Security Best Practices
Common Scams in the NFT Space
In most cases, when you hear about a 'hack' it is a misnomer, and what is meant is a scam rather than an exploit. It is easy to think that you will never be a scam victim, yet scammers have sophisticated schemes that are set up to look like the real deal. The scams mentioned here are not exhaustive; these are just the most common. Scammers are constantly looking for sophisticated ways to take away your valuable assets.
There are three key types: Trading, Social Media, and Seed Phishing.
Trading Scams
Fake Trading Links: Replicating a website is relatively easy, and scammers have taken advantage of this. The scam is popular when dealing with p2p platforms such as NFTTrader or SudoSwap. After agreeing on a trade in DMs, the scammer sends a fake link. Usually, it involves a misspelling of the correct website or an incorrect domain. When the victim clicks the link, it takes them to a fake website that looks and feels like the real one. The website prompts the user to sign a malicious transaction in which the NFT is transferred to the scammer. Tip: Never click on links in DMs; NFTTrader and SudoSwap do NOT use links anymore. You simply log in and check under pending trades or enter the trade code.
Fake Support: This scam typically starts with the scammers claiming they have issues completing the trade you agreed on. After a while, the scammer suggests bringing support, such as an NFTTrader team impersonator or someone impersonating a mod. The scammers may even do a voice chat with the victim to gain their trust. Once they have the victim’s trust, they will either persuade the victim to send their NFT to a fake escrow account or provide a fake link to sign a transaction signing their NFT away to a scammer. Tip: Never trust anyone in your DMs. It’s easy to impersonate people.
Social Engineering: This is a straightforward scam. After building trust with the victim, the scammer will offer to complete a trade by doing a manual swap: “Send me the NFT first, and I’ll send you the ETH as well.” The scammer then never sends the ETH, or sends a transaction with very low gas to pretend they are sending it, and the transaction never goes through. If doing an NFT swap, scammers have also tried to ask victims to list the NFT in a private sale on OpenSea at 0.01 ETH, and they’d list their NFT at a similar price for the victim to purchase. Tip: Only use secured platforms to trade. Never send your NFTs to someone else.
Trading stolen assets: This may not be a scam, but it is something to be aware of when trading. If an asset is stolen, the victim has the right to report the NFT on OpenSea, and their response is typically to freeze the asset, which becomes unavailable for trading on that platform. Scammers holding these frozen NFTs will try to offload them on other platforms such as NFTTrader, LooksRare or Rarible, leaving the victim with an asset that cannot be traded on OpenSea. Tip: Always check the NFT on OpenSea before buying.
If you are new to the NFT space or don’t feel comfortable using p2p platforms, stick to OpenSea.
Seed Phishing & Other Scams
Token Airdrop Scam: Most of us have received ERC-20 or ERC-721 tokens as airdrops. Many of these airdrops are phishing attempts. The victim typically receives the NFT and starts investigating what it is. The scammers include subtle info such as a website or a discord link where the victim joins and is prompted to transact. This transaction involves a phishing attempt by having a fake Metamask interface or producing a malicious transaction. Tip: Do not interact with airdropped tokens or NFTs.
Impostor Discord Server: Scammers love DMs, and in this scam, they send the victim an invite to a popular discord such as BAYC, Cool Cats, or Lara Labs. The invite directs to a fake Discord full of bots and victims. The victim is taken to a channel where they are asked to verify by typing !join or another verification function. The victim then receives a DM by a fake bot account and is directed to a website with a bogus Metamask pop-up asking for the victim’s seed phrase. Tip: Only join discords presented to you on official websites or Twitter accounts.
Fake Verification Process: Similar to the Impostor Discord Server scam. Bad actors constantly lurk on Twitter and Discord. They prey on users trying to verify their NFTs. They typically send DMs offering help to unsuspecting victims and send them fake links that request sensitive information. Many times they use bot accounts that look and feel real. Tip: Most servers no longer have a verification process via DMs.
Fake Giveaway: Like the Impostor Discord Server scam, scammers send fake giveaways via DMs that prompt users to share sensitive information. Tip: Do not blindly trust giveaways. Only participate in giveaways announced on official channels.
Google Ads: Scammers have taken advantage of Google ads and created fake OpenSea websites. Victims have tried to access OpenSea by using Google’s search engine and clicking on the first website that pops up. Unfortunately, this phony website prompts users to enter the seed in a fake Metamask pop-up. Tip: Bookmark essential websites and access them through there.
setApprovalForAll: Scammers have been convincing victims to use the setApprovalForAll call on Etherscan. In some instances, scammers convince victims that this function is needed to delist an NFT. In other instances, scammers act as fake support and trap victims into using this function. Scammers ask the victim to set a specific address they control as the operator, and in turn the victim gives the scammer the ability to spend/steal every NFT the victim holds in that specific contract. In essence they can steal your tokens if you end up using the setApprovalForAll shown in the image below. Tip: Unless you truly understand how to interact directly with a contract, stay away from functions you do not recognize/understand.
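As an added example (not part of the original guide, and not a tool from any platform named here), the Python script below replays a wallet's ApprovalForAll logs, in the shape an Ethereum node returns them from eth_getLogs, and reports any operator that is still approved but is not on an allowlist you keep yourself; the event topic hash is the standard ERC-721/ERC-1155 one, while the wallet, operator addresses and log entries are constructed.

```python
# Added example (not from the original guide): replay ERC-721/1155 ApprovalForAll
# logs for a wallet and flag operators still approved but absent from your own
# allowlist. Every address and log entry here is constructed for illustration.
# keccak256("ApprovalForAll(address,address,bool)"): topic[0] of the standard event
APPROVAL_FOR_ALL_TOPIC = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"
MY_WALLET = "0x" + "11" * 20          # constructed victim wallet
MARKETPLACE = "0x" + "a1" * 20        # constructed: a contract you knowingly approved
SCAM_OPERATOR = "0x" + "bad0" * 10    # constructed: the address a "delist" scam asked for
KNOWN_OPERATORS = {MARKETPLACE}       # your own allowlist of deliberate approvals

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes in a topic; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def parse_approval_for_all(log):
    """Decode one eth_getLogs entry into (owner, operator, approved); None if another event."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0].lower() != APPROVAL_FOR_ALL_TOPIC:
        return None
    approved = int(log["data"], 16) != 0   # the bool is ABI-encoded as one 32-byte word
    return topic_to_address(topics[1]), topic_to_address(topics[2]), approved

def current_operators(logs, owner):
    """Replay events in chain order; a later approved=false revokes an earlier approval."""
    active = set()
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        decoded = parse_approval_for_all(log)
        if decoded is None or decoded[0] != owner.lower():
            continue
        _, operator, approved = decoded
        (active.add if approved else active.discard)(operator)
    return active

def unknown_operators(logs, owner, allowlist=KNOWN_OPERATORS):
    """Operators that can move every token of `owner` in this contract but are not allowlisted."""
    known = {a.lower() for a in allowlist}
    return {op for op in current_operators(logs, owner) if op not in known}

def make_log(block, index, owner, operator, approved):
    """Build a constructed log entry in the shape eth_getLogs returns."""
    pad = lambda addr: "0x" + addr[2:].lower().rjust(64, "0")
    return {"blockNumber": block, "logIndex": index,
            "topics": [APPROVAL_FOR_ALL_TOPIC, pad(owner), pad(operator)],
            "data": "0x" + ("1" if approved else "0").rjust(64, "0")}

SAMPLE_LOGS = [                                           # constructed history for MY_WALLET
    make_log(100, 0, MY_WALLET, MARKETPLACE, True),       # deliberate listing approval
    make_log(250, 3, MY_WALLET, SCAM_OPERATOR, True),     # approval granted during the scam
    make_log(260, 1, MY_WALLET, MARKETPLACE, False),      # marketplace approval later revoked
]
```

Any address reported by unknown_operators(SAMPLE_LOGS, MY_WALLET) is one the wallet should revoke by calling setApprovalForAll(operator, false) on that contract.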
Fake Mint Scam: Scammers take advantage of victims’ feelings, and a very powerful feeling is FOMO. Scammers send out a fake minting website that prompts users to sign transactions. In the rush to mint, victims end up signing transactions that send ETH to the scammer’s wallets, and at times victims are also prompted to sign token approvals such as the setApprovalForAll scam mentioned above. Tip: Always obtain your information from official sources and read carefully what you are signing. Never mint from links in DMs.
Hijacked Discord Announcements: As discussed in the social media scam section, discord admins may have their log-in info compromised, and hackers may take over a discord server. Always be wary of announcements posted by bots in Discord. These scammers have taken over discord servers and announced fake mints in the past. Victims either mint fake NFTs or sign a transaction transferring ETH to the hackers, thinking it’s a real minting opportunity. In recent attacks, scammers have combined this scam with the setApprovalForAll scam mentioned earlier. Tip: Stay informed about relevant events in your community, and do not trust bots posting announcements.
Social Media Scams
The NFT space is still a relatively small community in which we know each other and, in a way, trust each other. We should be wary of impersonators and hacked accounts. Keeping your social media accounts secure is a must to avoid getting phished or hacked.
Discord Server Ban: Recent scams have targeted high-ranking mods in popular servers, but anyone can fall into this scam. A scammer will find a way for the victim to get banned from a discord server, typically by convincing that server that the victim was doing a fraudulent transaction. Once the victim is banned, the scammer will reach out to “help” them get unbanned. The scammer will ask for proof that the victim was involved in a scam. The scammer will try their best to get the victim to share their screen. Once the screen is shared, the scammer prompts the victim to do a specific command that exposes sensitive account information. With this information, the scammer takes over the account. The damage can range from scamming other victims using the hacked account to taking control of a discord server in which the hacked user is an admin. Tip: Never share your screen with anyone. 2-factor authentication does not prevent this scam.
Social Media Log-in Phishing: This phishing scheme is not specific to the NFT community but has targeted it. It can involve receiving phishing e-mails that claim a social media account has been compromised and prompt the user to verify using their log-in info. Another method of log-in phishing consists of a giveaway in which, to participate, the user needs to enter their log-in credentials. Tip: Be wary of fake log-in prompts.
Always use 2-factor authentication on your social media accounts. Although it is not a perfect solution, it decreases the chances of having your credentials hacked.
Credit: @PPMan
Conclusion
MAKE SECURITY YOUR NUMBER ONE PRIORITY.