There are many ways of tricking crypto wallet owners out of their seed phrases. Malicious actors could send them a fake email, create a fake version of a cryptocurrency services website, or plant malware on their devices. However, almost all of these schemes have one thing in common: social engineering.
In the context of information security, this refers to manipulating a victim to make them do the fraudster's bidding. Very often, social engineering is all that's required. So how does it work and why?
What is social engineering?
Social engineering is the art of manipulating individuals into revealing confidential information or performing certain actions that compromise security. In the crypto space, social engineering tactics are used to trick victims into revealing private keys, sending cryptocurrencies to fraudulent addresses, or installing malware.
Pretending to be an employee and gaining access to personal accounts is a common social engineering tactic cybercriminals use. Social engineering relies on human error and is difficult to detect despite other available exploitation techniques.
Legitimate human errors are more unpredictable than malware-based intrusions that rely on vulnerabilities in software and operating systems. Therefore, social engineering increases a hacker's chances of bypassing security measures since people can be tricked more easily.
How do social engineering attacks work?
Social engineering attacks have two main stages. In the first stage, the attacker investigates their target to gather essential background data such as entry points and security protocols that may be vulnerable.
Before carrying out their malicious activities, scammers try to gain their targets' trust. They do this by providing incentives for actions that go against safe practices, such as disclosing confidential information or granting access to important resources.
Social engineering attacks are surprisingly simple. All a hacker needs to do is convince someone who is busy, unsuspecting, or trusting to follow their instructions. One of the most notorious examples of this attack was when hackers tricked Twitter personnel into giving them access to confidential processes. They then used this access to take over high-profile accounts such as those of Joe Biden, Elon Musk, Bill Gates, and Kanye West and tricked their millions of followers into transferring Bitcoin funds directly to the hackers.
These harmful attacks are shockingly easy to execute, and they usually follow a similar pattern.
The first step is to identify and investigate targets with what the attacker seeks.
Then, they try to infiltrate by building trust and forming a relationship with the victim.
Once trust is established, the attacker will launch the actual attack.
Finally, they will retreat once the victim has taken the desired action.
These attacks can occur through a simple email exchange or a series of conversations on social media. In the end, these attacks can lead to sharing your personal data with someone else or exposing yourself to malicious software.
Types of social engineering attacks
Here's an overview of the common types of social engineering attacks in the crypto space.
1. Phishing attacks
Phishing attacks are harmful emails or text messages that pretend to be legitimate emails from trusted companies. They aim to trick you into thinking that they are real so they can steal sensitive info such as seed phrases and passwords.
Phishing attacks can happen in two ways:
Spam phishing: These are mass emails or messages sent to as many people as possible. The hacker hopes that someone will fall for it.
Spear phishing: These are targeted attacks. Hackers take time to learn as much as they can about their potential victims. They then create believable messages to trick them. They strategically target prominent individuals such as celebrities, top-level executives, and influential political figures.
Pretexting is a social engineering attack where someone creates a fake scenario to trick others into sharing sensitive information. Attackers using this method need to be more convincing to gain trust.
They might call a bank and pretend to be an employee, asking customers to verify their passwords or personal details. These calls are difficult to detect and often successful. While phishing emails or texts are easier to spot, it's essential to be aware of pretexting and how to protect yourself.
3. Baiting attacks
Social engineers use baiting attacks to trick people into infecting their computers with malicious software. These attacks are the least common type of social engineering. The bait is usually a freebie, like a USB or CD left in public places such as offices and universities.
If someone picks them up and plugs them into their computer, the system gets compromised without their knowledge. Be careful with email attachments that offer free software or other freebies. They may harm your computer, so always be cautious.
4. Scareware
Scareware is harmful software that tricks you into believing your computer is infected with malware. It achieves this by displaying false security warnings or pop-ups. These fake warnings encourage you to download a virus removal tool, but once downloaded, the tool turns out to be malware itself.
The criminal behind the scareware then gains access to your data. This software also aims to trick you into purchasing fake cybersecurity software or revealing confidential information, such as your login credentials.
5. Quid Pro Quo
A Quid Pro Quo attack is a social engineering scam where cybercriminals offer something in exchange for personal information. The attackers might use a fake offer to trick people into revealing sensitive details such as email addresses and passwords. They might pose as helpful individuals who claim they can fix a problem with your computer or offer you a service.
But the offer is just bait to get you to give up your private information. This is a dangerous scam because the attacker can use your data for identity theft, fraud, or other malicious activities. Be cautious, and don't give away your personal information to strangers.
Take the new Tangem safety quiz and test how safe you are from social engineering schemes.
Who do social engineering attacks target?
Social engineering attacks target individuals, organizations, and businesses. Individuals at risk of these attacks include high-profile executives, celebrities, or people with access to confidential information. Organizations and businesses may also be targeted if they have inadequate security measures.
