Learn how to protect crypto funds from social engineering attacks – manipulative tactics hackers use to trick you into revealing sensitive information.
November 18, 2024 · 5 min read
Cyber attackers don’t always need coding skills to exploit cryptocurrency networks; some use nontechnical, psychological tactics. These “social engineers” manipulate emotions – fear, greed, excitement, and trust, along with urgency and curiosity – to deceive traders and obtain their sensitive information, ultimately stealing their digital assets.
As the cryptocurrency market expands, these social engineering attacks have become more sophisticated and frequent, costing unsuspecting investors billions of dollars annually. In 2022 alone, social engineering attacks in crypto amounted to over $14 billion in losses globally.
In this guide, we’ll explain how social engineering works and offer practical tips for identifying the early warning signs of a scam.
Social engineering is a psychological tactic attackers use to coax individuals into revealing confidential information or compromising security systems. In the crypto space, these malicious actors often trick users into surrendering private keys or login credentials, which they then use to steal funds from wallets or accounts.
Social engineering cybersecurity attacks vary in complexity but usually rely on two key strategies: deception and impersonation. For instance, attackers may send emails or messages that appear to come from trusted platforms like Coinbase, Ledger, or MetaMask. Using the perceived credibility of these brands, they generate a sense of urgency, warning victims that their account is at risk or urging them to act quickly to claim a limited-time crypto airdrop. This pressure often leads individuals to unwittingly compromise their security.
Scammers are constantly evolving their methods, incorporating technologies like artificial intelligence (AI) to refine their social engineering techniques and exploit vulnerabilities more effectively. Although the landscape of attack strategies is ever-changing, certain types of social engineering attacks have become standard in the crypto world. These attacks leverage common human emotions like fear, greed, and urgency, making users more susceptible. Here are some of the most common tactics used by cybercriminals:
Phishing is a common social engineering tactic where attackers send deceptive emails that appear to come from trusted sources like cryptocurrency exchanges, wallet providers, or decentralized finance (DeFi) platforms. These messages often create urgency, instructing recipients to verify account details, claim a limited-time offer, or secure their accounts. Despite looking legitimate, the embedded URLs lead to fake sites designed to steal login credentials or private keys, allowing attackers to access victims’ crypto assets.
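The tell-tale sign described above, a link that looks legitimate but resolves somewhere else, is something a mail gateway or a careful user can check mechanically. The following is an added example (not CoinTracker's code, and not part of the original post) that pulls every link out of an e-mail body and reports common phishing indicators: link text that names one domain while the href points to another, a brand name embedded in an untrusted domain, a raw IP host, plain http, credentials hidden before an `@`, and punycode (IDN) labels. The trusted-domain list and the sample e-mail are constructed for the example; the registrable-domain logic is a simplification that ignores multi-part suffixes such as co.uk.

```python
"""Inspect links in an e-mail body for phishing indicators (added example)."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Demo allowlist of legitimate brand domains (assumption for this example);
# a real deployment would maintain this list from a verified source.
TRUSTED_DOMAINS = {"coinbase.com", "ledger.com", "metamask.io"}
BRAND_WORDS = {"coinbase", "ledger", "metamask"}


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of the host (simplification: ignores suffixes like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_link(href, text):
    """Return the list of phishing indicators for one link (empty = nothing found)."""
    findings = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https"):
        findings.append("non-web scheme: %s" % (parsed.scheme or "<none>"))
        return findings
    if parsed.scheme == "http":
        findings.append("plain http")
    if _is_ip(host):
        findings.append("raw IP address host")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (IDN) host, possible homoglyph domain")
    if "@" in parsed.netloc:
        findings.append("userinfo in URL (host may be hidden after '@')")
    reg = registrable_domain(host)
    # A brand name somewhere in the host while the registrable domain is untrusted
    if any(b in host.lower() for b in BRAND_WORDS) and reg not in TRUSTED_DOMAINS:
        findings.append("brand name in untrusted domain: %s" % host)
    # Visible text that looks like a domain but differs from where the href goes
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and registrable_domain(m.group(1)) != reg:
        findings.append("link text shows %s but href goes to %s" % (m.group(1), host))
    return findings


def inspect_email_html(html):
    """Return {href: [indicators]} for every link with at least one indicator."""
    collector = _LinkCollector()
    collector.feed(html)
    report = {}
    for href, text in collector.links:
        hits = inspect_link(href, text)
        if hits:
            report[href] = hits
    return report


# Constructed sample: a typical "account locked" lure with one genuine link mixed in.
SAMPLE_EMAIL = """
<p>Your Coinbase account has been locked. Verify within 24 hours:</p>
<a href="https://coinbase.com-security-check.example/verify">https://www.coinbase.com/verify</a>
<p>Questions? See <a href="https://help.coinbase.com/">our help center</a>.</p>
<a href="http://203.0.113.7/login">Log in</a>
"""

if __name__ == "__main__":
    for href, hits in inspect_email_html(SAMPLE_EMAIL).items():
        print(href)
        for h in hits:
            print("  -", h)
```

Run on the constructed sample, the first and third links are reported (domain mismatch plus a brand name in an untrusted domain; plain http plus a raw IP host) while the genuine help-center link is not. The checks are deliberately conservative: they flag structure that attackers rely on, not whether a site is actually malicious, so a hit means "inspect before clicking", not "confirmed phish".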
Vishing is a variation of phishing where fraudsters use voice calls or messages to execute social engineering attacks. They pose as legitimate cryptocurrency authorities and contact their victims by phone to manipulate them into revealing sensitive data, often relying on urgency or authority to pressure the victim into compliance.
Another offshoot of phishing, smishing involves using SMS as the mode of communication. Scammers send messages that seem to be from trusted sources, containing a malicious link or a phone number to call. Again, the tactic often relies on creating fear or urgency to trick victims into providing sensitive information without realizing it’s a scam.
Spearphishing uses the same fundamental tactics as phishing but focuses on specific individuals, making the approach more personalized and convincing. Rather than sending mass emails, a spearphisher thoroughly researches their target and customizes messages based on the person's background or recent crypto activities. These tailored details increase the likelihood that the victim will believe the message is legitimate and provide sensitive information. When this type of attack targets high-profile figures in the crypto world, such as CEOs or lead developers, it’s referred to as a “whaling attack.”
Much like animals in the wild return to familiar water holes, people repeatedly visit the same websites. A "watering hole" attack takes advantage of this predictability by identifying frequently visited sites and embedding malicious code into them. Once a target accesses the compromised site, the malware is automatically downloaded onto their device, allowing the attacker to steal personal data or gain unauthorized access.
In tailgating, also called piggybacking, an attacker gains unauthorized access to a restricted area by physically following someone with legitimate access. A tailgater might loiter near the entrance of a cryptocurrency exchange's offices and slip in behind an employee, allowing them to breach secure systems or install malware on internal networks without detection.
Rather than using fear to extract personal information, in a baiting scheme, attackers entice victims with attractive rewards. For example, offers of free crypto prizes or airdrops that seem too good to be true may be baiting schemes orchestrated by social engineers. Baiting can also involve more deceptive methods, such as distributing infected hardware wallets under the guise of providing free cryptocurrency. When victims connect these compromised wallets to their computers, they may unknowingly install malware, compromising their security.
In quid pro quo attacks, social engineers promise something of value in exchange for sensitive information, making their requests appear more credible. Scammers might impersonate representatives from a cryptocurrency exchange, offering technical support in return for a user’s private key or login credentials. Once the user complies, attackers use the acquired data to gain unauthorized access to their accounts, often leading to the theft of digital assets.
In a pretexting attack, scammers focus on building trust before asking for sensitive information. They impersonate someone familiar to the victim, such as a friend, family member, or colleague, creating a false sense of security. Once they've established this trust, they make a seemingly innocent request for personal details, like passwords or account information, under the guise of needing help or completing a routine task.
Impersonation is another social engineering tactic where attackers disguise themselves as trusted individuals or entities, both online and in person. By assuming a false identity, the attacker aims to appear credible and trustworthy, making it easier to deceive the target into divulging confidential information.
The best defense against social engineering attacks is maintaining a skeptical mindset. If something feels off or too good to be true, it probably is.
Beyond skepticism, crypto users can take additional steps to protect themselves:
CoinTracker takes our users’ security seriously. We understand that sharing data like public wallet addresses and exchange API keys can be concerning, which is why we protect these sensitive details with state-of-the-art cybersecurity measures. In addition to adhering to SOC 1 and SOC 2 compliance standards, CoinTracker works with a third-party security firm to conduct annual penetration tests to ensure our systems remain secure and efficient. CoinTracker users also have the ability to delete their account data at any time, ensuring full control over their information.
Get started for free and discover why millions of crypto traders trust CoinTracker’s seamless software for safe and compliant crypto tax reporting.
Disclaimer: This post is informational only and is not intended as tax advice. For tax advice, please consult a tax professional.