Ice Phishing: How to Protect Yourself from Web3 Scams
Ice phishing is a cyber attack wherein fraudsters manipulate you into signing a transaction that triggers the transfer of funds from your cryptocurrency wallet to their own.
Unique to the Web3 sector, ice phishing differs from traditional phishing in that it doesn't coax out confidential information like passwords or private keys. In this kind of attack, malefactors need not create fake websites or company social media pages that pose as official ones. They can simply set up a new project to use as bait.
Ice phishing is quite prevalent. This can be partly attributed to the user interfaces of cryptocurrency wallets, which do not disclose full information about the smart contracts users interact with, leaving those users exposed to potential risks. Meanwhile, many Web3 users struggle to differentiate between a trustworthy cryptocurrency project and a scam, making them susceptible to deceit.
What are the mechanics behind ice phishing?
To carry out an ice phishing attack, the scammer needs to create a malicious smart contract and obtain the user's approval for the transfer of tokens. Once that approval is given, a transaction is executed automatically, moving the funds from the victim's address to the fraudster's.
The cybercriminal conceals the malicious smart contract behind websites that require wallet connectivity approval. People are usually enticed to such platforms with offers of free tokens and lucrative rewards.
For example, a scammer might circulate a link on social media to a so-called airdrop, in the hope that users will click on it and unwittingly fall prey to their scheme.
This strategy aims to draw in a large number of users. Hackers collect approvals over a considerable period and then siphon off digital assets from all the associated addresses simultaneously.
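The approval step described above is visible in the calldata of the transaction before it is signed, even when the wallet interface does not spell it out. The following is an added example, not code from the original article: it decodes the standard ERC-20/ERC-721 approval calls and rates them. The function name `inspectCalldata`, the risk labels, the 2^255 threshold and the sample spender address are assumptions made for illustration.

```javascript
// Added example. Selectors are the first 4 bytes of keccak256 of the
// standard ERC-20 / ERC-721 function signatures.
const APPROVAL_SELECTORS = {
  "095ea7b3": "approve(address,uint256)",
  "39509351": "increaseAllowance(address,uint256)",
  "a22cb465": "setApprovalForAll(address,bool)",
};

// Classify the calldata of a transaction a dApp asks the wallet to sign.
// Assumption: approve() targets an ERC-20 token; ERC-721 shares the
// selector but carries a token id in the second word.
function inspectCalldata(data) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  if (hex.length < 8 || !/^[0-9a-f]+$/.test(hex)) {
    return { risk: "unknown", reason: "no readable function selector" };
  }
  const signature = APPROVAL_SELECTORS[hex.slice(0, 8)];
  if (!signature) return { risk: "none", reason: "not a token approval call" };
  const args = hex.slice(8);
  if (args.length < 128) {
    return { risk: "unknown", signature, reason: "approval call with truncated arguments" };
  }
  // Word 1 holds the spender/operator address in its last 20 bytes;
  // word 2 holds the amount (or the boolean flag).
  const spender = "0x" + args.slice(24, 64);
  const value = BigInt("0x" + args.slice(64, 128));
  if (value === 0n) {
    return { risk: "none", signature, spender, reason: "zero value: revokes or grants nothing" };
  }
  if (signature.startsWith("setApprovalForAll")) {
    return { risk: "high", signature, spender, reason: "operator may move every token in the collection" };
  }
  // Assumption: anything at or above 2^255 is treated as an unlimited allowance.
  const unlimited = value >= (1n << 255n);
  return {
    risk: unlimited ? "high" : "medium",
    signature, spender, amount: value,
    reason: unlimited ? "unlimited allowance for spender" : "limited allowance for spender",
  };
}

// Constructed sample: unlimited approve() to a made-up spender address.
const word = (h) => h.padStart(64, "0");
const SAMPLE_SPENDER = "deadbeef".padStart(40, "0");
const SAMPLE_UNLIMITED = "0x095ea7b3" + word(SAMPLE_SPENDER) + "f".repeat(64);
console.log(inspectCalldata(SAMPLE_UNLIMITED));
```

A "high" result means the spender address could later move tokens without any further signature, so that address is the one to look up in a block explorer before signing.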
Defending against ice phishing: How to protect yourself?
Before integrating your crypto wallet with a DeFi app or any other dApps, it's essential to undertake a thorough investigation of the project. Blockchain explorers, such as Etherscan, can assist in validating the security of a platform. They offer transaction histories, pieces of the platform's code, current status, audits, and more.
Additionally, use a block explorer to inspect the smart contract. Ensure your address is correctly recorded, and no unauthorized addresses are present. It's also important to verify that the smart contract has been audited by a reputable blockchain cybersecurity firm.
Carefully examine any Twitter accounts that offer airdrop links before clicking on them. There is a constant risk of accidentally engaging with a deceptive duplicate of a well-known project that is being used for ice phishing. Furthermore, the accounts of high-profile individuals and companies are frequently targeted and compromised to carry out these attacks. Therefore, wait for additional posts or news from the account before taking action.
In a nutshell, invest time in verifying the project's, website's, social media page's, and smart contract's legitimacy and reliability. Otherwise, you risk losing your accumulated tokens to haste and the allure of easy profits.