Can you explain social engineering?
Social engineering, as it pertains to data protection, is the practice of using psychological manipulation to coerce individuals into revealing sensitive information or carrying out predetermined actions. As a result, the typical individual is susceptible to giving in to destructive impulses driven by emotions like greed, fear, or curiosity.
The creators of the Avast antivirus software report that 90% of threats in the first quarter of 2024 are social engineering attacks. Worse yet, these kinds of attacks are commonplace across all platforms, including YouTube, mobile devices, and personal computers. Naturally, there is no shortage of social engineering-based schemes in the cryptocurrency industry either.
Spear Phishing
Phishing is based on a very simple principle: criminals pose as legitimate businesses in order to trick users into divulging sensitive information. Commonly, attackers will pose as legitimate accounts and initiate contact with the user, pretending to be someone from technical support or another similar department.
Imagine for a second that a hacker is trying to steal seed phrases or private keys from wallets. Under the guise of Trust Wallet or MetaMask support, he emails the unwary victim and requests sensitive information. As soon as she does this, the assailant will have full control of the wallet.
Using a bait
To prey on a victim’s greed or curiosity, baiters use empty promises (the word originates from the English word “bait”). As an example, consider the common practice of sending out mass emails to employees purporting to contain important company news, such as pay raises, holiday schedules, job openings, and more. When victims open malicious files, malware is automatically installed on their computers.
Just for fun
Scammers use a “quid pro quo” (meaning “quid plus quo”) attack when they ask for personal information in return for a service. In order to gain access to sensitive information, an attacker may use enticements like rewards or research participation. Criminals may also pretend to be technical support in order to trick victims into divulging sensitive information by offering to fix their problems. When an attacker pretends to be offering a service, it’s different from phishing.
Using a false name
The term “pretext”—meaning “preposition” in English—is the origin of the name. So, the gist of it is that an attacker tries to get user data or cryptocurrency using a convincing excuse. Typically, con artists will pose as a reliable official, such as a bank, tax, or law enforcement official.
Unsafe Software
The term “scareware,” which means “scare software” in a nutshell, refers to a scam in which the con artist tricks their victims into thinking they are in imminent danger. Clicking a button is supposed to remove the virus, download “special” software to deal with the virus, or get in touch with someone who can help. If the victim gives in to the “scaremongers,” they will only end up worse off.
Methods for avoiding these kinds of assaults
Never tell anyone else your private key or seed phrase. That’s the first rule. A second piece of advice for being vigilant is to familiarize yourself with the basics of social engineering attacks. Knowing what a cryptocurrency is and how it operates is crucial in the cryptocurrency industry. Do not open unknown files, do not click on unknown links, and use antivirus software; these are all general safety rules that can help you stay safe online.
The last kind of attack is the more sophisticated “personal” approach, in which the perpetrator learns as much as possible about the victim in order to win their trust. First and foremost, you need to be more cautious with your online presence and avoid making your data public. Second, keep an eye out for leaks; various services frequently release user data these days.
A case where an attack was successful
One Play-to-Earn initiative that did well was Axie Infinity, which used the Ethereum sidechain from the Ronin Network. Hackers stole 173,600 ETH, or approximately $591.2 million, from game accounts on March 23, 2022. The whole thing started with a LinkedIn scam offering a job. One of their employees was infected with a PDF file that the hackers used to pull off a heist. An imaginary company offered this man a high-paying job, and he foolishly accepted it. The United States government has blamed the attack on the North Korean hacking group Lazarus.
In summary
There are unique aspects to the cryptocurrency industry that necessitate adaptations, such as social engineering-based schemes. The majority of assaults will probably try to steal cryptocurrency by extorting users or by obtaining private keys and then stealing their cryptocurrency wallets. It will be extremely difficult for victims of fraud to get their money back because blockchain transactions are anonymous and irreversible, which makes the situation worse.
Conversely, the user plays a significant role in the cryptocurrency ecosystem, which can be both a blessing and a curse. The user can ensure his own security by keeping his keys in a safe place and refusing to compromise on security for the sake of convenience. Concerns about his bank, for instance, disclosing his information, are unfounded. While this does make many things more complicated—for instance, you can’t put your faith in exchanges and your crypto needs to be stored in cold wallets—it also gives you total control over your money. And this is considered a lot in today’s world.