Even though Web3 evangelists have long touted the native security features of blockchain, the torrent of money flowing into the industry makes it a tempting prospect for hackers, scammers and thieves.
When bad actors succeed in breaching Web3 security, it is usually because users fell for the most common lures of greed, FOMO, and inexperience, not because of flaws in the underlying technology.
Many scams promise big payoffs, investments, or exclusive perks; the FTC groups these under "money-making opportunity and investment scams."
Types of Cyber Attacks
Security breaches affect both companies and individuals. While not a complete list, cyberattacks targeting Web3 typically fall into the following categories:
Phishing: One of the oldest yet still most common forms of cyberattack. Phishing usually arrives by email, but also as texts and social-media messages, all crafted to look as if they come from a reputable source. In Web3 it also takes the form of a compromised or maliciously coded website that, once a browser-based wallet is connected, prompts the user to sign a transaction or token approval that drains the crypto or NFTs from that wallet.
Malware: Short for malicious software, this umbrella term covers any program or code that harms a system. Malware typically enters through links and attachments in phishing emails, texts, and messages, or through downloads from untrusted sources.
Compromised Websites: Legitimate websites hijacked by criminals and used to host malware that unsuspecting users download when they click on a link, image, or file.
URL Spoofing: Unlike compromised websites, spoofed websites are malicious sites built as clones of legitimate ones, usually at a look-alike domain. Also known as URL phishing, these sites harvest usernames, passwords, credit card numbers, cryptocurrency, seed phrases, and other personal information.
Fake Browser Extensions: As the name suggests, these attacks use counterfeit wallet or "helper" extensions to dupe crypto users into entering their credentials or keys, which the extension then forwards to the cybercriminal.
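The wallet-draining sites described under Phishing above do not break the blockchain; they get the victim to sign a transaction that hands an attacker control of their tokens, most often an ERC-20 approve for an unlimited amount or an NFT setApprovalForAll. As an added example that is not part of the original article, the Node.js script below decodes the calldata a site passes to a browser wallet and flags those requests before the user signs. The four-byte function selectors are the standard ERC-20 and ERC-721 ones; the spender addresses and sample transactions are constructed for illustration and are not real contracts.

```javascript
// Added example, not from the original article: inspect the calldata a dapp asks a
// browser wallet to sign and flag the requests wallet drainers rely on. The 4-byte
// selectors are the standard ERC-20 / ERC-721 ones (first 4 bytes of the keccak256
// hash of the canonical signature); all addresses in the samples are constructed.
const SELECTORS = {
  "095ea7b3": { name: "approve(address,uint256)", kind: "erc20-approval" },
  "a9059cbb": { name: "transfer(address,uint256)", kind: "erc20-transfer" },
  "a22cb465": { name: "setApprovalForAll(address,bool)", kind: "nft-operator" },
};

const MAX_UINT256 = (1n << 256n) - 1n;

// Every ABI-encoded static argument occupies one 32-byte word (64 hex chars) after the selector
function word(data, i) {
  return data.slice(8 + i * 64, 8 + (i + 1) * 64);
}
// An address is right-aligned in its word: 12 zero bytes, then the 20 address bytes
function asAddress(w) {
  return "0x" + w.slice(24);
}
function asUint(w) {
  return BigInt("0x" + w);
}

function decodeCalldata(calldata) {
  const data = (calldata.startsWith("0x") ? calldata.slice(2) : calldata).toLowerCase();
  const result = { selector: data.slice(0, 8), kind: "unknown", warnings: [] };
  if (!/^[0-9a-f]*$/.test(data) || data.length < 8) {
    result.warnings.push("not valid calldata");
    return result;
  }
  const entry = SELECTORS[result.selector];
  if (!entry) return result; // unrecognised function: show the raw data to the user
  result.name = entry.name;
  result.kind = entry.kind;
  // All three recognised functions take exactly two static arguments
  if (data.length !== 8 + 2 * 64) {
    result.warnings.push("malformed argument encoding");
    return result;
  }
  switch (entry.kind) {
    case "erc20-approval":
      result.spender = asAddress(word(data, 0));
      result.amount = asUint(word(data, 1));
      if (result.amount === MAX_UINT256) {
        result.warnings.push("unlimited allowance: spender can move your whole balance, now and later");
      }
      break;
    case "erc20-transfer":
      result.to = asAddress(word(data, 0));
      result.amount = asUint(word(data, 1));
      break;
    case "nft-operator":
      result.operator = asAddress(word(data, 0));
      result.approved = asUint(word(data, 1)) === 1n;
      if (result.approved) {
        result.warnings.push("operator approval: this address may transfer every NFT you hold in the collection");
      }
      break;
  }
  return result;
}

// True when a human should stop and read the request before signing
function shouldBlock(calldata) {
  return decodeCalldata(calldata).warnings.length > 0;
}

// Constructed samples (hypothetical attacker address, not a real contract or account)
const ATTACKER = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef";
const PAD = "000000000000000000000000";
const SAMPLE_UNLIMITED_APPROVE = "0x095ea7b3" + PAD + ATTACKER + "f".repeat(64);
const SAMPLE_SET_APPROVAL_FOR_ALL = "0xa22cb465" + PAD + ATTACKER + "0".repeat(63) + "1";
const SAMPLE_SMALL_TRANSFER = "0xa9059cbb" + PAD + ATTACKER + "0".repeat(60) + "03e8"; // 1000 base units

for (const c of [SAMPLE_UNLIMITED_APPROVE, SAMPLE_SET_APPROVAL_FOR_ALL, SAMPLE_SMALL_TRANSFER]) {
  console.log(JSON.stringify(decodeCalldata(c), (k, v) => (typeof v === "bigint" ? v.toString() : v)));
}
```

Two caveats a reviewer would want stated: the selector alone cannot tell an ERC-20 approve from an ERC-721 approve(address,uint256), which shares the same signature and therefore the same four bytes, so a real wallet must also look at which contract the transaction targets; and a drainer can reach the same result through other entry points (permit signatures, custom contract calls), so a short selector table is a tripwire, not a complete filter. The point of the example is that a signed transaction, not a broken blockchain, is what empties the wallet, and that the request is readable before it is signed.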
How to protect yourself?
The best way to protect yourself from phishing is to never act on an unsolicited email, SMS text, Telegram, Discord, or WhatsApp message from an unknown person, company, or account: do not reply, do not open attachments, and do not follow links. If a message claims to come from a service you use, go to that service through its official website or app instead.
Avoid entering your credentials or personal information while on public or shared Wi-Fi or networks. In addition, do not let a particular operating system or phone type give you a false sense of security; none of them makes you immune.
Keep your asset safe
When possible, use hardware or air-gapped wallets to store digital assets. These devices, sometimes described as "cold storage," keep your private keys off the internet until you are ready to sign a transaction. While it is common and convenient to use browser-based wallets like MetaMask, remember that anything connected to the internet has the potential to be hacked.
If you use a mobile, browser, or desktop wallet, also known as a hot wallet, download it from official platforms like the Google Play Store, Apple's App Store, or the project's verified website. Never download from links sent via text or email. Even though malicious apps occasionally find their way into official stores, doing so is still safer than following links.
After completing your transaction, disconnect the wallet from the website. Note that disconnecting only ends the site's session with your wallet; any token approval you signed while connected stays in force on-chain until you revoke it, so review and revoke approvals you no longer need.
Be sure to keep your private keys, seed phrases, and passwords private. If you are asked to share this information to participate in an investment or minting, it’s a scam.
Only invest in projects you understand. If it is unclear how the scheme works or where the returns come from, stop and do more research.
Ignore high-pressure tactics and tight deadlines. Scammers use these to trigger FOMO so that potential victims neither think about nor research what they are being told.
Last but not least, if it sounds too good to be true, it is probably a scam.