Social Engineering Attacks – A Threat to Your Bitcoin

Hackers don't just manipulate computers to get what they want. They also try and hack you! By using human psychology, you'd be amazed what hackers can achieve with social engineering attacks.


Written By Rick Messitt: CMO and Bitcoin educator at The Bitcoin Way

It should come as no surprise that Bitcoin is once again the best performing asset of the year. Over the past decade the rise in Bitcoin’s value has surpassed everything else by a country mile. There has been no better place for you to store and grow your wealth. As Michael Saylor likes to put it, “There is no second best”.

And if Bitcoin does fulfil its promise, and results in a departure from debt-based fiat currency, then we are at the very start of witnessing the largest transfer of wealth in human history. When Bitcoin becomes the world’s reserve currency, you will no longer be comparing its ‘performance’ to anything. Instead, Bitcoin will become the new yardstick we use to measure value, and everything will be priced in Satoshis.

Now had you suggested this during Bitcoin’s early days, most people would have accused you of having a screw loose. But in 2024 and with 15 years of robust performance under its belt, people are beginning to take Bitcoin much more seriously. So much so in fact that instead of traditional financiers making fun of it, they are now calling it a ‘Flight to Safety’ against a backdrop of insurmountable global debt, in a legacy system that appears to be drawing its last breath.

The whole world then is starting to wake up to what Bitcoin truly represents, and as more people figure it out, the demand for Bitcoin is likely to continue increasing just as rapidly as it has done for the past 15 years. Sooner or later, everyone gets drawn into Bitcoin’s orbit.

Unfortunately, as Bitcoin becomes better understood and global demand continues to increase, it attracts not only the attention of governments, financiers and investors, but also criminals who plan to increase their Bitcoin stack via illicit means.

We already know that leaving your Bitcoin on an exchange or losing your private keys will result in you losing your stack. But we are also increasingly starting to see examples of criminals directly targeting Bitcoiners to try and scam them out of their coins.

One of the favourite tactics they use is known as ‘Social Engineering’. So this week let’s explore this topic in a bit more detail, so we can understand the best ways to remain vigilant and protect ourselves.

What is Social Engineering?

When we think about criminal hackers, we tend to picture something reminiscent of a Hollywood movie. We picture a technical genius who manages to outsmart even the most hardened IT systems by breaking through firewalls and exploiting software vulnerabilities to reach their victim.

The reality is however that most hacks aren’t really that glamorous at all. Most don’t even require sophisticated technical skills to perform. Hackers aren’t wasting time targeting weaknesses in technology. Instead, they focus their attention on exploiting flaws in human psychology. It’s far easier to hack a human by using simple manipulation than it is to hack a well-protected IT system.

This kind of attack, where cybercriminals exploit human psychology to gain access to confidential information, is what we refer to as a Social Engineering attack.

Attacks like this typically start when an attacker deceives their victim into thinking they are a trusted individual or entity. They may impersonate a colleague, a customer service representative or even a government agency in an attempt to establish trust with their victim.

Once the attacker has gained their victim’s trust, they will then lead them into taking actions that normally they wouldn’t, such as clicking on malicious links, downloading malware, or revealing critical information like passwords or financial details. In some cases, these attacks even convince people to make payments they wouldn’t otherwise make.

It sounds almost fanciful when you propose that someone would just blindly follow the instructions of a scammer and enable them to steal from them. But it happens much more often than you’d think. Criminals have become very sophisticated when using these techniques and like to prey on their victim’s emotions and create a false sense of urgency to stop them carefully thinking through their actions.

This is a big problem even for large companies with sophisticated cyber security systems. If one of your employees falls for a social engineering attack and actively invites an attacker in, then the protections you put in place might end up counting for nothing.

Social Engineering – Common Techniques

One of the best ways to avoid falling victim to a social engineering attack is to know what to look out for. If you’re familiar with the tactics that criminals use, then you’re far less likely to fall for their tricks.

So, let’s explore some of the most common techniques used in social engineering:

Phishing

Phishing is by far the most prevalent form of social engineering attack and one you should always be on the lookout for. Attackers use fraudulent emails, SMS text messages or websites that mimic legitimate ones to trick you into entering sensitive information like usernames, passwords or God forbid, seed phrases.

Attackers might send fake messages to thousands of people at once to cast a wide net or might target specific high-net-worth individuals or CEOs at major companies.

Most of the time the goal of these messages or websites is to trick you into clicking a malicious link or opening a dodgy attachment. Once you do, you may find you have entered sensitive information into a fake website or inadvertently downloaded malware onto your device.

Pretexting

Pretexting is when an attacker creates a fabricated scenario (or “pretext”) for getting in touch with you. This can be a very effective technique because typically the scenario they create is designed to sound both plausible and urgent in order to extract the information they are looking for.

Let’s create a potential scenario so you get a sense of how that might work:

In 2020 the major Bitcoin hardware wallet manufacturer Ledger had their internal systems compromised. This led to the leak of over 272,000 customer details including full names, emails, phone numbers and home addresses.

Armed with this information, an attacker could reasonably assume that the people contained in the leak own some Bitcoin and store it in self-custody. The attacker can then use these details to call them and make themselves appear legitimate: by asking the victim to confirm the second half of their Zip code, or by referencing information about their purchase history, they can fool the victim into thinking they are speaking to a genuine Ledger employee.

If they do manage to convince the victim that they are a customer service agent, they can then use that trust to claim there is some kind of problem with the victim’s device, and that they are calling to walk them through a ‘solution’.

The problem is, more often than not this fake ‘solution’ ends with the victim’s funds being drained by the attacker.

