Boosting email security amid recent Coinbase phishing attempts

In recent weeks, there have been reports of sophisticated phishing attacks disguised as official communication from the cryptocurrency platform, Coinbase. These phishing emails closely mimic Coinbase’s branding and language to build recipient trust and prompt clicks on malicious links. The subject lines of these emails generally follow a format: the sender’s address starts with either info@[domain], noreply@[ domain], or contact@[domain], followed by:

  1. Action Required: [string of text]. [date and time]
  2. Please complete your Coinbase verification
  3. Restricted account — You need to complete your Coinbase verification

Red Sift’s research indicates that the attackers are forwarding these emails from Google using Google Groups. The attacker will create a domain on Google Workspace, and then email the group that was set up from the spoofed domain. By using Google’s IP reputation, lack of guardrails in Google Groups, and use of ARC, they hope to bypass spam filters.

Notably, one bad actor’s email address, traced through a reverse search, was linked to 400 domains registered since September 2024.

What is phishing? 

Phishing emails rely on a technique known as email spoofing, which involves falsifying the sender’s address to make the email appear as though it’s coming from a legitimate source. This tactic effectively deceives recipients,, making it hard for even cautious users to distinguish fraudulent emails from real ones. Bad actors masking as Coinbase make the user more likely to fall for urgent or alarming messages given the financial implications of not taking action. 

Coinbase is just one of many high-profile brands exploited for its recognition, routinely imitated for use in phishing campaigns. This prevalence underscores the urgent need for companies to take proactive measures in securing email domains against unauthorized use, ensuring that their customers aren’t exposed to increasingly sophisticated phishing scams. A comprehensive approach to email security, including advanced authentication protocols like Domain-based Message Authentication, Reporting, and Conformance (DMARC) is essential to mitigate this risk.

Implementing a DMARC policy is the first step in combating email spoofing. DMARC allows organizations to define who is authorized to send emails from their domain and specifies how to handle messages that fail authentication checks.  This is how Red Sift was able to identify the attack, after a noticeable spike in DMARC rejections from emails sent via Google. Achieving a DMARC policy of p=reject is the most secure approach, as it ensures that any unauthenticated email that fails the verification process is automatically blocked, protecting the sender and receiver. 

How Red Sift’s OnDMARC can support financial services with email security

Red Sift’s OnDMARC solution is a powerful tool for companies aiming to achieve DMARC compliance with ease and confidence. OnDMARC guides businesses through the process of setting up and optimizing their DMARC policies, helping them transition from p=none or p=quarantine to p=reject. OnDMARC simplifies this complex process, helping authorize legitimate senders while blocking fraudulent emails. This level of protection is invaluable for companies like Coinbase, which face heightened impersonation risks.

OnDMARC also provides detailed reporting and forensics, allowing companies to monitor email authentication attempts and detect any unauthorized email activity early, thereby proactively mitigating potential risks. This visibility has played a vital role in protecting Red Sift customers from phishing attacks disguised as legitimate Coinbase emails. In addition, OnDMARC also offers support for organizations at all stages of DMARC implementation, whether they’re just starting or are looking to refine an existing policy. For high-traffic domains, this service is critical in providing assurance that their emails are authenticated and that any unauthorized attempts are promptly rejected.

Today, managing cybersecurity threats requires a robust and automated approach, designed to counter the increase in phishing and spoofing attacks. Having  strengthened DMARC protection through a service like OnDMARC can significantly enhance a company’s email security posture. For financial services looking to protect their customers and maintain their brand’s reputation, OnDMARC offers a reliable and scalable solution, empowering them to stay ahead of bad actors. 

PUBLISHED BY

Jack Lilley

31 Oct. 2024

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
News

Red Sift now offered through GuidePoint Security in new partnership

Rahul Powar

Organizations seeking to elevate their cybersecurity posture can now benefit from Red Sift’s advanced innovations, supported by GuidePoint Security’s expertise in aligning the right solutions to each customer’s needs. BOSTON & LONDON, 08:00 ET/ 13:00 BST, 10 September 2025 – Red Sift today announced a strategic reseller partnership with GuidePoint Security, the leading U.S.…

Read more
Awards

From Europe to Asia Pacific: OnDMARC earns global recognition in G2’s Fall…

Francesca Rünger-Field

G2’s Fall 2025 Report is out, and Red Sift OnDMARC continues to earn recognition across the globe. This quarter, we were featured in 19 reports, including a new appearance in the Asia Pacific Regional Grid® Report for DMARC, reinforcing our position as a trusted solution for securing email and protecting brands worldwide. We also…

Read more
AI

AI supercharges airline phishing: Why email security must catch up

Rahul Powar

Executive summary: Only 1 in 5 airlines enforces DMARC at the highest level, leaving customers exposed to phishing attacks that are now supercharged by AI. With billions at stake and national security on the line, airlines must move fast by adopting strong email authentication, deploying AI to counter AI, and leading by example across…

Read more
DMARC

74% of US credit unions vulnerable to email spoofing: Is your organization…

Stuart Rogers

Email remains a heavy lifter for credit unions, whether it’s member notices, statements, loan workflows, or vendor coordination. That’s exactly why impersonation keeps paying, with the National Credit Union Association (NCUA) warning that all credit unions and vendors are active targets for phishing and social engineering, and urges rapid incident reporting when attacks hit.…

Read more