Cybercrime Prevention: Best Practices To Secure Your Account

How can I keep my accounts and assets safe?

Cybercrime is an ever-growing threat and understanding how to protect yourself is essential. iTrustCapital implements institutional-grade security measures to protect your account and assets, but we also recognize that security is a shared responsibility. Please pay close attention to the information provided below to keep your account secure.

 

Critical Security Rules and Information

  • Protect your iTrustCapital login credentials - Use a strong, unique password. Consider updating your password periodically.
  • Take Two-Factor Authentication (2FA) seriously - SMS 2FA (text messages to your phone) can create additional vulnerabilities. Cybersecurity experts recommend using an authenticator app that is not linked to an email address for 2FA. If you would like to switch your 2FA security method from SMS to an authenticator, contact iTrustCapital for further assistance.
  • Beware of fake websites - bookmark www.itrustcapital.com and other important websites you frequently access.
  • Never share your private keys, seed phrase, passwords, or personal wallet information for ANY account with ANYONE.
  • Verify communications - iTrustCapital will always verify your security questions when calling you, and will never ask for password information for any account.
    • Important: If you ever feel unsure whether it’s actually iTrustCapital calling you, even if it’s coming from a Caller ID that says “iTrustCapital” or from an iTrustCapital phone number, hang up and call the iTrustCapital phone number listed in the “Get Support” section of your dashboard and we will verify your identity as noted above.

 

  • iTrustCapital Will NEVER:
    • Call or ask you to take any action in your account without first verifying your identity
    • Call you from our inbound-only phone numbers listed in the "Get Support" section of your dashboard
    • Call, email, or text to ask for your password, two-factor authentication codes, or private seed phrases or private keys to any wallet
    • Request that you send funds to an unfamiliar destination
    • Instruct you to grant remote access to your computer

 

  • If Something Seems Off:
    • Hang up
    • Do not respond or click on any links
    • Contact us directly via the numbers listed in the “Get Support” section of your dashboard or our official website
    • Let our team know so we can look into it

 

Security Measures in Place

  •  iTrustCapital requires all clients to set up Two-Factor Authentication
    • This helps prevent unauthorized access even when a password is compromised
       
  • Distributions and Withdrawals are only processed after completing our security and identity verification steps.

    • A U.S. bank account in your name is required for all USD distributions and withdrawals.

     

  • iTrustCapital utilizes proprietary technology to custody digital assets, working with some of the most respected names in crypto for digital asset institutional storage, including Coinbase Custody, Fidelity Digital Assets, and Fireblocks. Highlights include:
    • Multi-Party Computation (MPC)
    • Offline Cold Storage
    • Providers undergo regular security and financial audits by external firms and have been awarded SOC 2 Type II certifications
    • Commercial Crime Insurance Policies

       

  • iTrustCapital has built a strong and dedicated Client Experience Team that is available to answer any questions or concerns regarding security measures. 

 

FAQs

  • What should I do if my personal information has been compromised?
  • Please contact us immediately at (562) 600-8399 or Submit a Support Request. We recommend taking similar precautions with all your financial platforms.

 

  • How do I change my password?
  • Select "Change Password" on your dashboard, or select "Forgot Password" on the login page to receive a reset link by email.

 

  • How can I change/update my 2FA?
  • For help with your 2FA, please contact us at (213) 558-4174. Our call center is open Monday-Friday 7AM-5PM PT. Please note that you're not able to update your 2FA without getting in touch with one of our representatives over the phone.

 

  • My iTrustCapital account was breached, can the hacker withdraw my crypto? What should I do next?
  • iTrustCapital products are built using a secure, closed-loop system. Client accounts are not linked to external wallets, and hot wallets are not used to store our clients' crypto. Withdrawals/distributions can only be completed after going through our verification steps, and a U.S. bank account in your name is required for all USD distributions and withdrawals. If you believe your account was breached, please contact us immediately.

 

 

 

Additional Information

Common Threat Vectors:

Phishing and Social Engineering

Phishing remains one of the most prevalent threats facing crypto investors today. These attacks typically involve fraudulent communications designed to trick you into revealing sensitive information. Scammers may impersonate legitimate companies, customer support representatives, or even other investors to gain your trust.

Modern phishing attempts can be remarkably convincing. They often use official-looking logos, professional language, and create a sense of urgency to pressure you into acting quickly without thinking critically.

Here are some real-world examples of what these attacks might look like:

  • Email Phishing: You might receive an email that appears to be from your crypto platform with a subject line like "URGENT: Account Verification Required" or "Suspicious Activity Detected on Your Account." The email looks professional, uses the company's branding, and includes a link asking you to "verify your account immediately."

  • Text Message (SMS) Scams: A text message arrives claiming to be from customer support: "Security Alert: We've detected unusual login activity. Click here to secure your account" or "Your withdrawal has been initiated. If this wasn't you, verify here immediately."

  • Phone Call Impersonation: Someone calls claiming to be from your platform's security team asking you to confirm your two-factor authentication code or other sensitive information. They sound professional and may have spoofed the company's phone number.

  • Social Media Scams: Fake customer support accounts on Twitter or Instagram send you direct messages asking you to "verify your account" through a link or provide login information to "check your account status."

  • Fake Giveaways and Promotions: Messages promoting "exclusive opportunities" like "Send 1 ETH and receive 2 ETH back!" or requiring you to connect your wallet to claim rewards.

All of these messages create urgency, ask for sensitive information, and pressure you to act without verifying the source. Legitimate companies will never ask for your passwords, two-factor codes, or private keys through any of these channels.

Fake Websites and Apps

Cybercriminals create counterfeit websites and mobile applications that look nearly identical to legitimate platforms, designed to capture your credentials the moment you try to log in. 

These fake sites can be extremely convincing, copying everything from logos and color schemes to layout and functionality.

Watch out for URLs with slight misspellings like "itrustcapita1.com" (with a number 1 instead of the letter L) or additional words like "itrustcapital-secure.com." 

Be cautious of apps in app stores that use similar names and branding but come from unverified developers. Even sponsored search ads can lead to impostor sites; always double-check the URL before entering any login information.
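The lookalike patterns described above (a digit swapped for a letter, an extra word added to the name) can also be checked mechanically before a link is trusted. The following Python is an added example, not iTrustCapital's code; the confusable-digit map, the edit-distance threshold of 2, the function names and the sample links are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

OFFICIAL = "itrustcapital.com"   # official domain named on this page
BRAND = OFFICIAL.split(".")[0]   # "itrustcapital"
# Digits commonly substituted for similar-looking letters (assumed mapping).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname_of(url: str) -> str:
    """Lower-cased hostname of a link; bare hosts without a scheme are accepted."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def classify(url: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for the link's hostname."""
    host = hostname_of(url)
    if host == OFFICIAL or host.endswith("." + OFFICIAL):
        return "official"
    labels = host.split(".")
    # Assumes a single-label TLD such as .com; the label before it is the site name.
    site = labels[-2] if len(labels) >= 2 else host
    normalized = site.translate(CONFUSABLES)
    # Undo digit swaps and drop separators so added words cannot hide the brand.
    squashed = host.translate(CONFUSABLES).replace("-", "").replace(".", "")
    if BRAND in squashed or edit_distance(normalized, BRAND) <= 2:
        return "lookalike"
    return "unrelated"


# Constructed sample links; the two lookalikes are the ones quoted on this page.
SAMPLES = ["https://www.itrustcapital.com/login", "itrustcapita1.com",
           "https://itrustcapital-secure.com/", "https://example.org/"]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify(link):10} {link}")
```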

Malware and Keyloggers

Malicious software installed on your device can monitor your activity, capture keystrokes, or take screenshots when you access accounts. Once installed, these programs run silently in the background, recording everything you type including passwords and private keys.

This often comes from downloading suspicious apps that promise to track your portfolio or offer trading signals, opening email attachments that claim to be account statements or tax documents, or clicking on ads offering "free crypto tools" or software updates.

Always download applications only from official sources and be extremely cautious about what you install on devices used to access your accounts.

SIM Swapping

Scammers convince your mobile carrier to transfer your phone number to their device, allowing them to intercept SMS-based authentication codes and potentially gain access to your accounts. 

They typically do this by impersonating you and providing personal information they've gathered from data breaches or social media.

Warning signs include your phone suddenly losing service or displaying "no SIM" or "SOS only" messages, followed shortly by notifications of password changes, login attempts, or unauthorized transactions. If you experience unexpected loss of mobile service, contact your carrier immediately and check your accounts for any suspicious activity.

 

Security Practices:

Protect Your Credentials

Your password is your first line of defense. Use strong, unique passwords for each of your accounts; never reuse passwords across different platforms. A strong password should be at least 12 characters long and include a mix of uppercase and lowercase letters, numbers, and special characters.

You can consider using a reputable password manager to generate and store complex passwords securely. This eliminates the need to remember multiple passwords while ensuring each account has strong, unique credentials.

Enable Two-Factor Authentication

Two-factor authentication (2FA) adds an essential additional layer of security beyond just your password. Even if someone obtains your password, they won't be able to access your account without the second factor.

For maximum security, use authenticator apps rather than SMS-based 2FA when possible. Authenticator apps generate time-based codes that are more secure than SMS messages, which can be intercepted through SIM swapping attacks.

Safeguard Your Private Keys and Seed Phrases

If you use self-custody wallets, your private keys and seed phrases are the ultimate keys to your assets. Never share these with anyone, and never enter them into websites or apps unless you're absolutely certain of their legitimacy.

Store your seed phrases offline in a secure location. You can consider using physical storage methods like writing them down and keeping them in a safe or safety deposit box. Never store them in digital formats like screenshots, cloud storage, or email.

Verify Communications

Before responding to any communication claiming to be from a crypto platform or service, take time to verify its authenticity. Legitimate companies will never ask you to provide your password, private keys, or two-factor authentication codes through email, text messages, or phone calls.

If you receive an unexpected message about your account, don't click any links in the message. Instead, navigate directly to the official website by typing the URL into your browser or using a trusted bookmark, and log in to check your account status. Be aware that scammers will even use caller IDs to match the company they want to impersonate, appearing like a legitimate call from your crypto platform or services provider.

Be Skeptical of Urgency

Scammers often create artificial urgency to prevent you from thinking critically. Messages claiming your account will be closed, you'll miss a limited opportunity, or immediate action is required are common red flags. Legitimate companies give you time to respond to important matters and don't pressure you into immediate action.

Keep Software Updated

Regularly update your devices, browsers, and applications. Software updates often include critical security patches that protect against newly discovered vulnerabilities. Enable automatic updates when possible to ensure you're always running the most secure versions.

Use Secure Networks

Avoid accessing your crypto accounts on public Wi-Fi networks, which can be easily compromised. If you must use public networks, use a reputable VPN service to encrypt your connection and protect your data from potential eavesdroppers.

Monitor Your Accounts Regularly

Regular account monitoring helps you detect unauthorized activity quickly. Review your transaction history frequently and set up notifications for account activity when available. The sooner you identify suspicious activity, the better your chances of minimizing potential damage.

Red Flags to Watch For

Learning to recognize warning signs can help you avoid scams before they succeed. Be suspicious of:

  • Unsolicited contact about your accounts or investments
  • Requests for sensitive information like passwords or private keys
  • Pressure to act immediately without time to verify
  • Offers that seem too good to be true
  • Poor grammar or spelling in official-looking communications
  • Mismatched or suspicious email addresses and URLs
  • Requests to download software or grant remote access to your devices

 

Please feel free to contact us at (562) 600-8399 or Submit a Support Request if you need assistance.