Top-7 Social Engineering Frauds in Crypto

Social engineering is something that no audit can prevent. Social engineering is hazardous. It relies on human error rather than software and operating systems vulnerabilities. So, what are the most common social engineering techniques hackers use in Web3? What can your project do about them?

Scams based on social engineering are built around how people think and act. As a project manager, you receive a corporate email asking for payment authorization, e.g., paying for the subscription. The email comes from the sales team lead. You authorize the transaction, but it turns out that the email was fake. The scammer got access to the corporate email, and you just sent money to a malicious address. You became a victim of the BEC social engineering attack.

The following are the seven most common forms of digital social engineering assaults.

Phishing

Phishing is the most widespread social engineering attack where scammers trick victims into actions they wouldn’t otherwise perform. In the case of crypto, most phishing attacks are aimed at misleading the user into giving away their private key or authorizing malicious transactions. Because it’s so widespread, there are dozens of phishing scams, including spear phishing, malicious airdrops, fake browser extensions, DNS Hijacking, ice phishing, evil twin attack, and SEO phishing. You can read more about each type in our comprehensive article dedicated to phishing.

Baiting

Baiting attacks use a false promise to exploit the greed and curiosity of the victim. The most reviled form of baiting is mass sending to company employees emails/messengers files “containing” salary increases, holiday calendar, suspicious job offers, etc. Victims pick up the bait out of curiosity and open the infected file, resulting in automatic malware installation.

Scareware

Scareware frightens victims into believing they’re under serious threat. For example, you could receive a message saying that your device has been infected with a critical virus. Mostly, it appears as pop-ups in your browser. Victims are supposed to click on a button to either remove the virus or download software that will deal with the virus. But doing so is what causes the actual malicious software to be installed

Quid Pro Quo (Tech Support Scams)

The most common version of a quid pro quo attack is when scammers pretend to be from the tech department of your organization or other technical service providers of the company. They call or message you with an offer to install programs like corporate time trackers, security tools, etc. Thus, you will install malicious software.

Pretexting

The scammer pretends to need sensitive information from a victim. The attacker usually establishes trust with their victim by impersonating co-workers, tax officials, or other persons with right-to-know authority. The pretexter asks questions that are ostensibly required to confirm the victim’s identity, through which they gather critical personal data.

Business Email Compromise

In a BEC attack, the attacker falsifies an email message to trick the victim into performing some action, such as crypto transfer. BEC attacks are particularly dangerous because they don’t contain malware, malicious links, dangerous email attachments, or other elements an email security filter might identify. Emails in a BEC attack typically have nothing but text, which helps attackers camouflage them within regular email traffic. Usually, an attacker will impersonate someone higher up in the organization to motivate the victim into carrying out the malicious request.

Watering Holes

Hackers try to place malicious code onto a legitimate website. As a result, the visitors of this website fall victim when downloading the code. 

Protecting Assets from Social Engineering Attacks

How can businesses protect their digital assets from the aforementioned social engineering attacks? There are two main approaches: preventive security measures and external professional expertise.

What can Web3 businesses do to themselves:

• Implement security policies inside the organization
• Educate employees on potential risks and due processes
• Monitor your social media channels to identify suspicious activity
• Periodically review and revoke token allowance

The most important rule is that employees never share sensitive information with outsiders. Most Web3 projects have NDA agreements with their employees. In theory, these NDAs would eliminate the risks of leakage, but they rarely have the means to ensure utmost compliance. After all, most crypto businesses are startups that focus all their energy on developing the best product. In this context, having a trusted security partner makes all the difference.

Scammers can target all Web3 businesses, regardless of their segment. Professional security companies like Hacken are here to help. We provide comprehensive anti-phishing service as part of our social engineering package for crypto projects. Our social engineering package includes:

• Social engineering test
• Assess employees’ adherence to corporate security standards
• Identify loopholes in the corporate security infrastructure
• Rapid identification and takedown of phishing domains and fake wallets
• Takedown of suspicious Google ads and malicious social media accounts
• Reporting phishing scams to IC3, Google Safe Browsing, Microsoft, and Google Ads
• Reconnaissance activities to detect flaws in your system

Look at these use cases from our experience, where our social engineering tests helped save clients from the ICO phishing scam and fake social media groups and domains.