
  Thread: Prevention of account phishing

  1. #11
    Forum All-Star
    Join Date
    Nov 2014
    Posts
    4,209
    Quote Originally Posted by Kaledonian View Post
    Your OP scatters unnecessary details like confetti & you seem not to grasp how scammers can put together enough information to compromise accounts!

    If you want to discuss a new security system, do so on its own merits. Saying this happened to X & that happened to Y is not relevant without context.

    Exactly from me too.

    I too am wondering about this phishing. How did it happen? Was it the free gems scam? SuperCell could counter that in the chat by filtering, and I think maybe they do now.

    What was the enticement to enter your password? Playing multiple accounts for years on end, I note that I never have to enter my password anywhere, so if suddenly something asked for it, I would be suspicious. Fixing phishing problems is largely the human component. So, tell us what happened, but while telling us, stop tossing around your private information.

  2. #12
    Senior Member ziya645's Avatar
    Join Date
    Dec 2020
    Location
    ↑The Forum meme guy.
    Posts
    373
    I'm very sorry for what happened, but at the same time I'm confused. I would never give my password or private information to anybody, even if it were going by the name of being SC employee. And I'm sure many feel the same way as I do. The main reason I am confused is because you made an account for some stranger (if it were family, a trusted friend I understand).
    Btw, I wasn't so clever myself before (when I was younger, with an ER at the end). I went through things for free gems and oh boy! And by oh boy I mean that future me is relieved that nothing happened!
    People don't get their account stolen out of the blue. The account holder does something to cause it to all go crashing down.

    Point is, if you got phished, it's your fault. NOT Supercell's
    Last edited by ziya645; January 28th, 2021 at 04:59 AM.

  3. #13
    Forum All-Star
    Join Date
    Nov 2014
    Posts
    4,209
    Quote Originally Posted by ziya645 View Post
    I'm very sorry for what happened, but at the same time I'm confused. I would never give my password or private information to anybody, even if it were going by the name of being SC employee. And I'm sure many feel the same way as I do. The main reason I am confused is because you made an account for some stranger (if it were family, a trusted friend I understand).
    Btw, I wasn't so clever myself before (when I was younger, with an ER at the end). I went through things for free gems and oh boy! And by oh boy I mean that future me is relieved that nothing happened!
    People don't get their account stolen out of the blue. The account holder does something to cause it to all go crashing down.

    Point is, if you got phished, it's your fault. NOT Supercell's

    For fun, and curiosity, with no intention of falling for the free gems scam, I toyed with them. They wanted my COC account details so that they could deposit the gems. I could it was enticing, even if not sophisticated.

    I think I read that you may even get some gems out of the scam. You pay them money, they deposit gems, using a stolen credit card. A money laundering process. Maybe they don't always take over your account, and use it to spam. Money laundering is very hard to combat.

  4. #14
    Kaptain Kat's Avatar
    Join Date
    Oct 2012
    Location
    Rundum Hause
    Posts
    12,381
    This post Darian made on a different thread just a few days ago is very applicable...

    Quote Originally Posted by Darian[Supercell] View Post
    That's the thing about scammers/phishers. The good ones rarely make their intentions obvious until it's too late. There's a reason why scamming is a multi-billion dollar industry. Good scammers are charismatic, manipulative, and convincing. They are also relying on the fact you have no idea just how useful the information you gave them really is, especially when you think the information is banal or mundanely useless.

    The fact they leave you blaming a lax in security instead of blaming yourself shows A) just how manipulative they are and B) how willing you are to deflect blame in order to admit to falling for a scam.

    Admittedly, that second one is a tough pill to swallow. No one likes admitting they made a mistake, and that's especially so when you have to face severe consequences for those actions. But as I said before, we can tell the difference between someone's compromised account vs. someone who fell victim to a scam or gave/bought/sold their account. Usually if the account is compromised, Support is fairly quick at restoring access to those accounts. But because there's no reason to voice any complaints about it, you don't read about those thousands of success stories. What we do hear about on the forums are those examples where support was unable to restore the account because they can see suspicious or fraudulent activity on the account.

    Thank you! ClashOfHolmes for an awesome sig!

