Social Engineering Attacks In Crypto And How They Work


As crypto, NFT, and Web3 adoption grows, so does the number of scams occurring in these sectors. Bad actors are finding new ways to trick users into handing over their crypto holdings, NFTs or confidential login details; one of them is phishing, a kind of social engineering attack.

According to the quarterly report of security firm CertiK, the number of phishing attacks has shot up 170 percent in the second quarter of 2022. Another study by Cisco Talos, an intelligence group, predicts that social engineering attacks such as phishing will dominate Web3 and the metaverse in the coming years.

So, what is a social engineering attack?

Social engineering attacks refer to a range of malicious activities where bad actors trick users into making security mistakes or giving away sensitive information. Attackers use impersonation techniques, psychological manipulation and falsified human interactions to gain the trust of targets before making off with their crypto holdings, NFTs or other such assets.

Basically, whenever an attack exploits a human weakness rather than a technical weakness in the system, it is called social engineering.

In the blockchain and crypto space, most of these attacks occur on social platforms such as Discord and Telegram. These platforms don’t have account verification options like Twitter’s, making them more susceptible to such schemes. However, this is not to say that social engineering scams do not happen on other mainstream platforms.

For instance, earlier this month, the British Army’s Twitter and YouTube accounts were breached. The attackers used these profiles to promote fake NFT projects and crypto giveaway schemes to dupe unsuspecting users. In a separate incident, BAYC’s Instagram account was hacked in April 2022. The cybercriminals used the access to share phishing sites that led to the theft of dozens of NFTs worth millions of dollars.

Common types of social engineering attacks:

Bad actors have thought up several different ways to trick users into doling out their digital assets over the internet. This is what makes it difficult to spot such schemes. Fortunately, it is easy to avoid falling for these gimmicks once you know how they work and the various tricks they use. With this in mind, we have rounded up some of the most common types of social engineering attacks prevalent today.

1. Job and investment-related schemes on LinkedIn: Earlier in June, the FBI announced that LinkedIn had emerged as a playground for miscreants carrying out social engineering schemes. Cybercriminals were luring individuals under the pretext of job and investment schemes, eventually draining their crypto wallets. Interestingly, these scammers would start with genuine investment advice to gain the victim’s trust before redirecting them to illicit websites that would wipe their accounts clean.

2. Romance scams on Tinder and other dating platforms: This is another type of social engineering attack that’s becoming popular these days. It’s like the LinkedIn scam; only it uses the romance angle to dupe victims instead of the professional approach. In some cases, the scammers even lend money to their victims, building trust over months of interaction before directing them towards fake crypto trading apps that clean out their wallets.

3. Phishing: A phishing attack tries to exploit human weaknesses such as fear, urgency, and curiosity. It will most likely come via emails or text messages and push the victim into revealing sensitive personal or financial data. A phishing attack may also prompt the user to download a malware-infected attachment or open a malicious website. A typical phishing technique warns a user of a supposed policy violation and asks them to change their passwords by entering security credentials. These messages may appear genuine, but they are not!

For instance, last month, the biggest NFT marketplace OpenSea reported that its email database had been compromised after an employee of a third party turned rogue. It asked customers to be wary of phishing attacks through their emails. Some customers had already taken to social media to report receiving multiple emails that appeared to be phishing attempts.

4. Baiting: In this type of social engineering scheme, the attacker exploits greed or curiosity to steal sensitive data, which can be used to inflict further damage. Baiting usually comes in the form of physical media, such as a flash drive with an automatic malware download. Once the curious finder plugs the device into their computer, the malware is installed, and the miscreants may be able to access crypto wallets and other confidential information.

5. Scareware: This is a social engineering technique that invokes a sense of fear in the victim. The scammers will bombard your device with notifications and pop-ups stating that your device is infected with malware. These alarms would come frequently and offer help by requesting the victims to download anti-malware software. However, clicking on these ads would release actual malware whose sole intention is to steal data from the victim’s system.

6. Pretexting: This is a vile kind of social engineering attack where sensitive personal or financial information is sought by someone impersonating an authoritative figure, such as a cop or a customer service executive of a crypto exchange. Their real objective is to gather the victims’ personal information such as an address, social security number, public and private keys, etc.

How to prevent social engineering attacks?

Social engineering attacks try to exploit human weaknesses such as unguarded curiosity, greed, and fear. Therefore, one can prevent most of these attacks by being alert and sensitive to anything even remotely unusual, especially when it comes to parting with one’s personal or sensitive information.

Here are a few other measures that can help prevent these attacks:

- Use updated anti-malware and anti-virus software
- Don’t open suspicious emails and attachments
- Use multifactor authentication for your applications
- Don’t be tempted by offers that have no good reason behind them

Once the scammer thinks up the scheme and decides to target you, the ball is in your court. If you ignore such attempts, no harm will come your way.

However, if you unknowingly fall victim to such attacks, two-factor authentication along with good anti-malware and anti-virus software could prevent these schemes from being successful.


