Phishing and Social Engineering
tag: [Engineer/Developer, Security Specialist]
In the dynamic and often nebulous realm of web3 and cryptocurrencies, understanding scams and phishing is critical for anyone venturing into this space. Both terms describe deceptive practices but manifest in distinct ways and require different prevention strategies.
Scams
Scams or Rug-Pulls in the context of web3 and cryptocurrencies typically involve fraudulent schemes designed to swindle individuals out of their digital assets. For example, an enticing new project may promise revolutionary technology and unprecedented returns. However, the project developers quickly vanish, leaving investors with worthless tokens and empty promises.
Phishing
Phishing involves masquerading as legitimate entities to deceive individuals. For example, Crypto Drainers are very common these days, where a threat actor will suggest to a user that they may take part of an airdrop by visiting a provided link. Unsuspecting users who click the link are directed to a counterfeit website, where they are asked to authenticate their wallet and sign a transaction in order to take part of the airdrop. Once signed, the threat actor has access to steal funds on the wallet that signed the transaction.
Recognizing and Preventing Phishing Attacks
-
Scrutinize URLs
- Always verify the authenticity of URLs before clicking on links.
-
Be Skeptical
- Be skeptical of offers that seem too good to be true. Never sign a transaction unless you are completely sure exactly what you are signing.
-
Safeguard Information
- Protect private keys, seed phrases, and sensitive information zealously.
-
Two-Factor Authentication (2FA)
- Employ two-factor authentication wherever possible to enhance security.
Check & Remove Token Approvals
There are services available that let you check which smart contracts have approvals to handle funds in your wallet. By regularly checking this and revoking unecessary approvals you can improve your security posture. Unrekt Etherscan Token Approval Checker