How to install and set up MetaCert to protect your Crypto community from phishing attacks on Slack 🎣 💣

Paul Walsh
Oct 24, 2017

Until we update metacert.com, which is so out of date it’s embarrassing, this will be our go-to page to explain how to configure MetaCert for optimal protection against phishing attacks inside Slack.

1. Install MetaCert

Go to slacksecurity.metacert.com and pick a plan — you get a 7-day free trial to test drive the service. It takes just 7 seconds to install. If you tell us within 90 days that you don’t like it, we’ll give you a full refund.

Once installed, you get immediate phishing detection and protection for your Slack channels. But community members do not get automatic protection for Direct Messages. This must be configured separately.

2. Approve MetaCert for your community

a) After installing the app you must approve it within Slack. Select “APPS” on the left side of the window.

b) Search for MetaCert and select “View”.

c) Select the settings cog on the top of the window as shown in the screenshot to the left. Then select “Settings”.

d) The last step is to select “Approve for Team”. This will now allow users to authorize the app to protect their DMs.

3. Ask users to authorize MetaCert

As soon as you install MetaCert, you are taken to your personal dashboard where we recommend a message that you can post to your default channels. Below is a sample message that you can copy and paste.

Please go to https://slacksecurity.metacert.com/auth/users and authorize our security bot to protect you from private messages scams. It will remove slackbot phishing attacks and phishing DMs. If you don’t authorize the bot you might still get phishing messages. Thank you and stay safe.

Some communities post this message once per day to make sure members see it. Some post it more often. It’s entirely up to you.

4. Set up filter keywords

Most phishing attacks now come via DM. Some of them contain new phishing sites that haven’t yet been detected and labeled. Some contain legitimate websites and phishing wallet addresses. Either way, it’s next to impossible to stay on top of every new phishing scam before trigger-happy members looking for a special offer become victims.

Go to Direct Messages on your dashboard. Create keywords that are typically used in phishing scams. For example, you should start with “ico security”, “special announcement” and “hard fork”. You can add as many as you like. This isn’t restricted to phishing-related keywords — you can add profanity if you wish.

DMs that contain one or more keywords will be automatically deleted so fast that members won’t even know they had a message to begin with. This is a killer feature.

This feature will soon be extended to channels.
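
A keyword list can be tried against sample messages before it goes into the dashboard. The following is an added example, not MetaCert's code and not part of the original post: the normalization and whole-phrase matching are assumptions about how a phrase filter could work, and the sample DMs are constructed.

```python
import re
import unicodedata

# Starter phrases suggested in the article.
KEYWORDS = ["ico security", "special announcement", "hard fork"]

def normalize(text):
    """Fold case and Unicode compatibility forms, and turn every run of
    punctuation or whitespace into one space, so re-cased or re-spaced
    copies of a phrase compare equal."""
    text = unicodedata.normalize("NFKC", text).casefold()
    return re.sub(r"[\W_]+", " ", text).strip()

def compile_keywords(keywords):
    """Map each keyword to a whole-phrase pattern over normalized text."""
    return {
        kw: re.compile(r"(?<!\w)" + re.escape(normalize(kw)) + r"(?!\w)")
        for kw in keywords
    }

def matched_keywords(message, patterns):
    """Return the keywords found in one message (empty list = no hit)."""
    text = normalize(message)
    return [kw for kw, pat in patterns.items() if pat.search(text)]

def triage(messages, keywords=KEYWORDS):
    """Pair every message with the keywords that would trigger on it."""
    patterns = compile_keywords(keywords)
    return [(msg, matched_keywords(msg, patterns)) for msg in messages]

# Constructed sample DMs: two scam-style, two legitimate.
SAMPLES = [
    "SPECIAL   ANNOUNCEMENT: claim your bonus tokens today",
    "Hard-fork snapshot! Send ETH to the wallet below",
    "Lunch at Orchard Forks today?",
    "Is the hard fork date confirmed yet?",
]

if __name__ == "__main__":
    for msg, hits in triage(SAMPLES):
        print("FILTERED" if hits else "kept    ", hits, "|", msg)
```

The last sample is a legitimate question that still matches “hard fork”, which is the kind of false positive worth checking for before a phrase goes into a filter that deletes messages.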

5. Set up a dummy user account

Cybercriminals are good. They know how to avoid sending scams to admins and moderators. To see what members see, create a normal user account — and authorize MetaCert to protect it so you can catch the ones that slip through the net. You should be adding to your keyword list on a regular basis. The bad guys will eventually figure out that you are using keyword filtering and are likely to move on to a less secure community.

6. Create a #security channel

We find this works extremely well in many communities. Create a #security channel and pin the above message with the /auth/users link so it’s easy for new members to learn how to protect their DMs. Send me an invite and I’ll join — we will provide support to members and your team — think of us as your personal law enforcement agency — but friendly 👮

You can also encourage members to report suspicious links and suspicious people in here so your team and MetaCert can work together to keep your community safe.

Things to remember

  1. Only the person who installed MetaCert can log into the dashboard to add keywords. Make sure this person is the main Slack admin/moderator. Multi-user login is on our short-term roadmap.
  2. MetaCert’s software is not designed to read messages. It only listens for the keywords that you add to our security app. Your privacy and the privacy of your community are extremely important to us. Trust is our currency. Without trust we have nothing to offer.

We are members of quite a few communities as we want to feel the pain as felt by community members and moderators. We literally have a global perspective on phishing across the Crypto world. As soon as an attack takes place we can see it move across multiple communities around the world. We are building additional features that will see the automatic banning of bad actors as soon as they do something illegal inside one community — so all communities can benefit.

I have spoken to many people who have lost money and I’ve spoken to people who thank us daily for protecting them from scams. I know we/you are adding real utility. It’s not just an insurance certificate. If your Slack isn’t being targeted yet, it just means you haven’t attracted enough attention yet. It’s just a matter of time. ⏰

On behalf of your community and my team, I’d like to thank you for caring enough to protect your community members from phishing attacks. I’ve seen so many people lose their life’s savings. It’s sad. Very sad. But what gets me out of bed every day is knowing that there are so many teams behind token launches and ICOs that care enough to implement better security to protect their community members.

Thank you! 😀


Paul Walsh

MetaCert CEO. Passionate about Cybersecurity, Blockchain, Crypto, Snowboarding & Red Wine. Part of the AOL team that launched AIM. Co-founded 2 W3C Standards.