Social Engineering Scams: The Red Flags and Lessons Learned. Guest post by Richard Sanders from Energi

 · 6 mins read

Scamspeak, and many other more sophisticated social engineering scams, have many red flags. In the previous article I gave a review on a classic scan scenario in social media.  Let’s dissect what you read above into key points to remember.


Scamspeak members would often create burner Telegram accounts to discuss their allocations in major project Telegram groups. They would often join these groups as a team of 2–3 people. If you notice 2–3 people (whom often recently joined) seeming to talk to each other, with a similar script — that’s a red flag. The Scamspeak group would select random images and create profiles that may appear legitimate to the untrained eye:

Mysteriously, “Kayla” was never on the Teamspeak. And a brief reverse image search proved this to be a catfishing account. Scamspeak often used male profiles, but the counter-tactic of a reverse image search, or asking for a LinkedIn, is a strong counter-measure to being social engineered out of your cryptocurrency.

 

Scamspeak would often ask a lot of personal information about victims, such as location, occupation, and portfolio. All of these things are easy to lie about in reciprocation, however, Scamspeak would never provide LinkedIns for obvious reasons. I’ll take this a step further and say that even providing a LinkedIn is not a surefire way to prove the individual is not a scammer, since a new profile or aged account could be purchased — but it’s often a sign of confidence. Put simply, Scamspeak leveraged rapport-building by being extremely friendly and “getting to know” victims — often discussing miscellaneous topics for hours to build trust with victims. A few hours of discussing sports or kids is quite worth thousands, or dozens of thousands, of dollars to criminals. A voice chat seemed convincing enough for hundreds of victims, but a voice chat is still not enough alone to associate an identity to someone in the event of a soured deal — without extensive resources. Scamspeak knew the method of a voice chat would deceive almost every would-be victim, and leveraged this. Unless you’ve got something to hold “the other end of the deal” accountable, such as a verified LinkedIn or other social media with history, website, etc — steer clear.

 

Scamspeak would often create artificial scarcity by suggesting their group was extremely exclusive , as they’d like to say, “quality over quantity”— and “if” you were accepted, you were very fortunate. This created a psychological need to impress and comply that victims often fell for. Scamspeak would often take this pressure a step further and create FOMO for projects they needed to fill allocations for — and implying you were the “make or break” for them to push forward with these allocations. If you’re the new person in a group, and the determining factor of whether or not they can fill in allocation — I’d suggest suspicion.

 

Reputable projects don’t deviate from their public statements on bonus percentiles and allocations. Scamspeak would often claim to be negotiating higher bonus percents, faster distribution, or other exclusivity with their allocations. If a project says it’s a private sale for accredited investors only — and no pools are allowed — that is the policy. Many reputable projects have this policy on their website and Telegram pinned message, clearly stated, to avoid this type of social engineering on their community.


Scamspeak would never interview, or have multiple victims, in their server at once. Every reputable ICO investment pool/community has a public channel for community members to interact with each other. Victims were segregated from each other by Scamspeak for obvious reasons — no other voice of doubt in the room provides no room for doubt to be discussed. To combine this point with the point of anonymity/identifiable partners discussed above, I’ll use ICO Syndicate as a case study — while the team is partially anonymous/pseudonym-based, they have a strong and large public-facing community, and a strong history of investment in projects with no issues of distribution to clients. Bottom line: if you can’t identify the “other end of the deal,” interact with other clients, or see a clean record for the “other end of the deal” — don’t risk it.

 

Some Other Red Flags

  But wait, there’s more!

 

Outside of Scamspeak, there are still some red flags to be aware of.

As discussed above, if there is no community or way for the general public to interact with each other, be wary. I have observed a growing trend of Telegram announcement-only channels, where the only communication you’ll have might be with one of the team members — if even that. These ANN channels often have no associated website and only have a Telegram channel. As per the points above — you can’t identify “the other end of the deal” or see a track record. Avoid these.

 

Reputable projects have stringent and firm requirements for KYC/AML, and are in full compliance of GDPR. If you’re not asked for documentation for a project that requires this documentation, avoid the “investment.” Many social engineering scammers are aware of this red flag, and are attempting to circumvent suspicion by “whitelist forms” often hosted on Google Forms or Telegra.ph — and not the domain of the project itself. I’ll let you draw your own conclusions as to whether or not these platforms are in security compliance and a project would do that- protip, they wouldn’t.

 

A healthy level of objective due diligence and preparation through education and preventative measures should be the cornerstone of your strategy, regardless of whether you’re brand new to cryptocurrency or the CEO of a major ICO. It would be impossible to cover every cryptocurrency security topic due to the amount of topics to cover and my current case load, however, if you’d like an individual consult — whether you’re an investor or with a project, it can now be arranged.


Put simply — if you have doubts, ask! A negligible amount of time (or even money) to do your own research or get the opinion of someone with expertise is well worth it — this time (or capital) is likely a fraction of what you stand to lose. No legitimate investment opportunity is going to come up, spur of the moment, and rapidly vanish because you needed some time to make an informed decision.