public/content/security/index.md (28 additions & 28 deletions)
Columns: original file line number, diff line number, diff line change
@@ -6,15 +6,15 @@ lang: en
6
6
7
7
# Ethereum security and scam prevention {#introduction}
8
8
9
-
With interest in cryptocurrencies growing, learning best practices when using cryptocurrency is essential. Crypto can be fun and exciting, but there are also serious risks. If you put in this small amount of upfront work, you can mitigate these risks.
9
+
Rising interest in cryptocurrency brings with it growing risk from scammers and hackers. This article lays out some best practices to mitigate these risks.
10
10
11
11
<Divider />
12
12
13
13
## Crypto security 101 {#crypto-security}
14
14
15
15
### Level up your knowledge {#level-up-your-knowledge}
16
16
17
-
One of the biggest reasons people get scammed in crypto generally is a lack of understanding. For example, if you don't understand that the Ethereum network is decentralized and owned by no one, then it's easy to fall prey to someone pretending to be a customer service agent that promises to return your lost ETH in exchange for your [private keys](/glossary/#private-key). Educating yourself on how Ethereum works is a worthwhile investment.
17
+
Misunderstandings about how crypto works can lead to costly mistakes. For example, if someone pretends to be a customer service agent who can return lost ETH in exchange for your private keys, they are preying on people not understanding that Ethereum is a decentralized network lacking this kind of functionality. Educating yourself on how Ethereum works is a worthwhile investment.
18
18
19
19
<DocLinkto="/what-is-ethereum/">
20
20
What is Ethereum?
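Review bot: the rewritten paragraph at line 17 drops the glossary link `[private keys](/glossary/#private-key)` that the old line carried and leaves plain "private keys"; this is the reader's first encounter with the term, so keep the link (`in exchange for your [private keys](/glossary/#private-key)`). The tighter wording of the intro paragraph and of this one otherwise reads well.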
@@ -27,19 +27,19 @@ One of the biggest reasons people get scammed in crypto generally is a lack of u
27
27
28
28
## Wallet security {#wallet-security}
29
29
30
-
### Don't give out your recovery phrase {#protect-recovery-phrase}
30
+
### Don't give out your private keys {#protect-private-keys}
31
31
32
-
**Never, for any reason, share your recovery phrase!**
32
+
**Never, for any reason, share your private keys!**
33
33
34
-
The recovery phrase to your wallet acts as a password to your Ethereum wallet. It is the only thing stopping someone who knows your wallet address from draining your account of all of its assets!
34
+
The private key to your wallet is a password to your Ethereum wallet. It is the only thing stopping someone who knows your wallet address from draining your account of all of its assets!
35
35
36
36
<DocLinkto="/wallets/">
37
37
What's an Ethereum wallet?
38
38
</DocLink>
39
39
40
-
#### Don't take screenshots of your recovery phrase {#screenshot-recovery-phrase}
40
+
#### Don't take screenshots of your seed phrases/private keys {#screenshot-private-keys}
41
41
42
-
By screenshotting your recovery phrase, you risk syncing them to the cloud and potentially making them accessible to hackers. Obtaining the recovery phrase from the cloud is a common attack vector for hackers.
42
+
Screenshotting your seed phrases or private keys might sync them to a cloud data provider, which could make them accessible to hackers. Obtaining private keys from the cloud is a common attack vector for hackers.
43
43
44
44
### Use a hardware wallet {#use-hardware-wallet}
45
45
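Review bot: renaming the heading anchors `{#protect-recovery-phrase}` to `{#protect-private-keys}` and `{#screenshot-recovery-phrase}` to `{#screenshot-private-keys}` breaks every existing inbound link and bookmark to these sections; either keep the old ids or record the redirect in the PR description. Terminology is also inconsistent within the hunk: the H3 and the bold warning now say "private keys" only, the H4 says "seed phrases/private keys", and the unchanged text later in the file still says "seed phrase". Most user wallets are restored from a recovery phrase that derives every key, so the new line 34, which also doubles "to your wallet", would be clearer as "Your private key (or the recovery phrase that generates it) acts as the password to your Ethereum wallet."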
@@ -54,10 +54,10 @@ Keeping private keys offline massively reduces the risk of being hacked, even if
54
54
55
55
### Double check transactions before sending {#double-check-transactions}
56
56
57
-
Accidentally sending crypto to the wrong wallet address is a common mistake. **A transaction sent on Ethereum is irreversible.** Unless you know the address owner and can convince them to send you your fund back, there will be no way for you to retrieve your funds.
57
+
Accidentally sending crypto to the wrong wallet address is a common mistake. **A transaction sent on Ethereum is irreversible.** Unless you know the address owner and can convince them to send you your fund back, you will not be able to retrieve your funds.
58
58
59
59
Always make sure the address you are sending to exactly matches the desired recipient's address before sending a transaction.
60
-
It is also recommended when interacting with a [smart contract](/glossary/#smart-contract) to read the transaction message before signing.
60
+
It is good practice when interacting with a smart contract to read the transaction message before signing.
61
61
62
62
### Set smart contract spend limits {#spend-limits}
63
63
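Review bot: line 60 loses the glossary link `[smart contract](/glossary/#smart-contract)` in the rewrite; keep it unless link removal is deliberate. While line 57 is being touched, "send you your fund back" should become "send your funds back"; the typo survives in both versions.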
@@ -71,7 +71,7 @@ Many Ethereum wallets offer limits protection to safeguard against accounts bein
71
71
72
72
## Common scams {#common-scams}
73
73
74
-
Scammers are always looking for ways to take your funds off you. It is impossible to stop scammers completely, but we can make them less effective by being aware of the most techniques used. There are many variations of these scams, but they generally follow the same high-level patterns. If nothing else, remember:
74
+
It is impossible to stop scammers completely, but we can make them less effective by being aware of their most used techniques. There are many variations of these scams, but they generally follow the same high-level patterns. If nothing else, remember:
75
75
76
76
- always be skeptical
77
77
- no one is going to give you free or discounted ETH
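Review bot: "being aware of their most used techniques" is still awkward at line 74; "their most common techniques" reads better. Dropping the opening sentence is fine, since the list that follows carries the same warning.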
@@ -89,9 +89,9 @@ Always check that you are on the right domain, especially after clicking a link.
89
89
90
90
### Giveaway scam {#giveaway}
91
91
92
-
One of the most common scams in cryptocurrency is the giveaway scam. The giveaway scam can take many forms, but the general premise is that if you send ETH to the provided wallet address, you will receive your ETH back but doubled. *For this reason, it is also known as the 2-for-1 scam.*
92
+
One of the most common scams in cryptocurrency is the giveaway scam. The giveaway scam can take many forms, but the general idea is that if you send ETH to the provided wallet address, you will receive your ETH back but doubled. *For this reason, it is also known as the 2-for-1 scam.*
93
93
94
-
These scams usually stipulate a limited time of opportunity to claim the giveaway to encourage poor decision-making and create a false sense of urgency.
94
+
These scams usually stipulate a limited time of opportunity to claim the giveaway to create a false sense of urgency.
95
95
96
96
### Social media hacks {#social-media-hacks}
97
97
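Review bot: "stipulate a limited time of opportunity to claim the giveaway" is clumsy in both versions of line 94; since the line is being edited anyway, suggest "These scams usually impose a short deadline to claim the giveaway, creating a false sense of urgency."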
@@ -131,7 +131,7 @@ As a general rule, staff will never communicate with you through private, unoffi
131
131
132
132
### 'Eth2' token scam {#eth2-token-scam}
133
133
134
-
In the run-up to [The Merge](/roadmap/merge/), scammers took advantage of the confusion around the term 'Eth2' to try and get users to redeem their ETH for an 'ETH2' token. There is no 'ETH2', and no other legitimate token was introduced with The Merge. The ETH that you owned before The Merge is the same ETH now. There is **no need to take any action related to your ETH to account for the switch from [proof-of-work](/glossary/#pow) to [proof-of-stake](/glossary/#pos)**.
134
+
In the run-up to [The Merge](/roadmap/merge/), scammers took advantage of the confusion around the term 'Eth2' to try and get users to redeem their ETH for an 'ETH2' token. There is no 'ETH2', and no other legitimate token was introduced with The Merge. The ETH that you owned before The Merge is the same ETH now. There is **no need to take any action related to your ETH to account for the switch from proof-of-work to proof-of-stake**.
135
135
136
136
Scammers may appear as "support", telling you that if you deposit your ETH, you will receive back 'ETH2'. There is no [official Ethereum support](/community/support/), and there is no new token. Never share your wallet seed phrase with anyone.
137
137
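Review bot: this hunk removes the `[proof-of-work](/glossary/#pow)` and `[proof-of-stake](/glossary/#pos)` glossary links, continuing a pattern across this commit of dropping glossary links without a stated reason; the commit message should say whether the links are being removed intentionally and why, otherwise reviewers cannot tell a style choice from an accidental loss of navigation.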
@@ -153,19 +153,19 @@ If you receive an email from an unknown sender, remember:
153
153
154
154
### Crypto trading broker scams {#broker-scams}
155
155
156
-
Scam crypto trading brokers claim to be specialist cryptocurrency brokers who will offer to take your money and invest it on your behalf. The promises of unrealistic returns usually accompany this offer. After the scammer receives your funds, they may lead you on, asking that you send more funds, so you don't miss out on further investment gains, or they may disappear entirely.
156
+
Scam crypto trading brokers claim to be specialist cryptocurrency brokers who will offer to take your money and invest on your behalf. After the scammer receives your funds, they may lead you on, asking that you send more funds, so you don't miss out on further investment gains, or they may disappear entirely.
157
157
158
-
These fraudulent brokers find their targets by using fake accounts on YouTube to start seemingly natural conversations about the broker. These conversations are often highly upvoted to increase legitimacy, but the upvotes are all from bot accounts.
158
+
These fraudsters often find targets by using fake accounts on YouTube to start seemingly natural conversations about the 'broker'. These conversations are often highly upvoted to increase legitimacy, but the upvotes are all from bot accounts.
159
159
160
160
**Do not trust internet strangers to invest on your behalf. You will lose your crypto.**
161
161
162
162

163
163
164
164
### Crypto mining pool scams {#mining-pool-scams}
165
165
166
-
As of September 2022, mining on Ethereum is no longer possible. However, mining pool scams still exist. Mining pool scams involve people contacting you unsolicited and claiming that you can make large returns by joining an Ethereum mining pool. The scammer will make claims and stay in contact with you for however long it takes. Essentially, the scammer will try and convince you that when you join an Ethereum mining pool, your cryptocurrency will be used to create ETH and that you will be paid dividends in the form of ETH. What will end up happening is, you will notice that your cryptocurrency is making small returns. This is simply to bait you into investing more. Eventually, all of your funds will be sent to an unknown address, and the scammer will either disappear or in some cases will continue to stay in touch as has happened in a recent case.
166
+
As of September 2022, mining on Ethereum is no longer possible. However, mining pool scams still exist. Mining pool scams involve people contacting you unsolicited and claiming that you can make large returns by joining an Ethereum mining pool. The scammer will make claims and stay in contact with you for however long it takes. Essentially, the scammer will try to convince you that when you join an Ethereum mining pool, your cryptocurrency will be used to create ETH and that you will be paid ETH dividends. You will then see that your cryptocurrency is making small returns. This is simply to bait you into investing more. Eventually, all of your funds will be sent to an unknown address, and the scammer will either disappear or in some cases will continue to stay in touch as has happened in a recent case.
167
167
168
-
Bottom line, be wary of people who contact you on social media asking for you to be part of a mining pool. Once you lose your crypto, it is gone.
168
+
Bottom line: be wary of people who contact you on social media asking for you to be part of a mining pool. Once you lose your crypto, it is gone.
169
169
170
170
Some things to remember:
171
171
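Review bot: the rewrite of line 156 drops "The promises of unrealistic returns usually accompany this offer", which is the one concrete warning sign readers can use to recognise this scam; keep it, for example "...invest on your behalf, usually with promises of unrealistic returns." Separately, "as has happened in a recent case" at line 166 is undated and unreferenced in both versions; either cite the case or cut the clause.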
@@ -177,7 +177,7 @@ Some things to remember:
177
177
178
178
### Airdrop scams {#airdrop-scams}
179
179
180
-
Airdrop scams involve a scam project airdropping an asset ([NFT](/glossary/#nft), token) into your wallet and sending you to a scam website to claim the airdropped asset. You will get prompted to sign in with your Ethereum wallet and "approve" a transaction when attempting to claim. This transaction compromises your account by sending your public and private keys to the scammer. An alternative form of this scam may have you confirm a transaction that sends funds to the scammer's account.
180
+
Airdrop scams involve a scam project airdropping an asset (NFT, token) into your wallet and sending you to a scam website to claim the airdropped asset. You will get prompted to sign in with your Ethereum wallet and "approve" a transaction when attempting to claim. This transaction compromises your account by sending your public and private keys to the scammer. An alternative form of this scam may have you confirm a transaction that sends funds to the scammer's account.
181
181
182
182
[More on airdrop scams](https://www.youtube.com/watch?v=LLL_nQp1lGk)
183
183
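Review bot: the retained sentence "This transaction compromises your account by sending your public and private keys to the scammer" describes the wrong mechanism: signing a transaction in a wallet never transmits the private key. The "approve" transaction in this scam grants the scammer's contract permission to spend the wallet's tokens (or, in the variant named in the next sentence, transfers funds outright). Since line 180 is already being rewritten, suggest "This transaction compromises your account by granting the scammer's contract permission to move your tokens."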
@@ -187,30 +187,30 @@ Airdrop scams involve a scam project airdropping an asset ([NFT](/glossary/#nft)
187
187
188
188
### Use strong passwords {#use-strong-passwords}
189
189
190
-
[Over 80% of account hacks are a result of weak or stolen passwords](https://cloudnine.com/ediscoverydaily/electronic-discovery/80-percent-hacking-related-breaches-related-password-issues-cybersecurity-trends/). A long combination of characters, numbers and symbols is best to keep your accounts secure.
190
+
[Over 80% of account hacks are a result of weak or stolen passwords](https://cloudnine.com/ediscoverydaily/electronic-discovery/80-percent-hacking-related-breaches-related-password-issues-cybersecurity-trends/). A long combination of characters, numbers and symbols will help keep your accounts secure.
191
191
192
-
A common mistake individuals make is using a combination of two to three common, related dictionary words. Passwords like this are insecure because they are prone to a simple hacking technique known as a dictionary attack.
192
+
A common mistake is using a combination of a few common, related words. Passwords like this are insecure because they are prone to a hacking technique called dictionary attack.
193
193
194
194
```md
195
195
Example of a weak password: CuteFluffyKittens!
196
196
197
197
Example of a strong password: ymv\*azu.EAC8eyp8umf
198
198
```
199
199
200
-
Another common mistake is using passwords that can be easily guessed or found out through [social engineering](<https://wikipedia.org/wiki/Social_engineering_(security)>). Including your mother's maiden name, the names of your children or pets, or dates of birth in your password is not secure and will increase the risk of your password getting hacked.
200
+
Another common mistake is using passwords that can be easily guessed or discovered through [social engineering](<https://wikipedia.org/wiki/Social_engineering_(security)>). Including your mother's maiden name, the names of your children or pets, or dates of birth in your password will increase the risk of getting hacked.
201
201
202
202
#### Good password practices: {#good-password-practices}
203
203
204
204
- Make passwords as long as allowed by either your password generator or the form you're filling out
205
205
- Use a mixture of uppercase, lowercase, numbers and symbols
206
206
- Don't use personal details, such as family names, in your password
207
-
- Avoid common dictionary words
207
+
- Avoid common words
208
208
209
209
[More on creating strong passwords](https://terranovasecurity.com/how-to-create-a-strong-password-in-7-easy-steps/)
210
210
211
211
### Use unique passwords for everything {#use-unique-passwords}
212
212
213
-
A strong password doesn't provide as much protection if the password is revealed in a data breach. The website [Have I Been Pwned](https://haveibeenpwned.com) allows you to check if your accounts were involved in any data breaches stored in their database. If they have, **you should change pwned passwords immediately**. Using unique passwords for every account lowers the risk of hackers getting access to all of your accounts when one of your passwords is compromised.
213
+
A strong password that has been revealed in a data breach is no longer a strong password. The website [Have I Been Pwned](https://haveibeenpwned.com) allows you to check if your accounts were involved in any public data breaches. If they have, **change those passwords immediately**. Using unique passwords for every account lowers the risk of hackers getting access to all of your accounts if one of your passwords is compromised.
214
214
215
215
### Use a password manager {#use-password-manager}
216
216
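Review bot: line 192 is missing an article: "a hacking technique called a dictionary attack". In the unchanged example block, `ymv\*azu.EAC8eyp8umf` sits inside a fenced code block, where the backslash is rendered literally, so the example password shows a stray `\`; drop the backslash. The password-guidance changes themselves are fine.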
@@ -233,13 +233,13 @@ Remembering strong, unique passwords for every account you have isn't ideal. A p
233
233
234
234
### Use Two-Factor Authentication {#two-factor-authentication}
235
235
236
-
To prove you are actually you, there are different unique proofs that can be used for authentication. These are known as **factors** and the three main factors are:
236
+
You may sometimes be asked to authenticate your identity through unique proofs. These are known as **factors**. The three main factors are:
237
237
238
238
- Something you know (such as a password or security question)
239
239
- Something you are (such as a fingerprint or iris/facial scanner)
240
240
- Something you own (a security key or authentication app on your phone)
241
241
242
-
Using **Two-Factor Authentication (2FA)** provides an additional *security factor* for your online accounts so that knowing your password alone (something you know) is not enough to access an account. Most commonly, the second factor is a randomized 6-digit code, known as a **time-based one-time password (TOTP)**, that you can access through an authenticator app such as Google Authenticator or Authy. These work as a "something you own" factor because the seed that generates the timed code is stored on your device.
242
+
Using **Two-Factor Authentication (2FA)** provides an additional *security factor* for your online accounts. 2FA ensures that merely having your password is not enough to access an account. Most commonly, the second factor is a randomized 6-digit code, known as a **time-based one-time password (TOTP)**, that you can access through an authenticator app such as Google Authenticator or Authy. These work as a "something you own" factor because the seed that generates the timed code is stored on your device.
243
243
244
244
<InfoBanneremoji=":lock:">
245
245
<div>
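Review bot: the sentence kept at the end of line 242, "These work as a 'something you own' factor because the seed that generates the timed code is stored on your device", needs a caveat now that the line is being rewritten: authenticator apps that back up or sync TOTP seeds to a cloud account (Authy does, and Google Authenticator offers it) weaken the possession property, since the seed then also lives wherever that account is reachable. A clause such as "unless the app syncs the seed to a cloud account" would make the claim accurate. Also, the standard name for the third factor is "something you have" rather than "something you own".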
@@ -257,15 +257,15 @@ Using **Two-Factor Authentication (2FA)** provides an additional *security fa
257
257
258
258
#### Security keys {#security-keys}
259
259
260
-
For those who want to take the next step in 2FA, consider using a security key. Security keys are physical hardware authentication devices that work in the same way as authenticator apps. Using a security key is the most secure way to 2FA. Many of these keys utilize the FIDO Universal 2nd Factor (U2F) standard. [Learn more about FIDO U2F](https://www.yubico.com/authentication-standards/fido-u2f/).
260
+
A security key is a more advanced and secure type of 2FA. Security keys are physical hardware authentication devices that work like authenticator apps. Using a security key is the most secure way to 2FA. Many of these keys utilize the FIDO Universal 2nd Factor (U2F) standard. [Learn more about FIDO U2F](https://www.yubico.com/authentication-standards/fido-u2f/).
Browser extensions like Chrome extensions or Add-ons for Firefox can augment useful browser functionality and improve user experience, but they come with risks. By default, most browser extensions ask for access to 'read and change site data', allowing them to do almost anything with your data. Chrome extensions are always automatically updated, so a previously safe extension may update later to include malicious code. Most browser extensions are not trying to steal your data, but you should be aware that they can.
268
+
Browser extensions, like Chrome extensions or Add-ons for Firefox, can improve browser functionality but also come with risks. By default, most browser extensions ask for access to 'read and change site data', allowing them to do almost anything with your data. Chrome extensions are always automatically updated, so a previously safe extension may update later to include malicious code. Most browser extensions are not trying to steal your data, but you should be aware that they can.
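Review bot: "the most secure way to 2FA" at line 260 uses 2FA as a verb (unchanged from the old line); suggest "the most secure form of 2FA". This hunk also appears truncated in the rendered view: the header announces 15 lines from 257, but only the line 260 change and a line 268 change are visible, and the removed version of line 268 lacks its `-` marker, so the browser-extension change should be rechecked against the raw diff.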