Learn Crypto Blog

What is social engineering in the crypto space?

Explaining social engineering attacks

Social engineering refers to a manipulation technique that exploits human behaviour and error to obtain sensitive information, access or valuable assets. It is an umbrella term used to describe a wide range of malicious activities accomplished through human interactions. 

These human-hacking scams typically lure unsuspecting users into exposing sensitive information such as personal or financial details, granting access to restricted systems or spreading malware infections.

Such scams revolve around the way humans think and behave. In addition to manipulating human behaviour, perpetrators try to exploit users’ lack of knowledge and digital literacy. In most cases users aren’t aware of certain threats or don’t understand the value of personal data. 

Social engineering attacks typically have one of two main goals: sabotage, meaning disrupting or corrupting data to cause harm, or theft, meaning obtaining valuable assets such as access, confidential data, digital assets or money.

What is social engineering in crypto?

In the context of crypto, hackers may use social engineering tactics to gain unauthorised access to crypto wallets or accounts. Because the digital assets of crypto users are stored in wallets controlled by private keys that must remain confidential, those users are particularly vulnerable to social engineering scams.

Instead of using brute force to gain access to crypto assets, perpetrators use a wide array of techniques that prey on human vulnerabilities. For example, attackers use schemes designed to trick users into revealing private keys through simple methods such as phishing emails: a user could receive a phishing email that impersonates a wallet service or its support staff.

If you are a frequent reader, you probably remember our ‘The most common crypto scams & how to avoid them’ article. Check it out to learn more about fake giveaways and other common scams that affect the crypto community. 

Social engineering tactics are commonly delivered via email, social media platforms, text messages, online communities or malicious websites.

For example, in September 2023 the Ethereum-based decentralised protocol Balancer stated that the platform had regained control of its domain. Balancer further stated that a social engineering attack was responsible for the incident and warned its users to watch out for an illegitimate website.

Potential targets of social engineering attacks

What makes social engineering scams especially dangerous is that they rely on human error. Because social engineering is based on human behaviour and mistakes, it can be difficult to detect: mistakes made by legitimate users during normal interactions are harder to predict than malware-based intrusions.

Even though anyone can become a victim of a social engineering attack, potential victims are typically high-net-worth individuals, high-profile employees, popular online personalities, younger generations and individuals uninformed about cyber security threats.

Social engineering attacks often happen in one or more steps. The malicious actor starts by investigating the potential victim to gather a substantial amount of background information such as weak security protocols or potential points of entry.  

After gathering enough information, the perpetrator goes on to gain the victim’s trust, which can be done in several ways. Social engineering can also involve creating false urgency, impersonating an authority figure or offering rewards.

Basically, social engineering attacks are simple. Using human vulnerabilities as their main weapon, perpetrators only need to convince a victim who is trusting, unsuspecting or rushed to follow their instructions.

Basic psychology and successful crimes

From a psychological point of view, social engineering is basically an immoral application of Cialdini’s 6 principles of persuasion. This psychological theory is typically harmless and commonly used in marketing strategies or social sciences. It highlights a number of human vulnerabilities that characterise each of us. To recognise social engineering attacks, it is important to be aware of these principles. 

These are reciprocity, scarcity, consistency, consensus, sympathy and authoritativeness. Let’s explain them briefly. 

Reciprocity means that humans are inclined to return a favour. By giving something in return we tend to believe that we are being helpful. On the other hand, the principle of scarcity preys on a sense of urgency. If something comes off as limited, we are likely to perceive it as important. 

Consistency refers to our reluctance to back out of choices or commitments we have made, driven by the psychological need to appear in line with our decisions. Additionally, people are inclined to follow the opinion of the majority, so social proof suggesting that something is the most common choice is often interpreted as proof that it is a good one.

That brings us to authoritativeness, which describes our tendency to accept the statements of qualified people as true and safe. Last but not least, attackers sometimes exploit sympathy, because we tend to trust people who are similar to us.

The Coinbase case study

Coinbase’s story provides an example of how sophisticated social engineering attacks can be. One day in early February 2023, several employees received text messages urging them to log in via the provided link. While most employees disregarded this message, one unsuspecting employee clicked the link and entered their login credentials.

The attacker tried several times to gain access to the platform, but because they were unable to provide the Multi-Factor Authentication (MFA) credentials, they were blocked. However, the attacker wasn’t discouraged and called the employee who had clicked on the link.

The attacker claimed to be from the Coinbase corporate IT service and said they needed help. Again, the employee believed the attacker and followed their instructions. Impersonating co-workers is a common tactic social engineers use to get victims to divulge sensitive information. However, thanks to another employee who became suspicious, no funds or confidential information were taken.

This event teaches us a valuable lesson: under the right circumstances, anyone can fall victim to a social engineering scheme. Most attacks are sophisticated and, more importantly, they work.

Common social engineering attacks in the crypto space

Now that it is clear that anyone can become a victim of digital social engineering attacks and that scammers trick victims in many different ways, let's take a look at popular social engineering frauds that affect crypto users.

Phishing attacks

A phishing attack uses malicious emails or messages crafted to mirror legitimate emails from reputable companies. The attacker wants to fool an unsuspecting user into believing the message is legitimate.

When it comes to the crypto space, most phishing scams are aimed at misleading the user to give away their private key or authorise malicious transactions.  

The broad term social engineering attack covers a range of phishing-style scams such as spear phishing, fake browser extensions, ice phishing, malicious airdrops and DNS hijacking.
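The phishing traits described above, a lookalike domain standing in for the real wallet service, a request for a private key or seed phrase, and pressure to act immediately, can be screened for mechanically before a user ever clicks. The following script is an added example written for this article, not code from Learn Crypto or from any wallet provider. The domain allowlist, the brand token, the confusable-letter table, the keyword lists and the three sample messages are all constructed for illustration, and the "last two labels" rule for the registrable domain is a simplification of what a production filter (which would consult the Public Suffix List) does.

```python
"""Heuristic phishing-indicator screen for crypto-themed messages.

Added example, not code from the Learn Crypto article. Every domain,
keyword and message below is constructed for illustration.
"""
import re
import unicodedata
from typing import Optional
from urllib.parse import urlparse

# Constructed allowlist: the only domains the (fictional) wallet service uses.
LEGITIMATE_DOMAINS = {"examplewallet.com"}
# Brand names whose appearance inside any other domain is suspicious.
BRAND_TOKENS = {"examplewallet"}

# Small constructed table of Cyrillic letters that render like Latin ones.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}

# A genuine wallet service or support desk never asks for these.
SECRET_REQUESTS = ("seed phrase", "recovery phrase", "private key", "12 words", "24 words")
# Pressure language that maps to the scarcity/urgency principle.
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "suspended", "locked", "verify now")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def fold_confusables(host: str) -> str:
    """Map lookalike Cyrillic letters to Latin and strip accents, so a
    homoglyph domain compares equal to the genuine one."""
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in host.lower())
    decomposed = unicodedata.normalize("NFKD", folded)
    return "".join(ch for ch in decomposed if ord(ch) < 128)


def registrable_domain(host: str) -> str:
    """Simplification: treat the last two labels as the registrable domain."""
    return ".".join(host.split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host: str) -> Optional[str]:
    """Return an indicator name if the host impersonates an allowlisted
    domain; None if it is the genuine domain (or simply unrelated)."""
    host = host.lower().rstrip(".")
    if host in LEGITIMATE_DOMAINS or any(host.endswith("." + d) for d in LEGITIMATE_DOMAINS):
        return None
    raw = registrable_domain(host)
    folded = registrable_domain(fold_confusables(host))
    for legit in LEGITIMATE_DOMAINS:
        if folded == legit and raw != legit:
            return "homoglyph_domain"
        if levenshtein(raw, legit) <= 2:
            return "typosquat_domain"
    if any(brand in host for brand in BRAND_TOKENS):
        return "brand_in_foreign_domain"
    return None


def assess_message(text: str) -> dict:
    """Collect indicators for one message; the score is simply their count."""
    lowered = text.lower()
    indicators = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        hit = classify_domain(host)
        if hit:
            indicators.append(f"{hit}:{host}")
    if any(term in lowered for term in SECRET_REQUESTS):
        indicators.append("asks_for_wallet_secret")
    if any(term in lowered for term in URGENCY_TERMS):
        indicators.append("urgency_pressure")
    return {"score": len(indicators), "indicators": indicators}


SAMPLE_MESSAGES = [
    # Constructed SMS in the style of the Coinbase case: urgency plus a Cyrillic 'а' in the domain.
    "URGENT: your account will be suspended. Verify now at https://ex\u0430mplewallet.com/login",
    # Constructed support impersonation that asks for the seed phrase outright.
    "Hi, Examplewallet support here. Please confirm your 12 words at https://examplewallet-login.net/restore",
    # Constructed legitimate notification: genuine domain, no secret requested, no pressure.
    "Your March statement is ready in the app: https://examplewallet.com/statements",
]


def run_samples() -> list:
    return [assess_message(m) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for msg, result in zip(SAMPLE_MESSAGES, run_samples()):
        print(f"score={result['score']} indicators={result['indicators']}\n  {msg}\n")
```

The three checks deliberately correspond to the three traits a user is told to look for, so a hit explains itself ("homoglyph_domain:…", "asks_for_wallet_secret", "urgency_pressure") rather than producing an opaque number. A real deployment would extend the allowlist per service, keep the confusables table complete, and treat the score as a prompt for a second look rather than a verdict.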

Quid pro quo attack

Remember the principle of reciprocity? Well, a quid pro quo attack is a type of baiting attempt in which social engineers offer something to victims in exchange for sensitive information. The Latin phrase translates directly to ‘something for something’.

It works like this: attackers provide something, either an item or a service, as bait and then ask for sensitive data when the time comes. Malicious actors disguise their real intent behind a mask of generosity.

For example, scammers could impersonate employees from the IT department of your company or other technical service providers. By offering to install programs such as security tools or corporate tools, they can lead you into revealing sensitive information.

Baiting attacks

Baiting attacks exploit victims’ greed and curiosity. They typically involve a false promise. For example, one of the most notorious forms of baiting is sending employees e-mails about salary increases, job offers or a holiday calendar. Victims take the bait out of curiosity, which results in automatic malware installation.

$37 million: the amount social engineering enabled attackers to steal from the crypto payments provider CoinsPaid after they gained access to an employee’s computer through a fake job offer.

In some cases, malicious actors leave USB drives containing malware in public places such as offices, hoping that someone will pick one up and plug it into their computer.

Pretexting

Pretexting is a common social engineering attack that involves creating a false narrative to gain a victim’s trust and coax them into disclosing sensitive information.  

The scammer typically establishes trust with the potential victim by impersonating co-workers, tax officials or other people with a so-called right-to-know authority. This is in line with the principle of authoritativeness and consensus.  

Once the pretexter has gained the victim’s trust, they ask questions ostensibly required to confirm the victim’s identity, and through those answers they obtain confidential information.

Scareware

Scareware is all about fear and urgency; victims are frightened into believing they are under serious threat. It is a form of malicious software that shows false alarms and notifications displaying security warnings about a supposed malware infection.

However, the alleged removal tool is itself malware, enabling the scammer to gain access to confidential information. Crypto users might encounter scareware scams claiming their crypto wallets have been compromised.

How to prevent social engineering attacks?

To protect your crypto assets, it is important to remain vigilant and proactive by using cold storage, enabling multi-factor authentication and strong passwords, and educating yourself on current security measures.

Another way to remain cautious is to watch for suspicious emails or messages. The more you know about how social engineering and other crypto scams work, the better equipped you are to deal with them.

Keep in mind that social engineering schemes prey on human error and vulnerabilities rather than networks, operating systems or technologies.