5 Types of Social Engineering Attacks in Crypto and How to Prevent Them
With the boom in cryptocurrency, NFTs, and Web3 technologies, scammers continuously find new ways to exploit people’s trust and naiveté. Crypto users must stay vigilant and educated on the latest attack methods to protect themselves from financial losses.
Phishing is a social engineering technique that malicious actors use to steal confidential information or cryptocurrency holdings from users.
CertiK’s quarterly report found that phishing attacks rose by 170% in the second quarter of 2022. Corroborating this trend, Cisco Talos’ intelligence group predicted that social engineering methods such as phishing would dominate Web3 and the metaverse in the coming years.
What is a Social Engineering attack?
Social engineering in crypto is a method of manipulating people into revealing information or taking actions that compromise their wallets, accounts, or the projects they work for. It exploits people’s trust, naiveté, and willingness to believe what they are told.
Social engineering attacks usually consist of two fundamental stages. First, the attacker researches the target to gather background information, such as potential entry points and weak security procedures, needed to carry out the attack.
Then they work on winning the victim’s trust before prompting actions that break safety practices, such as disclosing confidential details or granting access to critical resources.
Social engineering can also involve:
- Impersonating an authority figure
- Creating false urgency
- Offering rewards
- Using social media platforms to spread misinformation.
Social engineering is a particularly dangerous form of attack because it relies on human error rather than vulnerabilities in software or systems. A mistake by a legitimate user is harder to predict and harder to spot than malware, so these attacks can be harder to defend against and prevent.
How does Social Engineering work?
Social engineering attacks are surprisingly simple: all the attacker has to do is convince an unsuspecting, rushed, or trusting individual to follow their instructions.
In one of the most notorious social engineering attacks, in July 2020, attackers phoned Twitter employees and talked them into granting access to internal account-support tools. They then hijacked prominent accounts, including those of Joe Biden, Elon Musk, Bill Gates, and Kanye West, to trick their many followers into sending Bitcoin directly to the attackers’ wallets.
These attacks are shockingly easy to execute and follow a similar pattern:
- Prepare: research and select targets who have what the attacker is after.
- Infiltrate: form a relationship with the victim and build trust.
- Attack: exploit that trust once it is established.
- Retreat: withdraw once the victim has taken the desired action.
This process could be a simple email exchange or even an extended series of conversations taking place over social media. In the end, however, it could lead to you taking some action — whether that be sharing your personal data with someone else or exposing yourself to malicious software.
Types of Social Engineering
Phishing Attack
These are malicious emails or text messages which are created to look like legitimate emails from reputable companies. The idea is for the hacker to fool you into believing that they’re actually a trusted source, convincing you to give away sensitive information such as passwords and credit card numbers.
Phishing attacks come in two main forms:
- Spam Phishing: Mass emails or messages sent to as many people as possible, in the hope that someone falls for them.
- Spear Phishing: Targeted attacks in which the attacker takes the time to learn as much as possible about a specific victim in order to craft a believable message. These campaigns are often aimed at prominent individuals such as celebrities, top-level executives, and influential political figures.
Baiting Attacks
Baiting attacks are the least common type of social engineering. They rely on people’s curiosity, luring victims in with the offer of a freebie.
In these cases, attackers leave USB drives or CDs around public places such as offices and universities. The idea is that someone will find one, pick it up, and plug it into their computer. Unbeknownst to the victim, the storage device carries malicious software that infects and compromises their system.
Also, be wary of email attachments with free offers or purported “free” software — they may be fraudulent or detrimental to your computer safety!
Quid Pro Quo
A Quid Pro Quo attack is a variant of baiting in which malicious actors offer something to their victims in exchange for confidential data. The Latin phrase “Quid Pro Quo” translates to “Something for Something,” and that is precisely how these attacks work.
Attackers provide an item or service as bait and then demand sensitive information when it comes time to fulfill the promise. By disguising their intent under the guise of generosity, cybercriminals can trick people out of vital details without arousing suspicion.
For example, a hacker could offer to fix a computer issue in exchange for the victim’s email address and password. The unsuspecting user would give away their personal information without realizing who they are giving it to.
By creating the illusion of a valuable reward that requires minimal investment on your part, attackers can easily take advantage of you. Unfortunately, there is no benefit to you in this case; all it leaves behind is stolen data.
Scareware
Scareware is a type of malicious software that generates false alarms and notifications. It will often display security warnings or popups telling the victim that their computer has been infected with malware, prompting them to download a virus removal program as a solution.
