So first of all, let's start with a definition. What is phishing? NIST (the National Institute of Standards and Technology) defines it as:
Tricking individuals into disclosing sensitive personal information by claiming to be a trustworthy entity in an electronic communication (e.g., internet web sites).
Now, in the traditional finance world, recovering from phishing, although it may be a pain, is often pretty straightforward. There are identity protection services, credit card companies refund fraudulent transactions, and losing personally identifiable information (PII) doesn't often result in the direct loss of the entire contents of your bank account in one fell swoop. Unfortunately, falling victim to phishing in web3 can have exactly that effect, and it is probably one of the biggest barriers standing between web3 and mass adoption today.
Image: Someone impersonating me to one of our community members in Discord.
What Do The Scammers Want?
In Web3, scammers are trying to get you to do one of three things:
Sign a Malicious Transaction
Send them or leak your Seed Phrase
Get you to Download Malware (to help facilitate one of the first two)
High Level Tactics of Scammers
They want to earn your trust
They are going to do anything they can to shortcut relationship building. Do they see you aren't super tech savvy? “Neither are they”. Are you new to trading platforms? What a coincidence “So are they!”. They are going to look, talk, and maybe even impersonate someone trustworthy like an influencer or community manager/moderator.
They're gonna rush ya!
Remember the infomercial tactics of the 90's and early 2000's? Even if you aren't old enough to remember them, you've probably heard them referenced in pop culture from time to time. “Act now and get two for the price of one” type things. When it comes time to do the deed, even if they've been patient with you up until that point, they will put the pressure on. This time pressure makes us make mistakes, keeps us from thinking clearly, and leaves us no time to ask for a second opinion.
Be extremely persistent over days and weeks
Do you have high value NFTs or assets from so-called “blue chip” collections? Prepare to be a target of sophisticated social engineers in ways you have never been before. Someone pretending to be your friend for months just to take your assets? It has happened. Someone learning all about your project and offering to help for weeks, only to pull out their scammer tactics at the tail end of the deal? Yep, seen that too.
They're gonna bring in help
Maybe they will feign ignorance of how something works and bring in their “friend” to help them figure out this trading platform. Maybe they want to prove trustworthiness and bring you to a Discord server with thousands of members (mostly fake bots). Whatever the reason, always be suspicious of someone bringing in a second person to convince you of something or to help escrow a trade. 99% of the time it means you are walking into a trap.
Exploit Inexperience (especially around things you rarely do)
If you've been in a Discord server like OpenSea's, a major DeFi protocol's, or another platform's, you'll notice a common theme. If you ever ask a question in their support channels without first turning off your DMs for that server, you're going to be bombarded with “support people” offering to help you. They smell noobs like sharks smell blood in the water. They see an easy target and they zero in on it.
So, Back To Phishing - The Scammer Playbook
Scammers looove to leverage the insecure nature of the social media platforms we use to further their agenda. Discord and Twitter weren't built with a security-first mindset; as with most products, they were built with a product-first mindset, with security tacked on at the end. Because security was never the focus from the start, it will never be as good as it could have been had Twitter and Discord been more cognizant of the security implications of their design choices from day one. In a space that is rife with FOMO (Fear of Missing Out), it's no wonder scammers have been so successful in snagging expensive NFTs. But how do they apply those tactics in a practical sense?
Everything starts with getting you out of the walled gardens of the marketplaces and into the scammer's domain.
There are no big scams that we've seen that take place entirely inside a walled garden ecosystem. That is to say, to date, no scammer has pulled off a scam without the user ever leaving the walled gardens of our sacred marketplaces. Because of this, many folks feel complacent when they think they are on these sites. Scammers know they can't lure you onto some random website and simultaneously expect you to keep your guard down. This is why phishing is critical to them: getting you onto a site that you think is the correct site is the holy grail of scammer tactics.
In Web3 this is even more important because it doesn't necessarily matter what site you think you are on or what you think you are doing: if you aren't paying attention, the phishing website can surface a transaction suggestion that, if you're not careful, can be the dreaded ‘SAFA’ (SetApprovalForAll) transaction, as described in our approvals article.
Almost Everything ends with a Malicious Signature, a Transfer or Approval Transaction (but not always)
They got you on their site, so now what? Well, the magic happens as soon as you connect your wallet to their site: a script runs. That script checks the holdings of the wallet address you just connected and works out where the biggest bang for their buck is. As described in the aforementioned approvals article, approvals are granted per wallet address, per token contract, and per platform (operator address), so the scammer wants to get the most value out of the very first approval, before you might catch on to what they are doing.
So let's say you have two Mutant Apes as your most valuable assets. One single Set Approval for All transaction will give the scammer the ability to pull both of those from your wallet, in one transaction no less! Maybe those assets already have approvals on them? Well, scammers know that signatures that don't require gas are less understood by end users, so they'll surface one of the off-chain order signature types, as described in our signatures 101 article!
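As an added example (not from the article or from Boring Security), here is a small Python check that a wallet-side tool could run on the calldata a site asks you to sign, flagging the SetApprovalForAll pattern described above before the transaction goes out. The function selectors are the standard ERC-721/ERC-20 ones; the "known operator" address is a constructed placeholder, not a real marketplace contract.

```python
# Added example: decode EVM calldata and rate how dangerous the requested
# action is, from a defender's point of view. A selector is the first 4 bytes
# of keccak256(function signature); these are the standard ERC-721/ERC-20 ones.
SELECTORS = {
    "a22cb465": "setApprovalForAll(address,bool)",   # the "SAFA" transaction
    "095ea7b3": "approve(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
    "42842e0e": "safeTransferFrom(address,address,uint256)",
}

# Operators the user has deliberately approved before. Constructed placeholder
# address, NOT a real marketplace contract.
KNOWN_OPERATORS = {"0x" + "11" * 20}


def _word(data: bytes, index: int) -> bytes:
    """Return the index-th 32-byte ABI word following the 4-byte selector."""
    start = 4 + 32 * index
    if len(data) < start + 32:
        raise ValueError("truncated calldata: missing ABI argument")
    return data[start:start + 32]


def _address(word: bytes) -> str:
    # An address is the low 20 bytes of a left-padded 32-byte word.
    return "0x" + word[-20:].hex()


def classify_calldata(calldata: str) -> dict:
    """Classify hex calldata; the result carries a 'risk' of low/medium/high/unknown."""
    data = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    if len(data) < 4:
        return {"risk": "low", "reason": "plain value transfer or empty data"}
    func = SELECTORS.get(data[:4].hex())
    if func is None:
        return {"risk": "unknown", "reason": f"unrecognised selector 0x{data[:4].hex()}"}
    result = {"function": func, "risk": "high"}
    if func.startswith("setApprovalForAll"):
        operator = _address(_word(data, 0))
        approved = int.from_bytes(_word(data, 1), "big") == 1
        result.update(operator=operator, approved=approved)
        if not approved:
            result.update(risk="low", reason="revokes an operator approval")
        elif operator in KNOWN_OPERATORS:
            result.update(risk="medium", reason="re-approves a previously trusted operator")
        else:
            result["reason"] = "gives an unknown operator control of every token in the collection"
    elif func.startswith("approve"):
        result.update(spender=_address(_word(data, 0)),
                      token_id=int.from_bytes(_word(data, 1), "big"),
                      reason="gives a spender control of one token")
    else:
        result["reason"] = "moves a token out of the wallet right now"
    return result
```

The classification only covers on-chain calldata; the gasless off-chain order signatures mentioned above never reach this check and need to be read separately.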
Have any questions or want to learn more about web3 security and stay up to date on the most current security information, scams, and tactics? Join us in our discord at https://discord.gg/boringsecurity .