Introduction: Phishing and Scams in Web3 Wallets
In Web2, phishing is a common scam. Criminals deceive people into parting with their funds or sharing sensitive information, among other desired outcomes. They do this by masquerading as people the victims know or as reputable organisations. Despite Web3 incorporating the concept of trustlessness, phishing is still prevalent.
The authorities in Singapore even went on record to caution cryptocurrency holders against such scams. Web3 wallets and centralised exchange accounts are ideal targets because the assets can be transferred easily and rendered untraceable.
We’ll share some common phishing tactics in Web3, and more importantly, how to prevent your cryptocurrencies and NFTs from being stolen.
Understanding Phishing in Web3 Wallets
Deception lies at the core of phishing in Web2 and Web3. A well-designed copycat landing page (Web2) and phony call-to-action button in a Web3 wallet will – ideally for the criminal – lead to the same result.
However, the method of deception in Web2 and Web3 is a little different. Here’s how:
{{web3-phishing}}
8 Common Web3 Phishing Tactics
1. Fake Website Redirects
Also known as malicious redirects, this refers to snippets of code injected into a website’s files to lead visitors to an unrelated page. There, bad actors can trick visitors into installing harmful browser extensions or software.
2. Malicious Pop-Up Windows
As its name suggests, these are pop-up windows that appear to be innocuous, but cause harm the moment you perform the desired action. For example, installing an ‘antivirus’ program because your PC has been ‘infected’.
3. Smart Contract Vulnerabilities
Because smart contracts are relatively new, they have several vulnerabilities which aren’t completely stamped out yet. Criminals use these to their advantage, setting up harmful smart contracts and tricking Web3 users into interacting with them.
4. Social Engineering
This method involves the criminal impersonating someone Web3 and crypto users would listen to, such as a key opinion leader or relative. They’d then convince the user to part with their digital assets or interact with a malicious smart contract.
5. Malware-Based Phishing
Criminals bundle malware with innocent-looking websites, emails, or other ‘vehicles’. Once the victim downloads the malware, it’s easy for the criminal to access whatever they need to on their device, be it private keys or personal details.
6. Permit and Permit2 Signature Phishing
Signature phishing involves using phishing links or websites to trick users into signing a fake transaction with their Web3 crypto wallet. Permit2 signature phishing is especially harmful because it grants attackers access to your full balance for a particular token.
7. Using Similar Addresses
This is perhaps the most classic Web3 phishing method. By sharing a wallet address which looks identical to one belonging to an influencer, celebrity, or organisation, bad actors can trick careless Web3 users into sending their crypto and other digital assets to the wrong address.
8. Malicious Account Owner Change
This is commonly known as account takeover fraud (ATO). In the Web3 world, what criminals would take over is an individual’s software wallet. For example, using the TRON Network’s ‘UpdateAccountPermission’ flaw to gain control of Web3 wallets stealthily.
4 Ways to Prevent Web3 Wallet Phishing Attacks
1. Adopt Security Best Practices
It's a broad range, but for one, if you’re planning to hold a large amount of cryptocurrency for a long time, use a hardware wallet. Next up, enable multi-factor authentication – not just two-factor authentication – for accounts which need it the most, such as your centralised exchange one.
2. Safeguard Your Transactions
Double and triple-check everything you do in Web3 before committing to it. Even something as simple as signing a transaction can be exploited. On that note, always ensure the Web3 wallet address you’re keying in is indeed the intended one. Also, make sure the dApp you’re interacting with isn’t a spoofed website.
3. Avoid Social Engineering Traps
Received a message from a loved one saying they need money urgently? Before rushing to support them, verify their request. If you can, ask to meet up in person. At this point, the attacker would normally fold. Additionally, do not click on any suspicious links, even if they’re posted by celebrities, Web3 business leaders, or other influential figures.
4. Utilise Secure Computing Practices
Do this hand in hand with prevention method #1 above and you have a solid security foundation. These practices include not accessing sensitive websites using public Wi-Fi networks, not just your Web3 wallet but TradFi portals too. And for all online accounts you own, create strong and unique passwords or them.
Portkey: A Web3 Wallet With Security at the Heart of Its Design
Portkey is the Web3 wallet powered by aelf’s high-performance and AI-enhanced infrastructure. It’s designed for maximum ease of use, serving as your simplified gateway into Web3 with a seamless Web2 experience. Furthermore, Portkey is secure and completely free to use.
How secure, you ask? It excelled in an end-2024 smart contract audit by blockchain security pioneer Certik. This is a clear indicator of how committed the Portkey team is to adhering to industry standards and providing users with the safest way to store their digital assets.
And with its social recovery mechanism, Portkey maintains its user-friendliness while having an unparalleled level of security. Transact on your favourite dSpps without constantly worrying about security, but keep our tips above in mind too.
In Conclusion
Phishing in Web3 doesn’t look too different from its Web2 counterpart. After all, deception lies at the heart of phishing, no matter the era. You’ll still need to rely on the same principles when you tackle Web3 phishing – vigilance and carefulness.
The extra time taken to strengthen your Web3 wallet’s security and check every transaction you make can appear tedious at times, but it’ll save you a lifetime of heartache. Protecting yourself from phishing attacks is straightforward, and there’s no need to learn any lessons the hard way.
*Disclaimer: The information provided on this blog does not constitute investment advice, financial advice, trading advice, or any other form of professional advice. aelf makes no guarantees or warranties about the accuracy, completeness, or timeliness of the information on this blog. You should not make any investment decisions based solely on the information provided on this blog. You should always consult with a qualified financial or legal advisor before making any investment decisions.
About Portkey
Portkey: Zero-Barrier Entry Into Web3Portkey simplifies your connection to the Web3 world with its cutting-edge ZK social logins and ZK social recovery, offering a zero-barrier entry for users. Integrating into the Telegram ecosystem, Portkey seamlessly bridges Web2 users to Web3 through blockchain, leveraging advanced zero-knowledge technologies for privacy and security without compromising convenience.
Built on the high-performance AI layer 1 blockchain platform aelf, Portkey provides a smooth transition and an enhanced user experience, setting new standards in the realm of Web3 digital wallets.
Stay connected with the Portkey community at:
Website | X | Telegram | YouTube
