malicious browser plugins
Bitvavo does not offer any browser plugins, and will never require browser plugins in order to use the Bitvavo services. Please contact us as soon as possible if you suspect a malicious browser plugin might be installed on your desktop (our support agents are always ready to help; it's better to be safe than sorry).
Contact us for questions
If you have any questions regarding the security of your Bitvavo account, don't hesitate to contact our support team, which is available 7 days a week to answer all your questions.