Phishing in the Era of Web3.0 — Here’s What Every User Needs to Know by @christianseifert


Too Long; Didn't Read

In Q2 2022 alone, phishing attacks within the Web3 arena have surged by a whopping 170% compared to the previous quarter. Between April and June of this year, a total of 290 phishing campaigns were identified, which is substantially higher than the 106 attacks that took place just a few months earlier. Phishing attacks are designed to psychologically manipulate users, especially individuals who are not well-versed in today’s pervading cybersecurity trends. Over the first half of 2022, various hacks and exploits compromised over $2B. This figure is already more than the total volume of funds lost during all of 2021.


@christianseifert

Christian Seifert

Researcher-in-residence in the Forta community who previously spent 14 years...


The Web3 ecosystem has continued to grow at an unfathomable pace over the last couple of years, with some studies suggesting that by the end of the coming year, this fast-evolving space will be worth $6 trillion, growing at a CAGR of 44.6% from 2023 to 2030. However, this enormous growth has not been without its fair share of problems, with security issues — particularly phishing attacks — rising dramatically in recent months.

In its most basic sense, a phishing attack is a type of online fraud that tricks unsuspecting users into revealing their sensitive private data — such as passwords, credit card numbers, etc. — to cybercriminals posing as trustworthy sources. These schemes can be facilitated via various avenues, including email, social media, or malicious websites.

In this regard, a report released by popular blockchain security firm Certik notes that in Q2 2022 alone, phishing attacks within the Web3 arena have surged by a whopping 170% compared to the previous quarter, with most hackers exploiting users’ social media platforms to facilitate their nefarious activities. Not only that, between April and June of this year, a total of 290 phishing campaigns were identified, which is substantially higher than the 106 attacks that took place just a few months earlier.

Lastly, the study states that over the first half of 2022, various hacks and exploits compromised over $2B. For perspective, this figure is already more than the total volume of funds lost during all of 2021. Researchers also believe this number will continue to rise in the near- to mid-term.

Phishing remains the most popular form of cyberattack

According to Web3 cybersecurity firm TRM Labs, crypto assets and non-fungible tokens (NFTs) continue to be the most popular targets for hackers — so much so that between June and July of this year alone, the NFT market witnessed phishing attacks/scams worth over $22M. One of the many victims of these attacks was actor Seth Green, who lost a total of four NFTs — including Bored Ape #8398 — suggesting that everyone is susceptible to these ploys.

Phishing remains the first vector of attack for most hackers because it is designed to psychologically manipulate users — especially individuals who are not well-versed in today’s pervading cybersecurity trends.

To this point, most phishing scams use social engineering tactics where hackers send messages to their potential victims. These typically involve letting them know about a lucrative token launch, potential account breach, moonshot projects that can allow them to maximize their capital within days, etc. Furthermore, a vast majority of these messages require users to act within a fixed time window, thus playing up the element of FOMO (fear of missing out) in victims’ minds.

Types of phishing scams permeating the market today

Airdrops (that appear too good to be true)

In essence, airdrops are promotional tools that many companies implement to get people to use their services. Because they provide signees with free money, they have become extremely popular among crypto enthusiasts over the past couple of years.

With that in mind, it’s no wonder that airdrops are prime avenues for carrying out phishing ploys. For instance, hackers can send out messages to unsuspecting individuals, telling them their wallets have been credited with a particular digital asset. Once the victim is lured in, they are redirected to a trading platform where they need to connect their wallets. However, as soon as this happens, the hackers can then steal their funds.

Social fraud + clone phishing

As pointed out earlier, the most common means of carrying out a phishing attack is using fake emails and URLs. Since the Web3 ecosystem is still relatively young, it is full of fraudulent yet realistic website fakes, copycat social media accounts, and more. Therefore, it is vital that users not respond to any unsolicited messages, no matter how tempting or real they may appear.

In this regard, it should be pointed out that late last year, an employee working for prominent crypto trading platform bZx opened a phishing mail that cost his firm a whopping $55M.
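One way to screen links for the copycat sites described above is to compare each hostname against a short list of sites the user really uses. This is an added example, not code from the article; the trusted domains, the confusable-character map and the function names are constructed placeholders.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumption: placeholder allow-list of sites the user really uses.
TRUSTED = ("example-exchange.com", "example-wallet.io")

# Constructed sample of look-alike characters (digits and two Cyrillic letters).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                             "\u0430": "a", "\u0435": "e"})

def skeleton(name):
    """Fold a domain to a canonical form so visually similar names compare equal."""
    name = unicodedata.normalize("NFKC", name).lower().translate(CONFUSABLES)
    return name.replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Return ("trusted" | "lookalike" | "unknown", matched or seen domain)."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    site = ".".join(host.split(".")[-2:])  # naive registrable domain (no multi-part TLDs)
    if site in TRUSTED:
        return "trusted", site
    for good in TRUSTED:
        if host.startswith(good + "."):  # trusted name used as a subdomain elsewhere
            return "lookalike", good
        # Threshold of 2 is an assumption; short names need a tighter limit.
        if edit_distance(skeleton(site), skeleton(good)) <= 2:
            return "lookalike", good
    return "unknown", site
```

A "lookalike" verdict means the link should not be followed; "unknown" only means the name resembles nothing on the list, not that the site is safe.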

Clickjacking

Also referred to as ‘Ice Phishing’, this is an elaborate scheme where hackers need to make amendments to the smart contract UI of a platform, primarily by injecting it with a malicious script. As a result, users unknowingly send funds to the wrong wallet address.
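Because a tampered interface can show one destination while the transaction carries another, a wallet-side check can read the recipient from the transaction request itself. This is an added example, not code from the article: it assumes an Ethereum-style request with `to`, `value` and `data` fields and the standard ERC-20 `transfer(address,uint256)` encoding, and the function names and addresses are constructed.

```python
TRANSFER_SELECTOR = "a9059cbb"  # first 4 bytes of ERC-20 transfer(address,uint256)

def effective_recipient(tx):
    """Return (kind, recipient, amount) for a request a dapp asks the wallet to sign.

    Assumes hex strings carry a 0x prefix, as in JSON-RPC transaction objects.
    """
    data = tx.get("data", "0x")[2:].lower()
    if data == "":
        # Plain native-coin payment: the recipient is the `to` field.
        return "native", tx["to"].lower(), int(tx.get("value", "0x0"), 16)
    if data[:8] == TRANSFER_SELECTOR and len(data) == 8 + 128:
        # Token payment: `to` is the token contract, the real recipient is
        # the first 32-byte argument (address right-aligned, zero-padded).
        addr_word, amount_word = data[8:72], data[72:136]
        if addr_word[:24] != "0" * 24:
            raise ValueError("address argument has non-zero padding")
        return "erc20", "0x" + addr_word[24:], int(amount_word, 16)
    # Any other contract call is not interpreted here.
    return "unknown-call", None, None

def safe_to_sign(tx, intended_recipient):
    """True only if the funds go to the address the user meant to pay."""
    kind, recipient, _ = effective_recipient(tx)
    return kind != "unknown-call" and recipient == intended_recipient.lower()

# Constructed sample values (not real addresses).
INTENDED = "0x" + "11" * 20
OTHER = "0x" + "22" * 20
TOKEN = "0x" + "33" * 20

def erc20_request(recipient, amount):
    """Build a constructed ERC-20 transfer request for the demonstration."""
    data = "0x" + TRANSFER_SELECTOR + recipient[2:].rjust(64, "0") + format(amount, "064x")
    return {"to": TOKEN, "value": "0x0", "data": data}
```

Calls the decoder does not recognise are rejected rather than guessed at, so anything other than a plain payment fails the check.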

Seed phrase phishing

As most crypto users may be aware, a seed phrase is a set of random words that serves as a sort of ‘master key’, allowing anyone possessing them to access a person’s assets. In recent months, more and more hackers have begun using novel means (such as copycat websites, fake browser extensions, etc.) to phish out users’ seed keys. Once obtained, they can immediately drain the victim’s wallet of its holdings.

Understanding how to protect yourself

To protect themselves from phishing attacks, users must not respond to emails, SMS messages, or other third-party messages (received via Telegram, WhatsApp, etc.) from an unknown source. Moreover, users must never supply their credentials or personal information in response to these messages since most reputable crypto firms will never ask their clients for such details.

It is also in crypto owners’ best interest to avoid sharing their credentials or personal information when using a public or shared WiFi network. Another good practice is to avoid having a false sense of security because one may be using a particular OS or smartphone that has been touted as ‘unhackable’. Whether one uses an iPhone, Linux, Mac, or iOS, the problem is not the device or the operating system itself — but the website in question.

Looking ahead

Even if the Web3 ecosystem becomes more resilient to phishing attacks, hackers will still find novel ways to facilitate their nefarious deeds. Thus, it is in the best interest of crypto users to become wary of the various tactics employed by hackers, as well as the duty of cybersecurity firms to educate the masses to mitigate any potential issues.


by Christian Seifert @christianseifert. Researcher-in-residence in the Forta community who previously spent 14 years working on web security at Microsoft.
Hackernoon hq - po box 2206, edwards, colorado 81632, usa