Can some expert here let us newbies know how something like this could have been avoided? Would it be to do a PGP check on every Electrum download we make? Is that sufficient to prevent this from happening?
- Electrum is a low-security wallet in general. It focuses on bleeding-edge features and usability, not absolute security. Store only pocket change there (and on the same computer as Electrum). For storing large amounts, use a hardware wallet.
- The fact that this phishing message was prefixed by "error: error sending transaction" should make one immediately suspicious. If you feel any suspicion about anything, stop and discuss it on the forum or elsewhere.
- When a new update comes out, wait a week or two before installing it. If it's listed as critical, look at various sites such as bitcointalk.org to figure out why it's critical. If in doubt about whether a "critical" update is real, you can just stop using Electrum for a few days and wait for further news.
- Navigate to the site using a bookmark if possible, and use HTTPS.
- Verify the PGP signature when you download it.
- When you run the executable on platforms that support digital signing, make sure that it's signed by "Electrum Technologies GmbH".
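
The PGP check from the list above, as an added example that is not part of the original post: it accepts a download only when gpg reports a valid signature from one pinned fingerprint, because a fake installer signed with some other key in the keyring also verifies as "good". `PINNED_FPR` is a placeholder, the function names are hypothetical, and the sample status lines are constructed.

```python
import subprocess

# Placeholder, not a real key: use the signer's full fingerprint, obtained
# from a source independent of the download page.
PINNED_FPR = "0000 0000 0000 0000 0000  0000 0000 0000 0000 0000"

def signed_by_pinned_key(status_text, pinned_fpr):
    """True only if gpg's status output shows a valid signature made by
    pinned_fpr and no bad, expired-key or revoked-key signature."""
    pinned = "".join(pinned_fpr.split()).upper()
    found = False
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in ("BADSIG", "EXPKEYSIG", "REVKEYSIG"):
            return False
        # VALIDSIG: fields[2] is the signing key's fingerprint, the last
        # field is the primary key's fingerprint.
        if fields[1] == "VALIDSIG" and pinned in (fields[2].upper(),
                                                  fields[-1].upper()):
            found = True
    return found

def verify_download(installer, signature, pinned_fpr=PINNED_FPR):
    """Run gpg on a detached signature and apply the pinned-key check."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature, installer],
        capture_output=True, text=True)
    return signed_by_pinned_key(proc.stdout, pinned_fpr)

# Constructed status lines (not captured from a real release).
_TAIL = " 2024-01-01 1704067200 0 4 0 1 10 00 "
_GOOD = "[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Constructed Signer\n[GNUPG:] VALIDSIG "
SAMPLE_PINNED = _GOOD + "A" * 40 + _TAIL + "A" * 40
SAMPLE_OTHER_KEY = _GOOD + "B" * 40 + _TAIL + "B" * 40
SAMPLE_TAMPERED = "[GNUPG:] BADSIG AAAAAAAAAAAAAAAA Constructed Signer"

if __name__ == "__main__":
    for name, text in (("pinned key", SAMPLE_PINNED),
                       ("other key", SAMPLE_OTHER_KEY),
                       ("tampered", SAMPLE_TAMPERED)):
        print(name, signed_by_pinned_key(text, "A" * 40))
```
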