How crypto companies can reduce the risk of phishing scams with an Extended Validation Certificate

Paul Walsh
4 min readSep 5, 2017


The problem

SSL Certificates do one thing and only one thing — they encrypt the data while it’s being transmitted between your website and your site visitors. This makes it virtually impossible for third-parties to hack the connection. If it wasn’t secure, hackers could steal their personal information as it’s typed into the browser.

This is what a browser displays when you have a basic SSL Certificate

Browsers can tell when your site has an SSL, allowing them to display the padlock in the address bar. When an imposter builds a website to look exactly like yours, they too can implement an SSL Certificate. In fact, they’re free!

Unfortunately, when visitors see the padlock they jump to the wrong conclusion. They assume the website can be trusted. This is wrong. The site is “secure”, but that doesn’t mean the site owner can be trusted. Visitors have no way to know if their information is going to the right website owner.

What to do

Buy an Extended Validation Certificate (EV Cert).

Browsers display the company name when an Extended Validation Certificated is detected

EV Certs are more expensive but well worth it for crypto websites specifically. I personally believe they’re way too expensive and come with an overly complicated process. But they are worth it — for crypto companies in particular.

To buy an EV Cert you must prove who you are and that you own your domain name. The Certificate Authority from whom you buy the cert, will then award you an EV Cert which proves to the browser, that you own your domain. The browser will then upgrade your basic padlock to display your company name. This cannot be hacked. Impersonators will not be able to buy a domain like yours and pretend to own your company.

This is by no means perfect. And you will need to educate your community to look out for your company name in the address bar at all times.

Take the extra step

This next tip is specifically for websites that require visitors to log in to buy, sell or store cryptocurrencies.

There is a little overhead in terms of design and development costs, but I believe it’s well worth the extra effort to reduce the risk of people having their wallets emptied. An investor who feels more safe when investing in your company, is an investor that will likely invest more money and tell more people about their experience.

MyEtherWallet has placed a message at the top of its website to tell users that they should always look out for the “fat MYETHERWALLET LLC Certificate up there.” Their approach actually inspired me to take this a step further.

Impersonators are constantly building websites that look exactly like MyEtherWallet. They even include the warning message that you can see with the red background. And for this reason, visitors assume it’s the real website because they don’t take the time to read the message. They see a secure lock, they see a legitimate warning message, login, and lose the contents of their wallet.

The extra step

I would like to encourage the inclusion of a banner that looks like the one I’ve designed below.

By placing a screen shot of what the address bar should look like, I think it should increase the likelihood of visitors noticing that the phishing sites aren’t real. I could be wrong. But I don’t think I am. The warning message doesn’t need to be permanent. You can design it with some slick animation and have it disappear after x-number of seconds.

If you decide to implement my recommendation please let me know how you get along.

MetaCert plans to build browser add-ons that turn the entire address bar red when it detects a known phishing website and a known phishing wallet address. It will also turn the entire address bar green for sites and wallets that have been whitelisted. Our COO and some of our engineers were responsible for building the official add-ons for digg, Delicious, Yahoo!, eBay, PayPal and Google. They will be well engineered, secure and fast. And we’ll be sure to open source the code too.

Please tap or click “👏” to let Paul and others know that you appreciated this post. The number of claps indicates how much you liked the post and support its content, so put those hands together as many times as you like. And please share it to help inform companies launching new Tokens, ICOs and wallets so they can keep their investors safe from cybercriminals. 🔒



Paul Walsh

MetaCert CEO. Passionate about Cybersecurity, Blockchain, Crypto, Snowboarding & Red Wine. Part of the AOL team that launched AIM. Co-founded 2 W3C Standards.