Baiting

Another commonly employed social engineering tactic is known as ‘baiting’. This is where an attacker plays on their victim’s greed and offers them something tempting to lure them into clicking malicious links or downloading malware.

These types of scams are rampant in the ‘crypto industry’ because so many market participants are driven by greed. People who chase altcoins or get dragged into leverage trading are easy targets because they want to make money, and they want to do it fast. This mixture of greed and urgency can be a deadly cocktail.

Attackers prey on this behaviour by creating ‘get rich quick schemes’ that lure victims to malicious websites or dodgy software downloads. They will promote this ‘bait’ by creating fake celebrity or company accounts on social media or will simply use bots to spam comments sections. In some cases, even banner ads on websites you visit might be advertising something malicious.

Attackers are known to use all sorts of bait to lure in victims. They have even been known to simply leave infected USB sticks laying around in public places in the hope that a free USB stick is enough to lure you into making a grave mistake.

Endless Social Engineering Techniques

We’ve described some of the most common social engineering techniques you’re likely to come across, but the possibilities are truly endless, and the threats are always evolving. Hackers will continue to improve, innovate and find new ways to take advantage of the weakest link in the security chain, human psychology.

An attacker might try and trick you into thinking your PC has a virus, and they are contacting you to offer support. Or they might pose as a potential love interest on a dating app to get you to reveal personal information. In some cases, attackers have even been known to go dumpster diving for personal information or even use tactics as rudimentary as looking over your shoulder in a public place while you’re distracted.

The common theme to all social engineering attacks is that they leverage human emotion and behaviour to compromise their victims. They will often use fear, trust, greed, or even just the desire to help to trick their victims and inject urgency into a situation to give them little time to think critically about what they are doing.

Social Engineering – The Best Ways to Protect Yourself

Protecting yourself from social engineering attacks requires a combination of awareness, vigilance, and proactive security practices. Since these attacks exploit human behaviour, rather than technical weaknesses, the focus should be on building good habits, staying informed, and using security tools that help detect and prevent manipulation.

Be Sceptical of Unsolicited Requests

One of the most effective ways to protect yourself from social engineering attacks is to always be suspicious when receiving unsolicited requests. Even if it’s an email, phone call or message from what looks like a ‘trusted’ organisation, never assume it’s legitimate without verifying the source.

If someone contacts you claiming to be from your bank, a government agency or your Bitcoin exchange tell them you are happy to speak to them, but you will terminate this current conversation and reach out to them through official channels to confirm that everything is legitimate.

Any genuine company would completely understand you doing this and should actively encourage it.

Be Cautious of Urgency

Most social engineering attacks rely on creating a sense of urgency and fear. Attackers use this tactic to pressure you into making rash decisions without stopping to think what you are doing.

You should view it as an immediate red flag if a message or call you receive demands immediate action such as changing your password or making a transaction. If this does happen, make sure to take a step back and evaluate the situation. Perhaps even reach out to someone you trust to get their view on things. Getting the perspective of someone who isn’t in a panicked state can help you think more clearly.

Protect Your Privacy

You are far more susceptible to social engineering attacks if you don’t take measures to protect your privacy. Attackers gather personal information from social media, public records, or data breaches to learn as much as they can about you before they strike. It’s much easier to trick you if they can make themselves sound legitimate by already knowing a lot about your affairs.

The best way to reduce the risk of being targeted in the first place is to limit the personal information you share online. Any information you share about your work, your family, your address, or even your personal interests can all be used against you by scammers who want to gain your trust.

It also makes sense to develop a mindset that any information you submit to a third-party website or service might eventually end up in a data breach. When you start thinking like this it’s likely to start changing your behaviour online.

When signing up to new services try to avoid giving away more information than you absolutely need to. If it’s something trivial, why not sign up using a temporary disposable email address instead of linking it to one that you use for your important messages? That way if that email does end up in a breach it doesn’t trace back to your main account.

Taking your online privacy seriously is extremely important if you don’t want to make yourself a target. Unfortunately, it’s something a lot of people completely overlook.

Install Security Software

Another important step you can take to protect yourself from social engineering attacks is to install security software. Antivirus and anti-malware software can help protect against certain types of social engineering attacks by identifying and blocking phishing attacks before they reach you and detecting harmful attachments in emails. Some modern tools are even employing AI threat detection to identify and block new threats as soon as they become known.

If you are not using up-to-date security software, you are leaving yourself wide open to attack. Make sure that you use a reputable provider and always keep it up to date.

Always Use Two-Factor Authentication (2FA)

Finally, you should always enable two-factor authentication on all your accounts. That way, even if an attacker does manage to get their hands on one of your passwords, there is still an extra layer of security preventing them from gaining access without the secondary verification code from your personal device.

Protect Yourself The Bitcoin Way

We couldn’t cover every single type of social engineering attack in just one article, and we also couldn’t cover every single mitigation you might put in place either. The landscape of threats we face is constantly evolving.

What we hope we have managed to achieve however is to help you understand the types of threats that are out there. Whilst the scammer’s techniques change all the time, there is a common strategy to all social engineering attacks that involves using human psychology to misdirect you. Being able to recognise these tactics will serve you well in avoiding these attacks whatever form they take.

Of course, recognising attacks is only half the battle. Being able to recognise social engineering attacks when you see them is great, but it’s much better to improve your privacy and cyber security to block them from reaching you entirely.

If that’s something you think you could use some help with, then that’s exactly what we are here for. We can teach you how to improve your online privacy, secure your devices properly, and make sure that you are definitely not an easy target. If you want to speak to one of our experts, all you need to do is book a free 30-minute call.
