The worst scenario for any MetaMask user is to lose their funds. And yet, phishing for Secret Recovery Phrases (SRPs) in order to steal funds is a persistent and, unfortunately, successful threat within the ecosystem. From within MetaMask, we’ve established the reduction of Funds Loss Incidents, or FLIs, as one of our primary goals.
Based on data gathered from customer support tickets, the primary cause of FLIs relating to SRP problems is users getting hooked by phishing scams.
As MetaMask works to improve the fidelity of insight into the figures around FLIs due to phishing scams, the present study seeks to understand where, how, and why users leave the safe path and end up getting tricked by these phishing scams. Our fundamental findings could be summarized as follows:
MetaMask’s users are utilizing Web2 trust signals to assess whether a Web3 entity is trustworthy or not. These Web2 trust signals (verified status, follower count, profile picture, etc.) do not adequately map to how much trust an individual can place in a given Web3 entity, project, or token. The stakes in Web3 are different, and in many cases, higher.
Research Performed: User interviews
An analysis was performed on 70 Customer Support tickets, and 7 users were interviewed following a standardized question guide. These questions included general questions establishing the user’s area of interaction within the Web3 space, some limited qualitative questions about the user’s journey into Web3, and a series of questions specifically focused on the user’s understanding of, and experience with, SRPs, phishing, and the support process. The questions which yielded most of the key insights were:
When your SRP phishing incident took place, could you walk us through exactly what happened?
How do you now know which projects or tokens to trust?
What was compelling about the phisher?
User Quotes Pertinent to SRP Phishing
“I got a message on Instagram from a person claiming to know a lot about crypto who sent me this YouTube video with advice on coins, tokens, what to buy…”
“Well, the website actually looked fairly nice. That's the thing, like it was well designed, it looked good, and also on their social media and Discord.”
“So I asked the community manager of the Twitter Nickelodeon NFT page to help me to resolve it, and he sent me this link to resolve… on this page I've written my private key... I think the problem starts here…”
How are our users getting SRP phished?
With MetaMask being the gateway to a whole world of dapp interactions, our interviews confirmed the fact that users sign up and use MetaMask for greatly varied purposes. To name a few, our interviewees are interested in buying and selling cryptocurrencies, staking, NFT drops, exploring Web3, swaps, using MetaMask as a transfer wallet, and holding gaming tokens. While the breadth of our interviewees’ activities provided valuable insights into behavior, the variety of interactions mentioned by our users speaks to the complexity involved in ensuring that they have the right tools and mental models around keeping themselves safe.
Users get tripped up and scammed in a variety of ways. Some examples include gamers listening to popular Twitch streamers pointing them to a bogus project, NFT enthusiasts actively engaging with projects on Twitter that request “KYC” information via their SRPs, and Discord servers that lead users to scam project websites with lots of engagement on social media platforms such as Instagram and YouTube.
This information led us to ask ourselves: “What is the common thread across all of these user journeys: at what point do they get fooled, and what might they be thinking at the time?”
The first obvious insight is that education needs to play a larger role within the app and extension’s onboarding process. This insight correlates to user research previously performed by the MetaMask UX team. Interestingly, all interviewed users claimed to have had a seamless and easy onboarding experience all the way from download through wallet creation -- yet they still managed to give their SRPs to phishing scammers.
Web2.0 Trust Signals Applied to Web3.0
Looking at each of these scam scenarios further upstream in their respective user journeys, we noticed that these phished users were using Web2.0 trust signals to attempt to determine whether a Web3.0 project was trustworthy or not. Though these trust signals and mechanisms work well in Web2, these same signals do not adequately map to how much you can trust an entity in Web3.
“They (the scam) had engagement, but like I said, obviously, being a beginner I couldn't tell the difference between real engagement or fake engagement, so all they had was fake engagement which I later found out after you know the damage was already done…”
Here are some examples of Web2 trust signals that leave users vulnerable to phishing attacks:
Checking follower count
Checking how many group chat members there are
Seeing how active the group chat or server is
Checking to see whether profiles are verified
Looking for a profile picture
Visually appealing website design
Seeing who and how many people shared a project
And more…
It was at these points in our users’ journeys, outside of the MetaMask experience, that users were convinced they could shift from skepticism to trust. From an emotional perspective, we also found that before getting phished, users tend to cycle between excitement at the prospect of discovering new projects and fear of not knowing whether they have enough knowledge to navigate Web3 adequately and safely.
Web 2.0 Social Trust Signals, a Double-Edged Sword
While phishers use these trust signals to fool our users into believing they are trustworthy, it is critical to highlight that these same traditional social platforms provide users with trustworthy information, as well. “Seasoned” users who have been scammed in the past continue to use Twitter, Discord, YouTube, Twitch, and other social platforms to discover new projects and learn more about whether an entity is trustworthy or not. However, these “seasoned” users apply more discretion by forming group chats among close friends, following YouTubers who are developers of successful Web3 projects, and cross-referencing existing phishing lists such as rugdoc.io.
Not all social behavior online works against the safety and security of Web3 users - but the space is in need of more appropriate trust signaling in order for users to go about keeping each other safe.
Based on the data, a culture and practice of doing due diligence and broadcasting worthy crypto projects already exists among these users:
“I even personally reach out to these trusted developers on Twitter so that they can review contracts for me…”
Social Safety Research
Having established that MetaMask users were relying on interactions with other users, social channels, content creators, and projects to determine trust in a Web3 entity, we decided to interview an additional set of 6 users with more targeted questions around the broader theme of: How do our users utilize social tools & activity to keep themselves (tokens + identity) safe?
The questions which yielded most of the key insights were:
How do you personally keep safe in dealing with your crypto?
How do you now know what projects / tokens to trust?
(If at all) What do you currently do with the community to keep your tokens safe?
The findings around these questions similarly yielded insights that spoke to how our users utilize social tools and trust signals to evaluate whether a Web3 entity can be trusted.
“With online friends we talk about with each other what they do with their crypto, what they invest in, and ask questions and if it’s a good idea… We talk on WhatsApp and Discord.”
The key differentiator in insights gleaned from this set of questions had to do with some users who benefitted from engaging in “reciprocal” or “Long-Game Relationship” behavior, where trust was built over time through a repeated set of “give and take” interactions between users and other users, projects, community managers, etc.
“When I interact with NFT projects on Twitter, I check to see if it’s a verified account and if they have a website, but they also solicit ideas from us (users) to create a better community. I tell them that I have certain requests on what I’d like them to add to the game and they tweet back at me.”
Though even long-term reciprocal interactions can still leave users vulnerable to phishing and attacks, it would take a far more costly and complex phishing scheme for scammers to effectively fool users repeatedly over time.
Building a Safer Future
MetaMask continues to help its users stay safe by improving its tracking of safety metrics, its testing of new education methods, and the warning and safety flows within the app experience. In parallel, we are working to maintain awareness within our team of the reality that users get tricked, outside of the app experience itself, into thinking they can engage with and trust fake Web3.0 entities.
The original version of this research was composed by Javi Ocampo.