Once downloaded, the “removal tool” turns out to be malware itself, allowing the hacker to gain access to your personal data. It manipulates you into purchasing bogus cybersecurity software or revealing confidential details such as your login credentials.
Pretexting
Pretexting is another common type of social engineering attack. It involves creating a false scenario, or “pretext,” in order to coax someone into disclosing sensitive information.
With this method, the attacker has to work much harder to convince you that they are genuine. Once they have your trust, the exploitation can begin. For example, an attacker may phone a bank’s customers while pretending to be a bank employee and ask them to “verify” their passwords or other personal details. While a phishing email or text is comparatively easy to spot, these calls can be much harder to detect and are often successful in obtaining sensitive information.
Who are the main targets of Social Engineering attacks?
The main targets of social engineering attacks are individuals, organizations, and businesses. Individuals who are vulnerable to these attacks may include high-profile executives, celebrities, or people with access to classified information.
Organizations and businesses may also be targeted if they have weak security protocols in place. Additionally, social engineering attacks can extend to government agencies and services that may be vulnerable to exploitation. It is important for all individuals, businesses, and organizations to stay vigilant in order to protect themselves against social engineering attacks.
Younger generations and employees in entry-level positions may be more vulnerable to social engineering attacks because they are often less experienced and knowledgeable about cyber security. Companies should take extra precautions when training these employees to ensure they understand the risks of social engineering.
How to identify most types of Social Engineering attacks
- When you receive a message from an unfamiliar sender, use caution and investigate their email address or social media profiles. It is not uncommon to see suspicious emails using characters that imitate others, such as “torn@example.com” instead of “tom@example.com” (at a glance, the letters “rn” pass for an “m”). Also watch out for fake social media accounts that reuse your friend’s profile picture and other details. Verify who you are dealing with before engaging in online communication.
- Is this message really from my friend? It’s essential to double-check the sender and have them confirm it was actually them who sent the message. Whether they are a coworker or somebody else, reach out to them either in person or over the phone and ask if they legitimately sent you this email or message. They may be unaware that their account has been hacked, or someone might be deceiving others by using their identity on social media accounts.
- If you find yourself on a website that looks strange, take a close look at the URL, the image quality, and the company logos. Check the domain name character by character; a padlock or an HTTPS URL only means the connection is encrypted, not that the site is legitimate, and phishing sites routinely use HTTPS too. Typos or outdated information can also indicate an illegitimate website. If something looks wrong, leave immediately to protect your security.
- Does this offer seem too good to be true? It might appear like an attractive incentive, but offers have been strategically used as a way to execute social engineering attacks. Ask yourself why someone would give you something valuable for no obvious benefits on their part. Carefully consider the risks associated with it since even simple information, such as your email address, can easily be collected and sold to malicious advertisers. Therefore, remain watchful at all times!
- If a link or file name looks peculiar in an email, be wary of the whole communication. Also, investigate any other red flags that may arise from the odd context or timing of when it was sent. Don’t risk opening attachments or links you’re suspicious about — take extra precautions to ensure authenticity and safety!
How to prevent Social engineering attacks
Social engineering attacks can be prevented by following certain steps. These include:
- Never click on links in any emails or messages from unknown sources or even known sources if the content seems suspicious.
- Use multi-factor authentication where available.
- Use strong passwords (and a password manager) to protect your accounts.
- Keep your software and operating system updated, as this can help patch security vulnerabilities.
- Be mindful of what information you put out on social media and other public forums — it could be used for malicious purposes.
- Do not share private information such as the name of your school, your pets, your place of birth, or other personal details that are commonly used in security questions.
- Be very cautious about making friends on the internet.
Conclusion
In conclusion, social engineering schemes are a major threat to organizations and individuals alike. They can be used in many different ways to gain access to sensitive information or resources, with potentially devastating consequences.
Organizations can protect themselves from these malicious activities by implementing strong security policies and procedures, monitoring suspicious activity, and educating employees about the dangers of social engineering schemes.
Additionally, individuals should be aware of the indicators of a potential attack and should exercise caution when providing personal or financial information online. With awareness and good security practices in place, organizations and individuals can help protect themselves from social engineering schemes’ harmful effects.
About Lossless
Restoring trust in web3 security. Lossless incorporates a new layer of blockchain transaction security, protecting projects and their communities from malicious exploits and associated financial loss.
Lossless protocol implements an additional layer of blockchain transaction security for ERC-20 standard tokens, mitigating the financial impact of smart contract exploits and private key theft. Lossless protocol utilizes community-driven threat identification tools and a unique stake-based reporting system to identify suspicious transactions, providing real-time protection.