Phishing scams can target wallet users through emails, websites, phone calls, SMS messages, social media messages, or fake support conversations. Their goal is to create urgency and convince you to reveal sensitive information, install malicious software, connect your hardware wallet to an unsafe application, or enter your recovery words somewhere other than your hardware wallet.
This guide explains how to recognize phishing scams, how to verify whether a message or website is legitimate, what BitBox will never ask for, and what to do if you already interacted with a suspicious request.
The most important rule
If you remember only one thing, remember this:
Never enter your recovery words into a computer, smartphone, website, browser extension, password manager, cloud service, or AI chatbot. Anyone with access to your recovery words can control your funds. BitBox support will never ask for your recovery words.
If anyone asks for your recovery words, your wallet backup, your 24 words, a screenshot of your backup, or a typed copy of your backup, stop immediately. This is a scam.
Why “your BitBox account is compromised” is a scam
Scammers often claim that a “BitBox account” is compromised or must be secured. This wording is misleading because BitBox does not custody customer funds and has no access to your wallet.
BitBox does not manage customer funds like an exchange, broker, or online financial service. Your wallet is controlled by your BitBox02 and your recovery words. BitBox cannot freeze, unlock, move, or recover your funds.
BitBox support can help you use BitBox products, but BitBox support cannot access your wallet and will never ask you to transfer funds, reveal recovery words, install remote-access software, or confirm urgent wallet “security” actions.
Hardware wallets protect private keys by keeping them isolated from internet-connected devices. For more background, see why should I use a hardware wallet to keep my bitcoin safe? and Can a hardware wallet be hacked?.
Common phishing methods targeting wallet users
Fake security warnings
Scammers often claim that your funds are in danger, your wallet must be verified, your firmware is unsafe, or your account will be blocked. The message may pressure you to act immediately through a link, attachment, phone call, or chat.
Fake payment or exchange alerts
Some scams begin with a fake email that appears to come from a payment provider, broker, or exchange. The email may contain a confirmation code for a transaction you did not request and a phone number to call if the activity was not yours.
If you call the number in the message, the scammer may claim that there was unauthorized access from another country, that your account or wallet is under attack, or that your device password can be bypassed. This is meant to make the next step feel urgent and legitimate.
Contact form confirmation scam
We have observed scammers using a more complex flow that combines direct contact with legitimate automated emails from official services.
First, the scammer contacts the victim by phone, email, SMS, messaging app, or another channel. They may pretend to be from an exchange, broker, payment provider, wallet provider, or support team. They create urgency by claiming that funds are at risk, an account is compromised, a transaction was attempted, or a security check is required.
During the conversation, the scammer tries to learn more about the victim. They may ask whether the person uses a hardware wallet and which brand it is. If the victim mentions Ledger, Trezor, BitBox, or another wallet brand, the scammer can adapt the story and claim that the matching wallet support team needs to get involved.
Next, the scammer submits a real contact form on the official support page of that wallet provider or another service and enters the victim’s email address. The victim then receives a genuine automated confirmation email from the official domain saying that an inquiry was received.
The automated confirmation email may be legitimate, but the request was not created by the victim. The scammer uses that real confirmation email to build trust, then continues the scam through the original channel or through a new call, SMS, email, or chat message. They may also provide a ticket number, a direct extension, or the name of a supposed support employee.
A genuine confirmation email from an official BitBox or wallet provider domain does not prove that a caller, SMS message, email, or chat conversation is legitimate. If you did not create the support request yourself, treat follow-up contact as suspicious.
Fraudulent calls and messages
BitBox will not contact you first by phone, SMS, Telegram, WhatsApp, Discord, social media, or forum direct message to discuss your wallet security. Treat unexpected support contact as suspicious, especially if the sender creates urgency or asks you to keep the conversation private.
Fake websites and downloads
Fake websites may copy the design of a real wallet provider, use a similar domain, or offer a malicious app download. A fake app or website may ask you to restore, synchronize, verify, or unlock your wallet.
In one observed pattern, the victim was directed to a fake BitBox-branded “safety check” website. The site first asked for the BitBox model and email address, then claimed that the wallet was compromised and requested the 24 recovery words to generate a new backup. A website can never safely check or replace your recovery words.