    Just call me K, my name is too difficult to spell.
    Hay Day | Level: 120 | # VL8GVUL | Main Hay Day Topics | Forum Rules | HD Wiki
    Clash of Clans | Level: lost count at 200 | #Y0VJUJG

  5. #15
    Pro Member chilepepper101's Avatar
    Join Date
    Jul 2020
    Location
    Your Looking At It
    Posts
    554
    Quote Originally Posted by MarsClasher View Post
    The damage has been done, phishers are ruining the game for us. Taking active players left and right, we have nothing left but to ask for help urgently. Supercell, you need to do something urgently about your account recovery system and I mean urgently. This is probably the most important message you're ever going to receive from a player. And hopefully Darian or Eino sees this and makes a change.
    Too many accounts are being phished and stolen all the time and I mean active players as well. In the last week/month:

    A th9 player named [redacted by Forum Moderator] (level 290/free to play/#[redacted]/@[redacted]on Instagram) was phished and upgraded from th9 to th11 within 2 hours.

    2 days ago, a guy named [redacted] (founder of the [redacted]) was phished. His th8/lvl 350 was upgraded from th8 to th11 yesterday. He also held the world record for most donations in a single season at th8: 1.37 million in December 2019! That’s insane for a th8.

    An amazing friend of mine named [redacted] had his th10 phished and lost his clan about 1 month ago. Lucky for him, he got his clan back.

    The infamous [redacted] got phished. Nothing happened.

    And most importantly my good mate [redacted] Last 24 hours, I have been trying to recover his th7 that had been attempted to be phished and stolen but instead it got locked. It’s lvl 323 and he can’t recover it because he needs the first receipt on the account. But over the last year, he has spent over $25000 on 100+ accounts making it impossible for him to recover his th7.

    Even I have been phished and banned: back in December 2019, my th10/lvl 227 was phished as I was attempting to donate 1 million troops in a single season in the most famous donation clan(record holding clan for most donos in a single season: 21.7 million in November 2020! [Redacted]
    Sadly my th10 was upgraded to th13 and then banned for some reason.
    I wanna suggest an incredible idea that will stop everyone’s account being phished:
    ———————————————————
    A security question to each account
    ———————————————————
    If you think about it, only the real owner would know the answer to the security question which would likely make him like the real owner of the account. Players should either make up their own questions or either you could give us a question and we put an answer to it.
    Examples:
    What is your real name?
    What year/month were you born?
    When is your birthday?
    And many more.

    This would make the game 100% better to play. Many Og clashers have retired/quit cause of this due to their:
    1: high pb accounts stolen/upgraded
    2: High XP lvl accounts stolen and upgraded (shooter and crafty)
    3: Their high war star account stolen and upgraded (1500+ war stars)
    4: Their old obstacle accounts stolen and upgraded/banned (2012 stone/tree-2014/15 tree)

    Supercell, you really need to fix your recovery system ASAP. Adding a security question to every active person's account from the day the update comes out (if you can do that which would save your game entirely) will change everything. I guess this is it from me. Hopefully you read this all and add my idea into the game. It’ll change a lot and save a wonderful amount of people’s accounts being phished. Please supercell, save us.
    If your friends whose accounts were phished are anything like you then the reason they were phished is crystal clear.

    Not to be mean or anything but you are being extremely careless with your own and your friends' personal information! Every time you mention a player or clan you add all possible information like tag, name, and even out of game contact information! This is like 100x the information needed by phishers to access your account. You are saying phishers are stealing accounts left and right, and while that may be true, they are focusing on those who give out information so carelessly, and it appears you and your friends are part of that group.

    Quote Originally Posted by Phoenix1027 View Post
    An account is as secure as the player that plays it. Your idea does nothing to help the security of an account. A phisher will just ask players for the answer to their security question, and players will be dumb enough to give it out. You can't fix player stupidity and that is the underlying cause of account scams.
    My thoughts exactly. I posted something painfully similar in the "how secure is ID" thread:

    "I also agree with the fingers on the hand statement, as supercells security is rather unique, as a large part of its integrity is up to the player, the more information you share, the less effective it becomes. so when i figured this out, it really makes you realize that losing your account to phishing without spilling any key information at all is next to impossible and can only be done by the best of hackers, and i doubt lex luthor or Lisbeth Salander wants to steal your clash of clans account. so you can truthfully say its all the players fault."

