What Is Phishing? Tips To Avoid Social Engineering

Is Phishing Social Engineering?

Cryptocurrency users in particular should be on guard because phishing and other social engineering schemes that infiltrate crypto wallets to steal funds, as well as ransomware attacks that demand payment in cryptocurrency, are on the rise. A phishing attack is a common computer-based attack method used to obtain sensitive information like email addresses, private key addresses, mobile phone numbers, and credit card details from an unknowing victim. Phishing attacks most commonly take the form of misleading emails, text messages, or social media posts that can trick people into inadvertently responding with private information, transferring funds to an attacker’s cryptocurrency wallet, or clicking a malicious link that compromises passwords. Phishing attacks can also seek to gain access to systems to install malware.

Without using weaknesses in computer code and network faults to intrude into a system, malicious actors can still exploit human vulnerabilities via social engineering attacks — even with security software and protocols in place. In fact, most cybersecurity attacks involve some form of social engineering. Successful crypto attacks can present attractive rewards for malicious actors, and they are irrevocable.

What Does a Social Engineering Scam Look Like?

In general, social engineering attacks involve direct personal communication or interaction with a potential victim. An attacker might first gather information about an organization and then drill down to an employee with access to sensitive data and passwords. For example, a bad actor might get multiple employees’ schedules, then pose as a vacationing manager asking a subordinate for sensitive information via email. They might also target individuals by mining their social media information or by posing as a colleague requesting sensitive data.

Social engineering attacks rely on psychological tactics. In 2020, the COVID-19 pandemic benefitted attackers who — because of the panic, heightened emotional strain, and urgent need for correct information —  preyed upon people who might have had their guard down. The attackers sent emails that contained data about government programs, vaccine trials, and so on, which in effect installed malware on the victims’ computers as soon as they opened the email messages.  Another common social engineering tactic is to send an email requesting urgent action and specifying dire consequences if the action is not taken — another example of exploiting a human tendency to take rash, and ultimately compromising, actions under duress.

Why Is a Social Engineering Attack “Social?”

Most common social engineering techniques rely on human foibles, like gullibility, naivete, or insecurity. For example, criminals often pose as authority figures like bosses or IT experts, exploiting the tendency for individuals to obey orders. Scammers may also exploit human altruism by pretending to be a person or charity in need. Basic greed can play a central role, too. In some major social engineering scams, attackers have simply bribed employees with money or rewards to divulge sensitive information.

SIM Swap Attacks and Cryptocurrency Users

A SIM Swap attack is just one example of threats that use social engineering techniques — and one with heightened risks to cryptocurrency users. A typical SIM Swap attack involves taking control of a victim’s SIM card, which stores user data, to access a mobile network.

Attackers will first call a cell phone provider impersonating the victim seeking to gain the trust of a mobile carrier representative. They do so by providing information about a victim from online research, like social media accounts, or details divulged by the victim through phishing emails, which can help them bypass security questions such as a current address or mother’s maiden name.

The attacker will then request a new SIM card that allows them to gain control of the victim’s telephone number. Any sensitive data linked to that cell phone would then be available to the attacker, including password reset codes and bank details. Some SIM Swap hackers have tricked and bribed wireless carrier retail employees into running malware on their computers.

Such scams often exploit weaknesses in two-factor authentication (2FA) processes that rely on verification via a text message or a cell phone call. Cryptocurrency wallets that are linked to cell phones are increasingly targeted, as a fraudulent transfer of bitcoin is irreversible and difficult for law enforcement agencies to track and seize.

Though SIM card attacks continue to rise, lawmakers are urging stronger action from U.S. mobile carriers to better protect their consumers. A number of high profile SIM Swap attacks affecting cryptocurrency holders have also led to litigation against major mobile carriers. In response, personal security measures, like hardware wallet private key backups, can mitigate risks to cryptocurrency users posed by SIM Swap attacks.