Younger generations and newly employed staff may be more at risk of social engineering attacks as they are less experienced and may have less knowledge about cybersecurity. Companies should take extra precautions when training such employees to ensure they are aware of the potential risks of social engineering.
How to identify most types of social engineering attacks
Be cautious when receiving messages from unknown senders. Investigate their email or social media profiles to avoid being scammed by fake accounts. Always research before engaging in online communication.
Always double-check the sender of a message to confirm it was them who sent it. Contact them in person or over the phone to verify their identity. This is particularly important if you suspect their account has been hacked or if someone is pretending to be them on social media.
To ensure legitimacy when browsing a website, check the URL, image quality, and company logos. Typos or outdated information can be red flags. If you suspect a website is illegitimate, leave immediately to protect your security.
Beware of offers that seem too good to be true. They can be a way to execute social engineering attacks. Think twice before giving away your personal information; even your email address can be collected and sold.
Be cautious of suspicious links or file names in emails. Investigate the odd context or timing of the email. Don't risk opening attachments or links you're unsure about. Take extra precautions to ensure safety and authenticity.
Tips for Avoiding Social Engineering Attacks
You can avoid being a victim of social engineering attacks by following these steps:
Do not click links in emails or messages from unknown sources if the content seems suspicious.
Use strong passwords to protect your accounts.
Use multi-factor authentication where available.
Keep your apps and operating systems updated to help patch security vulnerabilities.
Don't share too much information on social media and other public forums.
Do not answer Twitter quizzes asking for private information like the name of your first game, mother's maiden name, pet's name, place of birth, or other personal details.
Social engineering scams that target crypto users
Some social engineering schemes target crypto users, both amateurs and experts.
The Coinbase reset fraud
In February 2024, crypto investigator ZachXBT noticed a social engineering scam dubbed the Coinbase reset scheme. Attackers gathered personal information to trick victims into resetting their Coinbase login details. In one case, a victim lost over 1,400 ETH worth around $4 million. To avoid falling victim to scams, it is recommended to use an extra security key like 2FA, avoid reusing passwords or emails, and be wary of suspicious login requests.
One type of scam which has been lucrative for scammers is Coinbase reset fraud.
Basically scammers gather all of your personal info before spoofing a phone number and calling you in an attempt to social engineer you into resetting your Coinbase login.
Some community members have speculated that the attackers may have insider knowledge of the cryptocurrency exchange, while others believe they may be impersonating Coinbase staff. Interestingly, one scammer reportedly took advantage of another, further demonstrating the vague nature of these criminal activities.
Email scams
Victims of cryptocurrency fraud often receive a letter from the support service of a crypto exchange, wallet, or DeFi project. The letter usually contains one of several boilerplate stories, such as claiming that the victim's account has been hacked and needs urgent restoration.
The fraudster may pose as a "tech support person" and offer to generate a new seed phrase on the victim's behalf. However, the victim is asked to provide the old seed phrase, which is a trap. This type of scam is conducted solely through correspondence and doesn't require the victim to visit any website or location.
Convenient service scam
It is important to note that people's fear of losing their assets is a significant point that fraudsters can exploit. However, it is not the only leverage point. Scammers can take advantage of people's desire to simplify tasks. One of our users recently encountered an aggregator site during their search for a platform that promised to connect to any DeX or NFT platform via WalletConnect.
Although the service was very convenient, it didn't seem to work. After several attempts to scan a QR code, the service reported a problem on the user's side, and to resolve it, the user was asked to enter their private key or seed phrase. Fortunately, in this case, Tangem Wallet saved the user from a potentially grave error since there was no seed phrase.
The expert scam
Another way to gain favor with people is through social media. Scammers may create fake accounts and pose as experts to deceive individuals. They may post content, share photos, attempt to add their targets as friends, and join cryptocurrency communities.
The aim is to create the impression that a real person is running the account. When they reach the required number of subscribers, the scammer makes an extremely "profitable" offer to their subscribers. This could involve installing a wallet, registering for a project, or participating in an airdrop.
Most scammers ignore the details when working out their stories. Depending on the quality, they often purchase "real" social media accounts for as little as $5 to join relevant groups and start messaging users. These accounts are often fundamental, with hardly any information and few posts.
How to protect yourself and your funds
Psychologists have explained that money is the basis of existence, and its loss is even associated with death. All rationality is thrown out of the window, giving way to pure survival instincts. When you receive a message telling you your funds are at risk, you should take a break and think critically about the situation.
We probably aren't saying anything new here, but it always bears repeating: never give anybody your private key or seed phrase. You should also store your funds in a cold wallet that doesn't require one, such as Tangem Wallet.
