What is spoofing?
Spoofing involves hiding or disguising identity to enable malicious activity: the malicious party impersonates someone else so that they appear believable and trustworthy.
Fraudsters often use this method in tandem with the closely related practice of phishing, through which they attempt to obtain personal information from you directly. Hand in hand, these two methods can easily deceive, and the sophistication of these hacks has grown in step with the popularity of crypto and digital assets, with ever more potential victims entering the Web3 space.
What could a spoofing attack look like?
A spoofing hack will target your Secret Recovery Phrase (also known as a seed phrase), as this can be used to restore your wallet and will provide a hacker with access to your private keys and the wallet's contents. MetaMask is a self-custodial wallet, meaning you are responsible for keeping your secret recovery phrase secure.
In practice, a classic spoofing attack on your MetaMask wallet could go something like this:
- You ask MetaMask a support question in reply to a tweet. (n.b. this is inadvisable — always use our official channels, found here.)
- A malicious account (potentially a bot, or at least using a bot to scope you out) identifies you as a target because you need MetaMask support, and replies to your tweet or sends you a DM. The account will be configured to resemble an official MetaMask support channel and could include our fox logo, a vaguely convincing Twitter handle, and content and replies that read professionally. Another approach could be for the attacker to pose as a MetaMask support engineer, even including a headshot and name.
- Using their spoofed identity, the bad actor will rely on you believing that they are an official MetaMask support channel/engineer and talk you into handing over your Secret Recovery Phrase or private key(s) to resolve your problem. For example, if your issue was a slow or pending transaction, they may offer to look into the issue but request your secret recovery phrase to do so.
- With their hands on your secret recovery phrase, the bad actor can access your private keys and drain your wallet of funds to their chosen address.
This scenario is just an example, and similar events could play out across any social media platform, messaging service, forum, or otherwise on which you share information publicly.
How can I protect myself from spoofing attacks?
Whilst using MetaMask to engage with Web3 ecosystems such as the world of DeFi can be rewarding and exciting, you need to maintain constant vigilance. Golden rules for preventing and identifying spoofing include:
- Remember: MetaMask will never contact you outside of our support channels, accessed through our help center. Anyone asking you for contact information, your secret recovery phrase or details of your support issue outside of these channels is a potential scammer and should be ignored and/or reported.
- Be vigilant. If it looks like it might be a scam, it probably is. Always be observant and keep a lookout for suspicious, telltale signs. These could include:
  - Requesting personal information, including anything from your name, the value of your wallet's holdings, or even your private key, which you should never, ever give to anyone.
  - Unofficial-looking Twitter handles using underscores, doubled-up letters, and numbers to mimic official accounts (i.e. @MetaMask).
  - Requests to reach out for support, get in touch, or send a DM.
  - Unprofessional language.
Most importantly, KEEP YOUR SECRET RECOVERY PHRASE SECURE, and do not hand it out regardless of how convincing the person/entity may be.
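The handle tricks listed above (underscores, doubled-up letters, numbers) can be checked mechanically. The following is an added example, not MetaMask code: a small triage function that reduces a handle to a "skeleton" and compares it with the official @MetaMask handle. The digit mapping, the function names and the sample handles are assumptions constructed for illustration.

```python
import re

OFFICIAL = "MetaMask"  # the official handle named in the article

# Digits commonly swapped in for similar-looking letters (constructed mapping).
DIGIT_SWAPS = str.maketrans("013457", "oleast")


def skeleton(handle: str) -> str:
    """Undo the three tricks from the article: underscores, digits, doubled letters."""
    h = handle.lstrip("@").lower()
    h = h.replace("_", "")               # underscores used as padding
    h = h.translate(DIGIT_SWAPS)         # digits standing in for letters
    h = re.sub(r"\d", "", h)             # any remaining digits are padding
    return re.sub(r"(.)\1+", r"\1", h)   # collapse doubled-up letters


def classify(handle: str, official: str = OFFICIAL) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for a handle."""
    # Handles are compared case-insensitively; only an exact match is official.
    if handle.lstrip("@").lower() == official.lower():
        return "official"
    # A different handle whose skeleton still contains the brand is suspicious.
    if skeleton(official) in skeleton(handle):
        return "lookalike"
    # Limitation: letter substitutions such as 'MetaMusk' are not caught here.
    return "unrelated"


def triage(handles):
    """Return only the handles that imitate the official one."""
    return [h for h in handles if classify(h) == "lookalike"]


if __name__ == "__main__":
    # Constructed sample handles, not real accounts.
    samples = ["@MetaMask", "@MetaMask_", "@M3taMaskk",
               "@Meta_Mask_Support1", "@ethereum"]
    for s in samples:
        print(f"{s:22} {classify(s)}")
```

An exact handle match says nothing about the display name or avatar, which anyone can copy; the check only covers the handle itself.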