Safekeeping Your Crypto: 5 Common Security Risks and Prevention Strategies
With security still being a large concern in Web3, users must stay informed about how to best manage their funds. This article is going to discuss 5 common scams and hacks you may encounter if you are not careful. Use this article to learn about the common red flags of scams and implement protection mechanisms like setting up the right 2FA, keeping your private key secure, and protecting yourself from scammers.
Table of Contents
Phishing
Pig-butchering
SIM swapping
Rugpulls
Address poisoning attack
Phishing
Phishing scammers attempt to trick their victims into revealing sensitive information like private keys or login credentials, often by issuing links to fake websites through emails, text messages or social media platforms. These fake websites tend to impersonate well-known cryptocurrency exchanges or NFT platforms such as Coinbase and OpenSea to trick their victims into revealing their sensitive information.
If you’ve been around in the crypto space long enough, then you’ve likely already heard about phishing scams. Despite our awareness of the scam, phishing scams are not easily recognizable. Many users still fall victim to it, including major personalities in the crypto space. Last month, Nikhil Gopalani, the COO of RTFKT, lost approximately $173,000 to a phishing attack. Kevin Rose, creator of the famous NFT collection, Moonbirds, recently had over $1.09 million USD worth of his personal NFTs stolen in a phishing scam.
Prevention Strategies
At the end of the day, protecting yourself against phishing scams boils down to being extremely careful about where you share your sensitive information. As a general rule of thumb, always double check the URL, email sender or social media profile you are interacting with before submitting any sensitive information.
Be cautious of emails and text messages with links: Phishing emails and messages tend to look very legitimate. If they require you to click any link, always double check that the sender is authentic.
Double-check URLs: Phishing scammers will dupe their victims into entering phishing pages that pose as trustworthy websites. Always double-check the URL before you sign any transaction. In an Opensea phishing attack that occurred last year, scammers issued fake emails impersonating Opensea to trick users into entering a fake website that looked like OpenSea. Upon entering the fake website, victims were shown supposed “connection” problems, which required them to submit personal details in order to access their account (see image below). As soon as the victim gave up their private keys, the scammer got full access to the user's assets. This cost 17 users almost $20M worth of NFTs used phishing emails.
Example of an Opensea phishing website | Trend Micro
Enable multi-factor authentication when available: Attackers commonly attempt to steal passwords to access online crypto wallets and other digital accounts. Wherever possible, enable multi-factor authentication to make it more difficult for scammers to carry out their attack. However, refrain from using phone number based 2FA as much as you can as scammers can use a tactic known as SIM swapping to bypass your security mechanisms (read more below under 'SIM swapping). Instead, use 2FA apps like Authy and Google Authenticator.
Pig-Butchering
Pig butchering schemes involve scammers gaining the trust of their intended victim before tricking them into contributing to a fraudulent scheme that ultimately causes the victim to lose their money. In the beginning, the attacker reaches out to the victim and pretends to have made an error, such as sending a message to the wrong number. The scammer then builds a relationship with the victim to gain access to their personal information and gradually introduces the notion of investing in cryptocurrency. Through seemingly innocuous conversations, the scammer gradually manipulates the victim into making an investment through a platform that the scammer controls. When the victim invests significant sums of money on the fake investment platform, the scammer disappears with all the funds, resulting in substantial financial losses for the victim.
Starting correspondence of a Pig-butchering scheme | Tripwire
Prevention Strategies
Like most protection mechanisms against social engineering tactics, safeguarding your funds against pig-butchering is about staying alert and identifying the red flags of fraudsters.
Only invest in reputable platforms: Before investing, always conduct thorough research on the platform to ensure its legitimacy. By taking the time to investigate its credibility, you can reduce the risk of investing in a fake platform controlled by a scammer.
Be wary of unfamiliar contacts: As a general rule in the cryptocurrency world, be cautious if someone attempts to persuade you to invest in a platform by promising extravagant rewards. If the starting correspondence from the contact starts unexpectedly like in the image above, then they could be a scammer.
Common Pig-butchering lies | FTC
SIM Swapping
SIM swapping is a deceitful technique that scammers use to gain control of their victims' phone numbers and take over their accounts. Typically, a SIM swap attack is carried out remotely, where hackers take advantage of leaked personal information like email, phone number, and date of birth to impersonate the victim and convince their mobile carrier to assign the victim's number to a new SIM card. This essentially amounts to identity theft, as the scammers take over the victim's phone number and lock them out. If the victim uses text message-based authentication codes as a second factor, the hackers can steal their passwords and gain access to their financial accounts.
Prevention Strategies
Use non-SMS multi factor authentication: Authenticator apps like Authy or Google Authenticator are not susceptible to SIM swap vulnerabilities and do not rely on text messages. Such authenticator apps can only be compromised if the device where the app is installed is physically stolen - typically the user's phone. This makes authenticator apps significantly more secure than SMS-based 2FA that can be exploited remotely.
Beware of social engineering attacks: Typically, your personal information that is leaked and used for SIM swap attacks comes from data breaches or social engineering attacks. Scammers may attempt to deceive you into revealing personal information that they can either sell or use for a SIM swap. One common tactic involves impersonating a customer representative who needs to verify your personal details such as your name, address, and contact information. It is essential to be wary of such attempts and take appropriate precautions to protect your personal information.
Set up strong passwords: Choose strong, unique passwords. You can use a service like Avast to manage and generate you PINs and passwords. You can also add a PIN number to your SIM card so that even if hackers are able to impersonate you, they are still unable to access your SIM card.
Source: Yubico
Rug Pulls
A rug pull is a popular crypto scam in which the scammers attract a large pool of retail investors into buying into their project. As soon as the project gains traction, the team behind the project quickly runs away with the investors’ funds. Rug pull tokens are usually pumped up in price to their maximum by social media promotions and influencer marketing, after which the price crashes as soon as the project “pulls the rug” on the people who bought into the project. Many social media influencers have been accused of using the rug pull scheme on their impressionable audience.
One of the biggest rug pulls happened on the morning of 1 November 2022. The anonymous creators of the SQUID token (inspired by the acclaimed South Korean TV series 'Squid Game'), sold all of their holdings, which plummeted the price of SQUID from a high of $2,861 to virtually $0. As a result, resulting in more than $3M worth of the investors' funds being stolen.
Prevention Strategy
Recognize the red flags: Big promises with no roadmap to delivery is a key red flag of crypto scams and potential future rug pulls. If you find yourself investing into a project in a frenzy, out of your fear of missing out, then it is vital to slow down and do your own research.
Address poisoning attack
On-chain address poisoning is a newer type of scam that is becoming more common in the past few months. In this attack, the attacker creates an address that resembles the victim’s address in its shortened form. When the victim sends funds to another account, the attacker sends a low-value transaction to the victim from the lookalike address, essentially “poisoning” the user’s transaction history. If this user copies their address from their transaction history to send funds, then the victim would essentially be sending their crypto to the scammer.
Prevention Strategies
Double-check your addresses: Like many protection mechanisms, the key to preventing such scams is to be alert and double-check your transfer details.
Copy address directly from your wallet: Since this scam works by tricking users who copy their address from their transaction history, make sure you copy your address directly from your wallet instead.
Securing your funds are about staying informed and using the best practices to manage your cryptocurrency assets. To learn more about how to secure your private keys, check out our blog on wallet security.