In a broader sense, any kind of manipulation linked to behavioral psychology can be considered social engineering. However, the concept is not always related to criminal or fraudulent activities. In fact, social engineering is being widely used and studied in a variety of contexts, in fields like social sciences, psychology, and marketing.
When it comes to cybersecurity, social engineering is performed with ulterior motives and refers to a set of malicious activities that attempt to manipulate people into making bad moves, such as giving up personal or confidential information that can be later used against them or their company. Identity fraud is a common consequence of these types of attacks and in many cases leads to significant financial losses.
Social engineering is often presented as a cyber threat, but the concept exists for a long time, and the term may also be used in relation to real-world fraudulent schemes, which usually involve impersonation of authorities or IT specialists. However, the emergence of the internet made it much easier for hackers to perform manipulative attacks on a wider scale and, unfortunately, these malicious activities are also taking place in the context of cryptocurrencies.
Phishing emails often mimic correspondence from a legitimate company, such as a national bank chain, a reputable online store, or an email provider. In some cases, these clone emails will warn users that their account either needs to be updated or has shown unusual activity, requiring them to provide personal information as a way to confirm their identity and regularize their accounts. Out of fear, some people promptly click the links and navigate to a fake website in order to provide the required data. At this point, the information will be in the hands of the hackers.
Social engineering techniques are also applied to spread the so-called Scareware. As the name suggests, scareware is a type of malware designed to scare and shock users. They typically involve the creation of false alarms that attempt to trick victims into installing a fraudulent software that looks legitimate, or into accessing a website that infects their system. Such a technique often relies on users’ fear of having their system compromised, convincing them to click on a web banner or popup. The messages usually say something like: “Your system is infected, click here to clean it.”
Baiting is another social engineering method that causes trouble for many inattentive users. It involves the use of baits to lure victims based on their greed or curiosity. For instance, scammers may create a website that offers something for free, like music files, videos, or books. But in order to access these files, users are required to create an account, providing their personal information. In some cases, there is no need for an account because the files are directly infected with malware that will penetrate the victim’s computer system and collect their sensitive data.
Baiting schemes may also occur in the real world through the use of USB sticks and external hard drives. Scammers may intentionally leave infected devices on a public place, so any curious person that grabs it to check the content ends up infecting their personal computer.
A greedy mentality can be quite dangerous when it comes to financial markets, making traders and investors particularly vulnerable to phishing attacks, Ponzi or pyramid schemes, and other types of scams. Within the blockchain industry, the excitement that cryptocurrencies generate attracts many newcomers to the space in a relatively short period of time (especially during bull markets).
Even though many people do not fully understand how cryptocurrency works, they often hear about the potential of these markets to generate profits and end up investing without doing appropriate research. Social engineering is particularly concerning for the rookies as they are frequently trapped by their own greed or fear.
On the one hand, the eager to make quick profits and earn easy money eventually leads newcomers to chase false promises of giveaways and airdrops. On the other hand, the fear of having their private files compromised may drive users to pay a ransom. In some cases, there is no real ransomware infection, and users are tricked by a false alarm or message created by hackers.
As mentioned, social engineering scams work because they appeal to human nature. They usually use fear as a motivator, urging people to act immediately in order to protect themselves (or their system) from an unreal threat. The attacks also rely on human greed, luring victims into various types of investment scams. So it is important to keep in mind that if an offer looks too good to be true, it probably is.
Although some scammers are sophisticated, other attackers make noticeable mistakes. Some phishing emails, and even scareware banners, often contain syntax mistakes or misspelled words and are only effective against those who don’t pay enough attention to grammar and spelling - so keep your eyes open.
In order to avoid becoming a victim of social engineering attacks, you should consider the following security measures:
Cybercriminals are constantly looking for new methods to deceive users, aiming to steal their funds and sensitive information, so it is very important to educate yourself and the ones around you. The internet provides a haven for these types of scams, and they are particularly frequent in the cryptocurrency space. Be cautious and stay alert to avoid falling for social engineering traps.
Furthermore, anyone that decides to trade or invest in cryptocurrency should do prior research and make sure to have a good understanding of both the markets and the working mechanisms of blockchain technology.