    So the less info you give out, the more secure your ID gets. And because so many players are so careless with information, their IDs are at high risk. And the irony is that they come onto here afterwards and either beg supercell to increase account security or point an angry finger at supercell accusing them of cheap account security and poor customer service.

    Quote Originally Posted by MarsClasher View Post
    It’s not like that: a guy can simply ask someone to make an account for them, they get access to the account and then the receiver of the account can “instalink” all of the players accounts. This shop we to crafty. [Redacted] was just phished normally
    and so after a moderator censored all the personal info of your friends in your original post you continue to add such information to your posts? idk if you realize this but every post on here is visible to anyone in the world with a device. so anyone on here could be a phisher, and you just led them into a candy shop.

    played clash of clans for 3 years...or was it 4? Signature courtesy of terminus prime and his shop
    my main account: https://www.clash.ninja/stats-tracke...ctor-9990lcc2p
    my clan thread: https://forum.supercell.com/showthre...nation-clan%21

  6. #16
    Senior Member ziya645's Avatar
    Join Date
    Dec 2020
    Location
    ↑The Forum meme guy.
    Posts
    373
    Quote Originally Posted by George1971 View Post
    For fun, and curiosity, with no intention of falling for the free gems scam, I toyed with them. They wanted my COC account details so that they could deposit the gems. I could it was enticing, even if not sophisticated.

    I think I read that you may even get some gems out of the scam. You pay them money, they deposit gems, using a stolen credit card. A money laundering process. Maybe they don't always take over your account, and use it to spam. Money laundering is very hard to combat.
    My account always hovered over 0-100 gems back then. 100 if I was super lucky (Quick donation addiction). I've never been high on gems at the time so that is sufficient proof. Not anymore though soooo.
    Also I don't have a Credit Card linked to my email that uses SCID. But I'm sure what you said is true and it may have happened to others.

  7. #17
    Pro Member chilepepper101's Avatar
    Join Date
    Jul 2020
    Location
    Your Looking At It
    Posts
    554
    Quote Originally Posted by ziya645 View Post
    My account always hovered over 0-100 gems back then. 100 if I was super lucky (Quick donation addiction). I've never been high on gems at the time so that is sufficient proof. Not anymore though soooo.
    Also I don't have a Credit Card linked to my email that uses SCID. But I'm sure what you said is true and it may have happened to others.
    I always make sure to have at least 50 gems in store.... and i save them specifically for donations (i usually get a gold pass, so everything costs one gem) and certain magic items from trader.

    but even though i have some patience, i dont have enough to save to over 1000

    I first started playing clash of clans in 2015 when i was relatively young to play it (i was around 9-10) especially with global, but i had and still do have a pretty thick skin and its hard to insult me, so my parents allowed it with some hesitation. And boy was global harsh!
    there was a lot of players dropping curses left and right, but wasn't usually directed towards anyone, so not many cared, but as a step-up then you had those who tried to use COC global chat as eHarmony, another step up you had about 30 town hall 5-7 players with their own little low level clans swarming town hall 9's and 10's with no clan, going "join me! join me!". so they'd have to leave. another step up you had those who made sex ref's, called everyone terrible things, and spammed the infamous "#clearchat" so no one could talk on global. no wonder why supercell decided to remove it!

    but the final step up is all these websites who claim to program 1000000000000 gems into your account. now they looked legit in a 10 year old's eyes, and as a 10 year old, i had no doubts. i tried out a few but never got past the stage where they ask for you to download all these apps and play them for 30 seconds, some asked for credit cards, and most asked for player tag. That is where i started to smell something fishy and stopped right away. I feel lucky i never followed through because 1, i could have been perma banned, 2, i could have had my account stolen, or 3, i could've gotten into legal trouble.

    I have not so much as searched "free COC gem sites" in a good 3 years.

    im very glad nothing like that happened. so if a child in 2015 could smell something off and not fall for those, so can all you 20+ 2020 adults can too!

    I can see how deceptive the other phish methods are, and even now im sure i could unknowingly give such information to a phish.
    Last edited by chilepepper101; January 28th, 2021 at 04:54 PM.

    played clash of clans for 3 years...or was it 4? Signature courtesy of terminus prime and his shop
    my main account: https://www.clash.ninja/stats-tracke...ctor-9990lcc2p
    my clan thread: https://forum.supercell.com/showthre...nation-clan%21

  8. #18
    SharkyFinn's Avatar
    Join Date
    Mar 2014
    Location
    Everywhere. Always watching.
    Posts
    11,781
    To me, these comments stand out among the rest.

