A cryptocurrency investor lost $3 million in a phishing scam after signing a malicious blockchain transaction without verifying the contract address, highlighting the risk posed by digital asset scams.

A single wrong click was all it took to drain $3 million worth of USDt (USDT) from an investor who failed to verify the contract address before signing the blockchain transaction.

“Someone fell victim to a phishing attack, signed a malicious transfer, and lost 3.05M $USDT,” according to a Wednesday X post from blockchain analytics platform Lookonchain. “Stay alert, stay safe. One wrong click can drain your wallet. Never sign a transaction you don’t fully understand.”

Crypto phishing attacks are social engineering schemes in which attackers share fraudulent links to steal victims’ sensitive information, such as private keys to cryptocurrency wallets.

Like most investors, the victim probably validated the wallet address by only matching the first and last few characters before transferring the $3 million to the malicious actor. The difference would have been noticeable in the middle characters, often hidden on platforms to improve visual appeal.

Related: Lazarus Group laundered over $200M in hacked crypto since 2020

Highlighting the need for more investor due diligence, another victim lost over $900,000 worth of digital assets to a sophisticated phishing attack on Sunday, 458 days after unknowingly signing a malicious approval transaction to a wallet-draining scam, Cointelegraph reported.

These amounts pale in comparison to the $71 million lost to a wallet poisoning scam in May 2024, which took a surprising turn when the scammer had a change of heart and returned the $71 million in two weeks after folding to the growing pressure from global blockchain investigators who revealed the attacker’s potential Hong Kong-based IP address.

Related: CrediX recovers $4.5M in crypto after successful exploit negotiation

Crypto phishing attacks top security concern of 2024

Hackers are gradually shifting their focus from code to exploiting vulnerabilities in human psychology, which may be easier to bypass than protocol guardrails. 

Phishing attacks were the most costly attack vector for the crypto industry in 2024, netting attackers over $1 billion worth of stolen digital assets across 296 incidents, according to CertiK’s annual Web3 security report

Out of the almost 300 phishing attacks in 2024, at least three resulted in over $100 million worth of losses.

“Phishing was the most costly attack vector last year,” a CertiK spokesperson told Cointelegraph. “Our figures are conservative; the actual figure is higher when you consider unreported incidents and other types of phishing scams like pig butchering.”

To counter this growing threat, the security team of Binance, the world’s largest exchange, developed an “antidote” against address poisoning scams, which launched an algorithm that detected nearly 15 million poisoned addresses, Cointelegraph reported in May 2024.

Magazine: $12.1M fraud suspect with ‘new face’ arrested, crypto scam boiler rooms busted: Asia Express