A few tips to keep your digital assets safe by avoiding Social Engineering.
When RugZombie started, the DeFi world was plagued by security incidents, mostly of the rug-pull variety. Unfortunately, the world has barely changed. With the recent attacks on OpenSea and Bored Ape, and the turmoil around top crypto assets (RIP Luna/UST), we wanted to put out a friendly Horde Reminder on the most common attack vector and how to protect your assets from it.
Social Engineering — The #1 Threat to Your Wallet
Nearly all "scams" and exploits trace back to a human element, in what is called "social engineering". For this reason, protecting yourself from these basic attack vectors goes a long way toward beefing up your crypto security and preventing most threats. Obviously it doesn't cover everything, but given the commonly cited figure that 98% of scams involve social engineering, it doesn't hurt to address it.
But let’s focus on the common “crypto” forms of this threat.
OpenSea and Bored Ape both recently fell prey to social engineering attacks, from phishing emails to hijacked social media accounts. The strategy is simple yet devious: convince a user (you) to hand over a secret, a signature, or an approval that lets the attacker act as you. Seeing notable projects being threatened makes it clear that even DeFi power users need a reminder every now and again.
You have probably seen the following:
- "Help desk support" messages masquerading as official support. Typically they send unverified links to "log in and connect your wallet", or ask you to give up your seed phrase. These usually arrive as unrequested direct messages.
- Phishing from hijacked authority accounts (Instagram, Twitter, Medium, etc.) that then ask you to follow prompts and hand over information, usually on unsafe sites.
- Public posts that include a seed phrase and the "balance" of a wallet; a scammer posts this pretending to take "revenge" on an ex by exposing their wallet, and waits for you to take the bait. The wallet typically holds tokens but no native coin to pay gas, so whatever you send in to cover the fee is swept out by a bot.
- Straight-up begging via Discord or Telegram, asking for just a few bucks because of whatever awful situation the scammer claims to be in.
- Dusting attacks that drop a large balance of a fake token into your wallet; trying to sell or transfer it leads you to a site or contract that asks for an approval, which is then used to drain your wallet.
A Few Rules of Thumb
While the list could go on, these are a few of the social engineering attacks responsible for hoodwinking unsuspecting victims. All of them boil down to one thing: the scammer is playing on your greed, curiosity, or generosity. Want to avoid such a fate? Here are 10 simple rules to live (and die) by.
- Never ever ever ever ever ever ever ever ever EVER EVER give out your seed phrase. To anyone. Ever. For any reason. Your seed phrase is the ONLY password anyone in the world needs to have complete, unmitigated access to your assets. No one can help you by using your seed phrase; no one needs it except you and you alone. Don't give it out. No website or support member would ever need it.
- Do not store your seed phrase online. This may be controversial, but storing your seed phrase in a centralized database (even a password manager) creates an attack possibility: if an attacker gets hold of your master password, they can skim and download every seed phrase you have stored there. If you do intend to store it online, password-protect and encrypt the file individually for extra security.
- Use a hardware wallet. This one is kind of industry standard for crypto: hardware wallets are generally better secured than mobile/hot wallets such as MetaMask, because the private key never leaves the device and every transaction must be confirmed on its screen. Read what the device shows before you approve; that screen is your defense against a compromised browser altering what you sign. Maybe go the extra mile and get a Faraday bag to keep your hardware wallet protected.
- Save contract addresses, token addresses, and URLs for sites you frequent. Saving contract addresses in MetaMask helps ensure you won't be duped the next time you browse OpenSea. If you don't recognize the contract address you are interacting with, reject the request and verify before you proceed.
- Never touch tokens that you did not personally add to your wallet. Don't be fooled by mysterious airdrops; they are probably scams, and even if they aren't, they aren't worth much.
- Use block explorers and other trusted sites to remove approvals you have granted to contracts. A trusted allowance checker many use is Unrekt; the author prefers the block explorer (bscscan.com, for example). Periodically flushing your allowances, especially unlimited ones, protects you from unexpected malicious changes to a contract you once approved. Each revocation is a transaction and costs gas, so budget for it.
- If someone asks you for money, or gives you their seed phrase, don't take the bait. They could legitimately be asking for gas money, but more likely they have asked 50 people and are trying to scam a few hundred dollars out of charitable and generous people. If someone offers their seed phrase, they are setting you up to transfer funds into their wallet so they can immediately siphon them out.
- Use wallet trackers like Wallet Now to monitor your assets in near real time, so you notice an unexpected balance change quickly.
- Don’t respond to messages you don’t recognize. It can be tempting to “tell off” the scammer who reaches out via telegram, but honestly, the more we ignore these, the lower the batting average for scammers overall. Collectively, we may be able to render these messages completely pointless by ignoring them and sidestep most of the problems above. Personally, the author has set all messages in chat systems to automatically go to spam, and he sleeps great at night.
- Use a 2FA method that DOES NOT rely on your telephone number. SMS 2FA can be defeated by SIM swapping. Stick with a trusted authenticator app, or use a hardware device like a YubiKey.
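The "save contract addresses" and "flush your allowances" rules above come down to one habit: know what a sign request does before you approve it. The following decoder is an added example for this article (it is not RugZombie's code or part of any wallet) that pulls the function and arguments out of ERC-20 calldata, flags an unlimited `approve()` or a spender/contract missing from your saved address book, and builds the `approve(spender, 0)` calldata used to revoke an allowance. The function selectors are the standard ERC-20 ones; the address-book entries and the sample calldata are constructed placeholders, not real deployments.

```python
"""Decode ERC-20 calldata a wallet asks you to sign and flag the risky cases.

Added example, not code from the RugZombie article. Selectors are the standard
ERC-20 ones (first 4 bytes of keccak256 of the signature). The address book and
the sample request in main() are constructed for illustration only.
"""

# Standard ERC-20 function selectors and their argument types.
SELECTORS = {
    "095ea7b3": ("approve", ("address", "uint256")),
    "a9059cbb": ("transfer", ("address", "uint256")),
    "23b872dd": ("transferFrom", ("address", "address", "uint256")),
}
UNLIMITED = 2**256 - 1  # what most dApps request by default

# Constructed address book (placeholder addresses), per the "save contract
# addresses" rule: anything not listed here gets a warning.
ADDRESS_BOOK = {
    "0x1111111111111111111111111111111111111111": "Trusted DEX router",
    "0x2222222222222222222222222222222222222222": "Known token contract",
}


def _known(addr: str, book=ADDRESS_BOOK) -> bool:
    return addr.lower() in {a.lower() for a in book}


def _word(data: bytes, i: int) -> bytes:
    """Return the i-th 32-byte ABI word following the 4-byte selector."""
    word = data[4 + 32 * i: 4 + 32 * (i + 1)]
    if len(word) != 32:
        raise ValueError("calldata truncated")
    return word


def decode_calldata(hex_data: str) -> dict:
    """Decode approve/transfer/transferFrom calldata into a name and argument list."""
    data = bytes.fromhex(hex_data[2:] if hex_data.startswith("0x") else hex_data)
    sel = data[:4].hex()
    if sel not in SELECTORS:
        return {"function": None, "selector": sel}
    name, types = SELECTORS[sel]
    args = []
    for i, t in enumerate(types):
        w = _word(data, i)
        # addresses are right-aligned in the 32-byte word; uint256 is big-endian
        args.append("0x" + w[12:].hex() if t == "address" else int.from_bytes(w, "big"))
    return {"function": name, "args": args}


def review_request(to_contract: str, hex_data: str, book=ADDRESS_BOOK) -> list:
    """Return warnings for a sign request; an empty list means nothing looked odd."""
    warnings = []
    if not _known(to_contract, book):
        warnings.append(f"contract {to_contract} is not in your address book")
    decoded = decode_calldata(hex_data)
    if decoded["function"] is None:
        warnings.append(f"unknown function selector 0x{decoded['selector']}")
        return warnings
    if decoded["function"] == "approve":
        spender, amount = decoded["args"]
        if not _known(spender, book):
            warnings.append(f"approve() spender {spender} is not in your address book")
        if amount == UNLIMITED:
            warnings.append("approve() amount is unlimited (2**256-1)")
    else:  # transfer / transferFrom: the recipient is the last address argument
        recipient = decoded["args"][-2]
        if not _known(recipient, book):
            warnings.append(f"{decoded['function']}() recipient {recipient} is not in your address book")
    return warnings


def revoke_calldata(spender: str) -> str:
    """Calldata for approve(spender, 0): the allowance flush the article recommends."""
    spender_word = bytes.fromhex(spender[2:]).rjust(32, b"\0")
    return "0x095ea7b3" + spender_word.hex() + (0).to_bytes(32, "big").hex()


if __name__ == "__main__":
    # Constructed request: a known token contract asking you to approve an
    # unknown spender for an unlimited amount, the classic drainer pattern.
    sample = "0x095ea7b3" + "00" * 12 + "33" * 20 + "ff" * 32
    for w in review_request("0x2222222222222222222222222222222222222222", sample):
        print("WARNING:", w)
    print("revoke:", revoke_calldata("0x3333333333333333333333333333333333333333"))
```

Run it on the calldata your wallet displays (MetaMask shows it under the transaction's "Hex" tab, and block explorers show it as "Input Data"). Two warnings on a single approve is exactly the case to reject.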
Security State of Mind
While the above are a few common vectors and some general rules of thumb, it's best to keep growing your own knowledge of security issues and to stay alert whenever your digital assets are involved.
Take the time during the bear market to develop a "security state of mind": curate a list of resources you trust (auditing firms, research and educational sites, and more) and do the research to better understand the risks specific to crypto.
We hope you stay safe out there Zombie Horde. Stay vigilant, as scammers are everywhere.