Download the BitBoxApp only from the official BitBoxApp download page. If you want additional confirmation before opening a downloaded file, you can verify the BitBoxApp signature or verify the BitBoxApp checksum.
Exchange or broker escalation scam
After learning where a victim bought crypto, scammers may continue the attack by impersonating exchange or broker support. They may claim that the exchange account must be secured and instruct the victim to convert assets into Bitcoin and send them to the wallet.
This can be especially dangerous if the scammer already obtained the wallet recovery words. Funds sent to the wallet can then be moved out by the scammer shortly after they arrive.
Suspicious attachments
Do not open unexpected attachments that claim to contain security reports, account statements, wallet tools, update files, or recovery instructions. BitBox support will not send unsolicited wallet software or ask you to install remote-access tools.
Clear warning signs
Before clicking, replying, installing, or approving anything, check for these warning signs:
- Pressure, urgency, threats, or claims that your funds are already being stolen.
- Unexpected contact, especially by phone, SMS, messenger, or social media.
- A phone number in an email that asks you to call if you did not request a transaction.
- Claims about foreign logins, blocked devices, bypassed passwords, or urgent account locks.
- A real automated confirmation email for a support request you did not create.
- A supposed support handoff with a ticket code, direct extension, or named employee you did not contact through the official website.
- Requests for recovery words, wallet backups, PINs, passwords, screenshots, or remote access.
- Instructions to “verify”, “synchronize”, “secure”, “restore”, “migrate”, “cover”, or “check” your wallet through a website.
- Promises that a website can generate new recovery words for your existing wallet.
- Instructions to convert assets on an exchange and transfer them as part of a “security lock” or “account recovery”.
- Links that do not clearly lead to an official BitBox domain.
- Attachments or downloads that you did not request.
If you are unsure, do not use links, phone numbers, or contact details from the suspicious message. Open a new browser tab and type the official website address manually. For more background on common email tactics, see Staying secure: understanding and identifying scam emails.
What BitBox will never do
Knowing what BitBox will never do makes scams easier to spot:
- BitBox will never ask for your recovery words.
- BitBox will never ask for your PIN, passwords, passphrase, or two-factor authentication codes.
- BitBox will never ask you to transfer funds to a “safe” wallet.
- BitBox will never ask you to verify, synchronize, or restore your wallet on a website.
- BitBox will never provide a browser-based tool that checks whether your recovery words are safe.
- BitBox will never generate replacement recovery words for your existing wallet through a website.
- BitBox will never tell you to convert assets on an exchange and move them as part of a support case.
- BitBox will never send you unsolicited wallet software or remote-access tools.
- BitBox will never contact you first by phone, SMS, Telegram, WhatsApp, Discord, social media, or forum direct message.
Official BitBox domains
Domain checks are not the only phishing protection, but they are an important first step. Use these domains when verifying whether a website, email, or support contact is legitimate.
BitBox controls the following domains:
| Domain | Purpose |
|---|---|
bitbox.swiss |
Main website and downloads |
shop.bitbox.swiss |
Online shop |
support.bitbox.swiss |
Knowledge base |
blog.bitbox.swiss |
Official blog |
contact.bitbox.swiss |
Support contact form |
shiftcrypto.support |
Support system |
shiftcrypto.io |
Redirect |
digitalbitbox.com |
Redirect |
shiftcrypto.org |
Redirect |
shiftcryptosecurity.ch |
Redirect |
shiftcryptosecurity.com |
Redirect |
shiftdevices.com |
Redirect |
If a website looks like BitBox but uses a different domain, treat it as suspicious. Also check the full address carefully, not only the text of a link.
Why you may be targeted
Receiving a phishing message or call does not mean that your BitBox02, wallet, or funds are compromised. Most phishing campaigns are opportunistic and target large numbers of people. Being contacted does not necessarily indicate that your BitBox02, BitBoxApp, or wallet has been compromised.
Scammers often combine data from many sources, including public contact details, social media, unrelated third-party data leaks, leaked marketing lists, random dialing, and abused contact forms. For a broader explanation of scam email tactics, see Staying secure: understanding and identifying scam emails.
