When it comes to high technology, the weak link from a fraudster's point of view is not the technical vulnerabilities that many programmers have worked to eliminate, but the people who use the technology. This kind of deception usually requires no deep technical knowledge, so it is not surprising that it is very common.

What is social engineering

In the context of information security, social engineering is the psychological manipulation of people into performing certain actions or divulging confidential information. The average person can succumb to emotions such as greed, fear or curiosity, which push them into decisions that harm themselves.

According to the threat overview for the first quarter of 2024 from the developers of the Avast antivirus program, 90% of threats are attacks using social engineering. Moreover, such attacks flourish everywhere: from PC to mobile to YouTube. In the world of cryptocurrencies, schemes based on social engineering are, of course, also abundant.

Phishing

The idea of phishing is quite simple: attackers pretend to represent an organization, gain the trust of users and trick them into doing something. As a rule, attackers imitate real accounts and, posing as technical support for example, start communicating with the user.

Let’s say an attacker wants to gain access to the private keys or seed phrases of wallets. He sends an email in the name of Trust Wallet or MetaMask support and asks the unsuspecting victim to send this data under a convincing pretext. If the victim does so, the attacker immediately gains access to the wallet.
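The following Python example is added here and is not part of the original article: it flags the support-impersonation email described above by comparing the brand named in the From display name with the sender's domain and by looking for a request for wallet secrets. The brand-to-domain map, the function name `check_message` and the two sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains each brand really sends mail from; verify before relying on this.
BRAND_DOMAINS = {
    "metamask": {"metamask.io"},
    "trust wallet": {"trustwallet.com"},
}

# Secrets that no genuine support desk needs to be sent.
SECRET_REQUEST = re.compile(
    r"\b(seed phrase|recovery phrase|secret phrase|mnemonic|private key)\b",
    re.IGNORECASE,
)

def check_message(raw):
    """Return the reasons a raw email looks like wallet-support phishing."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    for brand, domains in BRAND_DOMAINS.items():
        trusted = any(domain == d or domain.endswith("." + d) for d in domains)
        if brand in display.lower() and not trusted:
            reasons.append(f"display name claims {brand!r}, sender domain is {domain!r}")
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""  # single-part text only
    if SECRET_REQUEST.search(msg.get("Subject", "") + "\n" + body):
        reasons.append("asks for a seed phrase or private key")
    return reasons

# Constructed sample messages (not real mail).
PHISH = (
    "From: MetaMask Support <help@metamask-support.example>\n"
    "Subject: Action required: wallet verification\n"
    "\n"
    "Your wallet will be suspended. Reply with your 12-word seed phrase.\n"
)
LEGIT = (
    "From: MetaMask <news@metamask.io>\n"
    "Subject: Release notes\n"
    "\n"
    "This month's update improves transaction previews.\n"
)

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, check_message(raw))
```

A display name is free text chosen by the sender, so the domain comparison only catches careless impersonation; the request for a seed phrase or private key is the stronger signal.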

Baiting

Baiting (from the English word “bait”) uses false promises to play on the greed or curiosity of the victim. A typical example: a mass mailing to company employees of emails that supposedly contain information about salary increases, a holiday calendar, job offers, and so on. Victims open an infected file, which automatically installs malware.

Quid Pro Quo

A quid pro quo attack (Latin for “something for something”) is when scammers request private data in exchange for some kind of service. For example, an attacker may promise a reward or offer to participate in research in exchange for the data he needs. Fraudsters may also pose as technical support, expressing a willingness to help with a problem in exchange for personal information or other sensitive data. This differs from phishing in that the attacker appears to be offering some kind of service.

Pretexting

The name comes from the word “pretext”, meaning a made-up reason or excuse. Accordingly, in this scheme, an attacker uses a plausible pretext to try to steal data or cryptocurrency from the user. Fraudsters, as a rule, pretend to be a trusted person, for example an employee of a bank, a tax authority or a law enforcement agency.

Scareware

Scareware, which can be roughly translated as “scare software,” is a scheme where a scammer scares victims into believing they are in serious danger. Victims are expected to click a button to either remove the virus, download “special” software that will deal with the virus, or contact someone who can help get rid of the problem. In any case, if the victim follows the “scaremongers”, nothing good will come of it.

How to protect yourself from such attacks

First, remember that the private key or seed phrase must never be shared with anyone. Secondly, general knowledge about social engineering attacks will also help you stay on guard. More generally, in the world of cryptocurrencies it is extremely important to understand what things are and how they work. General online safety rules will also help: do not open suspicious files, do not follow dubious links, and use antivirus software.

Finally, more sophisticated attacks rely on a “personal” approach, where attackers collect information about the victim to make it easier to gain their trust. In this case, you should, firstly, take a more responsible approach to your digital footprint and not publicly disclose your data. Secondly, you should watch out for leaks – today, user data often becomes available due to leaks from various services.

Example of a successful attack

Axie Infinity, built on the Ronin Network’s Ethereum sidechain, was a fairly successful Play-to-Earn project. On March 23, 2022, hackers stole 173,600 ETH (about $591.2 million) from accounts associated with the game. It was all due to a fake job offer on LinkedIn. The hackers pulled off the heist by sending an infected PDF file to one of the project’s employees. The employee thought he was accepting a high-paying job at another company, which did not actually exist. According to the US government, the North Korean hacker group Lazarus was behind the attack.

Conclusion

The world of cryptocurrencies has its own specifics, and these also shape the schemes based on social engineering. Most attacks will likely be aimed at extorting cryptocurrency or gaining access to users’ private keys and emptying their crypto wallets. The situation is aggravated by the fact that transactions on the blockchain are anonymous and irreversible, and therefore it will be especially difficult for a victim of fraud to get their funds back.

On the other hand, much in the world of cryptocurrencies depends on the user himself, and this can be good: if he stores his keys securely and does not sacrifice security in pursuit of convenience, then he himself can act as the guarantor of his security. He doesn’t have to worry that, for example, his bank will leak his data. Yes, this brings many difficulties: for example, you cannot trust exchanges and you need to store crypto in cold wallets. But it allows a person to have complete control over their funds, and in the modern world that is already a lot.