    Quote Originally Posted by MarsClasher View Post
    And most importantly my good mate [redacted] Last 24 hours, I have been trying to recover his th7 that had been attempted to be phished and stolen but instead it got locked. It’s lvl 323 and he can’t recover it because he needs the first receipt on the account. But over the last year, he has spent over $25000 on 100+ accounts making it impossible for him to recover his th7.
    First, you've admitted to attempting to gain control of someone else's account and you don't see any problem with this. You even seem to believe that Support should somehow help you in this endeavor. How is Support supposed to discern the difference between one player who has absolutely no rights to another player's account attempting to get control of it for what they believe is a noble reason and another player who has absolutely no rights to another player's account attempting to get control of it for nefarious reasons? All they can determine is that a player who has absolutely no rights to another player's account is attempting to get control of it. Do not do this. Do not contact Support and attempt to gain control of another player's account for any reason. In this case, you have become the phisher and will likely end up getting banned for phishing. Why on earth can't the player who owns the account contact Support on their own? Why do they need a third-party to represent them? Isn't that the exact kind of phishing scam you claim players are falling victim to? And isn't involving yourself in the account ownership process the exact kind of situation that you've highlighted as exposing yourself to getting ripped off?

    Quote Originally Posted by MarsClasher View Post
    It’s not like that: a guy can simply ask someone to make an account for them, they get access to the account and then the receiver of the account can “instalink” all of the players accounts. This shop we to crafty. [Redacted] was just phished normally
    This is a bizarre choice to intentionally breach the terms of service and expose yourself to a problem. Since account sharing is prohibited, it's a violation of the terms of service for one player to create an account and give it to another player. It's also the exact situation you described where you are attempting to gain ownership of a TH7 account and give it to another player. It doesn't even make sense from a practical standpoint. It's not difficult to create an account, so why would there ever be a need for a player to create an account for another player? If someone asks you to do something for them that they can easily do themselves, you should first question why. To me, this falls in line with every other scam you should also avoid.

    "Hey, I lost my key and can't get into my house. Can you climb through the window and unlock the door for me?"
    "Hey, I don't have a bank account. Can you cash this check for me?"
    "Hey, I found this jewelry but can't return it for the reward. Can you return it for me and advance me half the reward money?"
    "Hey, I lost my account. Can you recover it for me and then give me the credentials?"

    Quote Originally Posted by MarsClasher View Post
    2 days ago, a guy named [redacted] (founder of the [redacted]) was phished. His th8/lvl 350 was upgraded from th8 to th11 yesterday. He also held the world record for most donations in a single season at th8: 1.37 million in December 2019! That’s insane for a th8.

    ....

    Even I have been phished and banned: back in December 2019, my th10/lvl 227 was phished as I was attempting to donate 1 million troops in a single season in the most famous donation clan(record holding clan for most donos in a single season: 21.7 million in November 2020! [Redacted]
    Sadly my th10 was upgraded to th13 and then banned for some reason.
    I'd like to know more about these particular phishing incidents, how you fell victim to it, and what it has to do with the goal of donating a massive amount of troops in a single season. It feels like in order to attain this goal of non-stop donations, you and your friend may have allowed other players to play your accounts when you're not available, breaching everything we know about keeping a secure account and opening yourselves to security problems. Otherwise, I don't really understand how attaining a massive amount of donations fits into this topic or would make you more likely to lose your accounts than any other players.