BitBox has also transparently disclosed past data incidents that may help explain why some people receive targeted phishing:
- ActiveCampaign data leak: In July 2022, BitBox was affected by a data breach at ActiveCampaign, a third-party service used for marketing emails. The exposed data included email addresses, mostly newsletter subscribers, a few business contacts, and limited related data. Read the BitBox blog post about the ActiveCampaign data breach.
- Twitter/X data leak: A separate Twitter/X leak exposed email addresses associated with Twitter accounts. This was not a BitBox system breach, but such external leaks can help scammers connect an email address with public crypto-related activity or interests. Read the BitBox statement about the Twitter/X leak.
BitBox has since reduced the amount of contact data stored and deletes support contact information after a defined period. Learn more in why BitBox deletes your contact information and how we handle your data.
What to do if you encounter a phishing attempt
If you only received a message or call
- Do not click links or open attachments.
- Do not reply with personal information.
- Block the sender or caller.
- If you want to verify the situation, contact BitBox Support through the official Support contact form.
If you received an unexpected confirmation email
- Do not assume that later contact is legitimate just because the automated email came from an official domain.
- Do not use contact details, links, or case references provided by the person who contacts you separately.
- If you did not submit the request yourself, contact the official service through its website and ask whether the request should be closed.
- If the confirmation came from BitBox, contact BitBox Support through the official Support contact form and mention that you did not create the inquiry.
If you clicked a link but entered no information
- Close the page.
- Do not download or install anything from the page.
- Clear your browser history if you want to avoid opening the page again by accident.
- Open the official BitBox website manually in a new browser tab if you need to continue.
If you connected your BitBox02 to a suspicious website or application
- Disconnect your BitBox02.
- Close the suspicious website or application.
- Do not approve any action you do not understand on your BitBox02.
- Check your wallet only with the official BitBoxApp.
If you entered recovery words
If you entered your recovery words into a website, app, computer, phone, chat, form, or any other online service, assume that the wallet is compromised.
If recovery words are exposed, anyone with access to them can control the wallet. Move funds to a new secure wallet immediately if you can still access them.
Use a separate, trusted device and a newly created wallet backup. If you are unsure what to do next, contact BitBox Support through the official Support contact form, but do not send recovery words, screenshots of recovery words, or private keys.
How to verify a BitBox website or download
If you are unsure whether a BitBox website, email, or download is genuine, use the following verification methods before taking any action.
If a message asks you to open a website, install software, or check your wallet, verify the source before continuing.
- Use official BitBox domains when checking whether a website, email, or support contact is legitimate.
- Download the BitBoxApp only from the official BitBox download page.
- When possible, verify the BitBoxApp signature to confirm that the downloaded file was signed by Shift Crypto.
- When possible, verify the BitBoxApp file checksum (SHA-256) to confirm that the downloaded file matches the file published by BitBox.
Frequently asked questions
Should I call the phone number in an unexpected transaction or security email?
No. Do not call phone numbers from unexpected transaction, login, or security emails. Open the official website manually and use the contact options published there.
Can BitBox support verify whether a message, email, or website is legitimate?
Yes. If you are unsure whether a message, website, email, or support request is legitimate, contact BitBox support through the official BitBox support contact form before taking any action.
BitBox support can help determine whether a communication is genuine and whether a website belongs to BitBox.
Does a real automated confirmation email prove that the follow-up contact is legitimate?
No. A scammer can abuse a contact form by entering your email address after they already contacted you. The automated confirmation may be real, but a later call, SMS, email, or chat message can still be a scam.
How did scammers get my email address or phone number?
Receiving a phishing message does not mean your BitBox02 or wallet is compromised. Scammers may use public contact data, unrelated third-party data breaches, leaked marketing lists, random dialing, social media information, or contact-form abuse.
Have there been past data incidents related to BitBox?
Yes. BitBox was affected by the ActiveCampaign data leak in July 2022, which exposed email addresses and limited related data from a third-party marketing email provider. Separately, the Twitter/X data leak exposed email addresses associated with Twitter accounts; this was not a BitBox breach, but it can still help scammers build target lists. BitBox infrastructure and products were not breached in either case. BitBox has since reduced stored contact data and deletes support contact information after a defined period.
How can I report a phishing website, message, or call?
You can report phishing attempts to BitBox Support through the official Support contact form. Include the sender address, phone number, website link, screenshots, and a short description, but never include recovery words, private keys, or passwords.