
How to Prevent Common NFT Scams


With NFT values skyrocketing, NFT scams are also more prevalent than ever. As with anything in crypto, it’s crucial you maintain proper opsec (operational security) to protect your funds.

Below are the best ways to prevent yourself from common NFT scams. By the end of this article hopefully you’ll always be wary of suspicious links and DMs. If you don’t have a hardware wallet already, do yourself a favor and get a Ledger or Trezor immediately.

At the end we’ll also go over some recent scams that happened to real people so you know exactly what to look out for. Sometimes it’s easy to overlook the importance of security unless we imagine ourselves losing everything to a scam or hack.

1. Be Careful About Clicking Links

You should always be cautious about clicking links someone sends you. Particularly if you don’t know the sender. But even if you do, you still need to be careful. Their account may have been compromised as well, or they may not have done their due diligence before sending it to you.

If you have to click on a link, hover over it first to see where the URL actually goes. Make sure it is spelled identically to the site you actually want to visit, and check that the ending (.com, .net, .org, .io, etc.) is correct. Ideally the link should also be served over https.

Scammers will often duplicate an entire website, such that it looks exactly the same as the original. The only difference will be the URL will be slightly off. For example, if the official page were “xyzNFT.com,” the fake one might be “xyzNFT.io.” If you don’t check carefully, you could easily end up connecting your wallet and minting on the wrong site.

Always double check the URL, and try to type it yourself instead of clicking if possible.
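The checks in this section (https, exact hostname spelling, correct ending) can be turned into a small allowlist checker. The example below is added here and is not code from the original article; the allowlist entry xyznft.com is a placeholder matching the article's made-up example, and the checker also flags the subdomain trick (the official name buried inside a longer hostname), near-miss spellings, and punycode lookalike domains.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the article's placeholder project, not a real site.
OFFICIAL_SITES = {"xyznft.com"}

def edit_distance(a, b):
    """Levenshtein distance, used to flag near-miss spellings such as 'xyznfts'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_mint_link(url, official_hosts=OFFICIAL_SITES):
    """Apply the article's link checks. Returns (ok, reasons); ok is True only for
    an https link to an allowlisted host (or a subdomain of one)."""
    reasons = []
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        reasons.append("not https (scheme is %r)" % (parts.scheme or "missing"))
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        reasons.append("no hostname in link")
        return False, reasons
    # Unicode lookalike letters survive in the hostname; IDNA-encode so they show up as xn--.
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        reasons.append("hostname is not a valid internationalised domain")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode hostname: likely homoglyph lookalike of a real site")
    for official in official_hosts:
        if host == official or host.endswith("." + official):
            return not reasons, reasons  # allowlisted; ok unless a problem was found above
    # Not allowlisted: explain how it differs from the official site so the trick is visible.
    name, _, tld = host.rpartition(".")
    for official in official_hosts:
        oname, _, otld = official.rpartition(".")
        if name == oname and tld != otld:
            reasons.append("same name as %s but wrong ending .%s" % (official, tld))
        elif official in host:
            reasons.append("official name %s buried inside %s" % (official, host))
        elif edit_distance(name, oname) <= 2:
            reasons.append("%s is a near-miss spelling of %s" % (host, official))
    reasons.append("%s is not an allowlisted site; type the official URL yourself" % host)
    return False, reasons
```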

2. Turn Off Auto Approve Transactions

Some wallets have a button to auto-approve transactions on connected platforms. For example, the image below is on the Solana wallet Phantom.

Even if you trust the connected site, you should always uncheck auto-approve transactions. If you leave it on, the connected app basically has full power to send and approve transactions from your wallet, without you even knowing. This is the easiest way for a fake website to steal your funds.

Many have called for the function to be removed as it’s simply too dangerous. Thankfully, Phantom recently tweeted that they intend to fully remove the feature soon. Until then, check to make sure it’s off for every site you’re connected to.

3. Use a Hardware Wallet

Hardware wallets like a Trezor or Ledger add an extra layer of protection to your wallets. They are the single best thing you can do to prevent yourself from needlessly losing funds. So many hacks and scams could have been prevented had the victims used a hardware wallet.

Both the Trezor and the Ledger cost around $100, which makes purchasing one a no-brainer if you have any meaningful amount of money invested in crypto or NFTs.

Even if you use a browser wallet like MetaMask, you can and should still connect a hardware wallet. Doing so will require you to physically press buttons on your hardware wallet before any transactions can be approved.

4. Watch Out for Impersonators & Direct Messages

Scammers frequently impersonate an admin, moderator, or other trusted authority figure to earn your trust. An example is pretending to be the Collab.Land bot on Discord. They often direct message you first to open up the conversation.

These scammers are on every social media platform. Keep an eye out on Discord, Telegram, and Twitter especially.

Impersonators will often reach out to you after you’ve posted you need technical help with an issue or in high-intensity moments like during an NFT mint. You know you only have a limited amount of time to mint, so you’re less careful and willing to hand over trust more easily.

This is precisely the time to take a step back and ask yourself if what’s going on makes sense. Would an admin of a high profile project really DM you first and hand hold you to help fix a technical issue? Maybe, but most likely not.

Just like how you should check the URLs of any links, make sure you double check the exact username of anyone who DMs you.

5. Do Not Download Suspicious Files

Downloading files sent to you by random people is one of the fastest ways to get hacked. These files are often keyloggers that track your typing, giving away your password. Other times they can be trojan viruses that install spyware on your computer.

6. Use a Burner Wallet for New Mints

Whenever you connect your wallet to a new platform / app, there’s a risk of smart contract vulnerability or accidentally leaving auto-approve transactions on. Many people have lost their entire account balance because they use their primary wallet for new mints.

The best practice is to create a new burner address for any new mint you participate in. If you lose that wallet, you’ll only lose whatever funds you deposited for the mint instead of your entire balance.

You can then transfer any NFTs back to your primary address, which is hopefully backed by a hardware wallet.

7. Avoid Screensharing

Screenshare technology allows another person you’ve permissioned to see your screen. Sometimes the other person can even take control of your screen. This is a tremendous amount of power to give someone, so avoid screensharing if at all possible.

Examples of Recent NFT Scams

OpenSea Impersonator Scam

Jeff’s story is a scary example of how good these scammers’ social engineering is, and how they take advantage of you when your emotions are high.

He received a DM in Discord from what looked to be an OpenSea employee, as the scammer had “| OpenSea” in their name and was answering questions.

The scammer led Jeff through a number of steps, including screensharing and resyncing his MetaMask wallet. The resync displayed his private QR code, which the scammers captured through the screenshare. They even convinced him to sign with his Ledger hardware wallet.

Remember, be wary of anyone who DMs you first. Avoid screensharing. Take a step back and ask yourself if what’s going on makes sense.

https://twitter.com/Ape_NFTs/status/1427699694919163913
Don’t think you’re above these kinds of social engineering scams. They may sound obvious in hindsight, but when you’re rushed or panicked it’s easy to get taken advantage of. Zeek (@Ape_NFTs), above, was a victim of the exact same OpenSea impersonation scam, as were many others.

Fake NFT Site Scam

The NFT scam above happened to Chase Devens, who actually works in the blockchain industry for Messari. He tried to participate in the AuroryProject NFT mint, but clicked a fake link his friend sent him instead of the official one. When he connected his wallet to the site, the scammers wiped his account clean because he had left the auto-approve transactions on.

Again, this highlights the importance of double and triple checking any links you click on, and why you should turn off auto-approve transactions. It’s also a reminder to mint with burner addresses instead of your primary one.

Interacting With Fake NFT Airdrops

@babbler_dabbler on Twitter lost his NFTs and believes it was the result of simply deleting malicious NFTs he’d been airdropped on OpenSea.

The victim believes the exploit is a result of malicious approval/transfer functions in the smart contracts of these airdropped NFTs.

However, some blockchain developers don’t believe this is possible. Interacting with airdropped NFTs alone cannot give the sender permission to empty your wallet. Instead, they believe the victim’s wallet was already compromised as a result of phishing or malware.

Still, the victim says he’s certain he hadn’t revealed his private keys anywhere. So while the loophole may never be identified, it’s best to err on the side of caution.

Do not interact with unidentified senders or smart contracts you’re unfamiliar with. If you’re airdropped random NFTs, you don’t have to open them, list them, or accept offers on them. Simply hide them from your profile on OpenSea and move on.

Conclusion

It’s always heartbreaking to read about people falling prey to scams. In this case, these NFT scams cost people hundreds of thousands of dollars. We can put some of the onus on service providers like OpenSea, Discord, MetaMask, or Phantom, but at the end of the day we’re responsible for ourselves. No one is there to save us, especially not in the decentralized economy that is crypto.

Take the steps outlined here to protect yourself from these common NFT scams. We’re only in the very early innings of the NFT game. Do your best to keep yourself in the game.