    SharkyFinn.com Official Web Site -+- SharkBite YouTube Channel
    USAR (#2GR9YCGR) - Level 21 - 763 Clan War wins
    Private Message - + - Forum Rules - + - Contact on Groupme

  9. #19
    Pro Member chilepepper101's Avatar
    Join Date
    Jul 2020
    Location
    Your Looking At It
    Posts
    554
    Quote Originally Posted by SharkyFinn View Post



    First, you've admitted to attempting to gain control of someone else's account and you don't see any problem with this. You even seem to believe that Support should somehow help you in this endeavor. How is Support supposed to discern the difference between one player who has absolutely no rights to another player's account attempting to get control of it for what they believe is a noble reason and another player who has absolutely no rights to another player's account attempting to get control of it for nefarious reasons? All they can determine is that a player who has absolutely no rights to another player's account is attempting to get control of it. Do not do this. Do not contact Support and attempt to gain control of another player's account for any reason. In this case, you have become the phisher and will likely end up getting banned for phishing. Why on earth can't the player who owns the account contact Support on their own? Why do they need a third-party to represent them? Isn't that the exact kind of phishing scam you claim players are falling victim to? And isn't involving yourself in the account ownership process the exact kind of situation that you've highlighted as exposing yourself to getting ripped off?



    This is a bizarre choice to intentionally breach the terms of service and expose yourself to a problem. Since account sharing is prohibited, it's a violation of the terms of service for one player to create an account and give it to another player. It's also the exact situation you described where you are attempting to gain ownership of a TH7 account and give it to another player. It doesn't even make sense from a practical standpoint. It's not difficult to create an account, so why would there ever be a need for a player to create an account for another player? If someone asks you to do something for them that they can easily do themselves, you should first question why. To me, this falls in line with every other scam you should also avoid.

    "Hey, I lost my key and can't get into my house. Can you climb through the window and unlock the door for me?"
    "Hey, I don't have a bank account. Can you cash this check for me?"
    "Hey, I found this jewelry but can't return it for the reward. Can you return it for me and advance me half the reward money?"
    "Hey, I lost my account. Can you recover it for me and then give me the credentials?"

    The "Trying to get my friend's account back" reason seems to be a very popular one on here when users make an account and complain about getting banned from the game.

    since it is also a very popular way accounts are phished, it raises the question to how many of those that are banned trying to "recover" their "friends" accounts are actually phishers.

    im sure most aren't, but there are just too many for at least a handful to be scammers.

    played clash of clans for 3 years...or was it 4? Signature courtesy of terminus prime and his shop
    my main account: https://www.clash.ninja/stats-tracke...ctor-9990lcc2p
    my clan thread: https://forum.supercell.com/showthre...nation-clan%21

  10. #20
    Senior Member ziya645's Avatar
    Join Date
    Dec 2020
    Location
    ↑The Forum meme guy.
    Posts
    373
    Quote Originally Posted by chilepepper101 View Post
    I always make sure to have at least 50 gems in store.... and i save them specifically for donations (i usually get a gold pass, so everything costs one gem) and certain magic items from trader.

    but even though i have some patience, i dont have enough to save to over 1000

    I first started playing clash of clans in 2015 when i was relatively young to play it (i was around 9-10) especially with global, but i had and still do have a pretty thick skin and its hard to insult me, so my parents allowed it with some hesitation. And boy was global harsh!
    there was a lot of players dropping curses left and right, but wasn't usually directed towards anyone, so not many cared, but as a step-up then you had those who tried to use COC global chat as eHarmony, another step up you had about 30 town hall 5-7 players with their own little low level clans swarming town hall 9's and 10's with no clan, going "join me! join me!". so they'd have to leave. another step up you had those who made sex ref's, called everyone terrible things, and spammed the infamous "#clearchat" so no one could talk on global. no wonder why supercell decided to remove it!

    but the final step up is all these websites who claim to program 1000000000000 gems into your account. now they looked legit in a 10 year old's eyes, and as a 10 year old, i had no doubts. i tried out a few but never got past the stage where they ask for you to download all these apps and play them for 30 seconds, some asked for credit cards, and most asked for player tag. That is where i started to smell something fishy and stopped right away. I feel lucky i never followed through because 1, i could have been perma banned, 2, i could have had my account stolen, or 3, i could've gotten into legal trouble.

    I have not so much as searched "free COC gem sites" in a good 3 years.

    im very glad nothing like that happened. so if a child in 2015 could smell something off and not fall for those, so can all you 20+ 2020 adults can too!

    I can see how deceptive the other phish methods are, and even now im sure i could unknowingly give such information to a phish.
    Your life is so similar to mine.
    Currently I am trying to get my 5th builder still as a TH11 almost max. So I have 1000 gems saved up right now.
    Last edited by ziya645; 4 Weeks Ago at 01:53 AM.
