There are many ways of tricking crypto wallet owners out of their seed phrases. Malicious actors could send them a fake email, create a fake version of a cryptocurrency service's website, or plant malware on their devices. However, almost all of these schemes have one thing in common: social engineering.
In the context of information security, this refers to manipulating a victim to make them do the fraudster's bidding. Very often, social engineering is all that's required. So how does it work and why?
No unnecessary complications
Social engineering is often deployed as part of complex multi-stage attacks. Sometimes, however, nothing else is needed, and the schemes are so simple that a fraudster of any skill level could use them. The main thing is the ability to pull the wool over the victim's eyes deftly. Below are a couple of approaches where the attacker barely even has to think about the technical side of the scam.
No fake websites are created, and nobody is required to go anywhere. Everything is done through correspondence. The victim receives a letter from the support service of a crypto exchange, wallet, or DeFi project, which describes one of several boilerplate stories. For example, the account has been hacked, and something needs to be done urgently to restore it, such as generating a new seed phrase. The "tech support person" will be very kind and offer to generate it on the victim's behalf, and all they need is the old seed phrase.
People's fear of losing their assets is a crucial point of leverage, but not the only one. Fraudsters can also play on people's desire to simplify various tasks. One of our users came across an aggregator site in a search that promised to connect to any DEX or NFT platform via WalletConnect. The service looked very convenient, but it didn't seem to work. After several attempts to scan a QR code, the service reported a problem on the user's side and said that, to solve it, the user needed to enter their private key or seed phrase. In this case, only the fact that there is no seed phrase in Tangem Wallet saved the user from a grave error.
You shouldn't trust everything that comes up in search engine results. Unfamiliar services must at least be checked using the WHOIS database. If the domain was registered recently and the registration period is short, it's more likely than not that the resource is fraudulent.
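The WHOIS check described above can be scripted. The following is an added example, not code from the original article: it parses raw WHOIS output and flags a domain that is both recently registered and registered for a short period. The thresholds, field labels, function names and sample records are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Assumed thresholds; the article gives no specific numbers.
NEW_DOMAIN_DAYS = 180      # "registered recently"
SHORT_PERIOD_DAYS = 366    # "registration period is short" (about one year)

# Common field labels with ISO-style dates; registries differ, so extend as needed.
CREATED = re.compile(r"^\s*(?:Creation Date|created)\s*:\s*(\S+)", re.I | re.M)
EXPIRES = re.compile(
    r"^\s*(?:Registry Expiry Date|Registrar Registration Expiration Date|paid-till)"
    r"\s*:\s*(\S+)", re.I | re.M)

# Constructed sample records (not real domains).
SAMPLE_NEW = """Domain Name: wallet-aggregator.example
Creation Date: 2024-05-01T10:00:00Z
Registry Expiry Date: 2025-05-01T10:00:00Z"""
SAMPLE_OLD = """Domain Name: long-running-service.example
Creation Date: 2015-03-10T00:00:00Z
Registry Expiry Date: 2030-03-10T00:00:00Z"""
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

def parse_date(value):
    """Parse timestamps such as 2024-05-01T10:00:00Z or 2024-05-01 as UTC-aware."""
    dt = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def assess_whois(whois_text, now=None):
    """Return (verdict, reasons) for raw WHOIS output."""
    now = now or datetime.now(timezone.utc)
    created_m, expires_m = CREATED.search(whois_text), EXPIRES.search(whois_text)
    if not created_m or not expires_m:
        # Redacted or unparsed records are not a pass; check them by hand.
        return "unknown", ["creation or expiry date not found"]
    created = parse_date(created_m.group(1))
    expires = parse_date(expires_m.group(1))
    reasons = []
    if (now - created).days < NEW_DOMAIN_DAYS:
        reasons.append(f"registered {(now - created).days} days ago")
    if (expires - created).days <= SHORT_PERIOD_DAYS:
        reasons.append(f"registered for only {(expires - created).days} days")
    # The article's rule: recent AND short-lived together point to fraud.
    verdict = "suspicious" if len(reasons) == 2 else "review" if reasons else "no red flags"
    return verdict, reasons

if __name__ == "__main__":
    for record in (SAMPLE_NEW, SAMPLE_OLD):
        print(assess_whois(record, SAMPLE_NOW))
```

A "no red flags" result only means these two dates look ordinary; it says nothing about whether the site is trustworthy with a seed phrase.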
In addition to simple scams that require no extraordinary outlay or skills, attackers deploy social engineering in rather complex schemes. They don't scare or threaten their victims; instead, they rely on somebody else's authority to draw attention to their services. Victims who then use them can lose their money or cryptocurrency or be cheated out of their seed phrase. Anything is possible.
Pressure from an authority figure
A popular way of building trust is by using an influencer's persona. The attacker chooses a well-known personality to serve as bait and starts praising some successful project on their behalf. They run ads on popular social networks and video hosting sites. Moderators try to remove this content, but their efforts are insufficient.
In 2020, Steve Wozniak tried to sue YouTube. The co-founder of Apple was outraged that his image was used in fraudulent advertising. He lost, by the way. Little has changed since then, and three years later, adverts depicting Elon Musk encouraging investments in various cryptocurrency projects are still popping up on YouTube.
There is a more expensive way of riding on somebody else's fame – commissioning integrated adverts from famous bloggers. Attackers purchase adverts for non-existent projects, and the bloggers don't even realize they are becoming parties to a scam. The scammers then wait for visitors to flow to their project's website.
The bad friend
There is another way of ingratiating yourself with people using social media. Fraudsters create accounts and run them in the guise of fake experts. They make posts, publish photos, try to add their intended victims as friends and join crypto communities.
The aim is to create the impression that a real person is running the account. When they reach the required number of subscribers, the scammer makes an extremely "profitable" offer to their subscribers. This could involve installing a wallet, registering for a project, or participating in an airdrop.
Most scammers ignore the details when working out their stories. They often purchase "real" social media accounts – for $2–20, depending on the quality – to join relevant groups and start messaging users. These accounts are often very basic, with hardly any information and few posts.
There is always the old-fashioned option of hacking accounts, of course. Fraudsters acquire hacked accounts on instant messengers or social media – or hack them themselves – and start communicating with the people in the contact list while impersonating the actual account owner.
How to protect yourself and your funds
In most instances, the most effective tool scammers use is fear. When it comes to money, rational fear turns into genuine existential horror, plain and simple.
Psychologists have explained this by pointing out that money is the basis of existence, and its loss is even associated with death. All rationality is thrown out of the window, giving way to pure survival instincts. When you receive a message telling you your funds are at risk, you should take a break and think critically about the situation.
We probably aren't saying anything new here, but it always bears repeating: never give anybody your private key or seed phrase. You should also store your funds in a cold wallet that doesn't require one, such as Tangem Wallet.