NFT #2 | Scams Explained to Protect Yourself as Scammers see New Frontier

NFT Scams | Most Common Cases | Tips

By X⎻iO member of NFT Talents & Untitled-INC Token Economy Experts

What is this all about?

There’s exciting news sitting among your direct messages or emails. Once you open it, your digital wallet is likely to end up empty. How come? Let us lift the lid on the most common NFT scams.

Scams have always been a significant threat to any sort of investment or business. In May 2021, millions of Americans experienced first-hand the damage of cybercrime. Malicious software gained access to the password of one employee of the Colonial Pipeline, which provides about 45% of the oil supplies to the east coast of the US. This presumably happened through phishing emails. The cost escalated from 4.4 million into the billions for shutting down the whole infrastructure for a week. It is by far the most expensive phishing attack ever seen.

NFTs are no exception. As we move into Web3, the flaws do not necessarily lie in the technology itself, but in the naivety of many of us entering the space without much information. Many consumers are afraid and never give it a try; others are discouraged or even traumatized by a bad experience. I think keeping ourselves informed is key. Therefore, scam techniques are probably the first things you should know before digging into the topic of NFTs. More often than not, you can catch scammers if you know what to look for. We will explore this in more detail now.


1. Phishing with a long-known trick: Emails

Phishing is undertaken through multiple channels, including email, mobile, social media, and phone calls. Most phishing attacks share common characteristics of an urgency to act or an impersonation of an individual or brand. Attacks will often leverage current topics to increase the likelihood of a victim taking the lure.

MetaMask is one of the most popular crypto wallets and a gateway to blockchain apps, giving you access to buy, store, send, and swap tokens on many platforms. Once you register, you will be given a 12-word phrase called a seed phrase, which is exactly what scammers are looking for.

Below is a typical email phishing sample asking for verification, which MetaMask itself published on its social channels to raise awareness.

metamask tweeted on scam awareness

2. Tinder → Crypto Roms

Bulgaria-based Cyber Forensics calls these new-age romance crypto scammers “CryptoRoms.” The fraudsters manipulate their victims with love and seduction into transferring their tokens to strange third-party applications and then ditch them afterwards.

Cyber Forensics reported a recent scam involving $277,000. The victim thought that it was a serious romantic connection, but it turned out to be emotionally manipulative tactics to gain access to the victim’s personal and financial information. Here are the different ways Tinder crypto fraudsters operate.

  • “Tinder verification” on a particular app, where you are asked to enter personal and financial information, which is what the scammers need to get into your crypto wallet.

  • Catfishing: fake profiles posing as women establish emotional connections and promise nudes, but drain your wallet. Good for ‘her’: a kinky job with a clever move.

Rule #1, never share your seed phrase, even if you are falling ‘in love’.

3. Discord Bot | Channels | Direct Messages

Discord, along with Twitter, Reddit, and Slack, is popular in the crypto space. Once you join the projects’ channels, you will receive links from people pretending to be one of the founders, urging you to click on them. However, no project will send you a direct link to mint an NFT. To be safe, make sure you read the channel dedicated to guiding you on what NOT to do, and follow the project’s official social media to be aware of possible scams.

Hackers took phishing to another level by exploiting Discord bots on popular NFT projects and persuading users to click on malicious links. One wrong click can cause irreversible damage to individual earnings, and a hijacked Discord server can pose a threat to a large audience.

Many Discords have been hacked. The attackers make themselves administrators through webhooks and post a fake minting link in the Announcements channel.

BAYC discord channel on avoiding scams

Most projects even suggest turning your DMs off, as they will never approach you with a promotional link to click on. Another way to avoid this type of scam is to follow and check the official support accounts of wallets and platforms and to keep yourself informed.

4. Customer Support NFT scams

Scammers are usually faster and more reachable than official support channels ;). As soon as issues come up during minting, scammers jump in to help under customer support accounts. As seen below, one Adidas fan asked the entire community if the DM received was a scam or real. It turned out to be a scam. Scam exposures like this can raise awareness among the Adidas team and community and thus reduce damages.

Scammers offering customer support during minting issues

5. Fake NFT Airdrops, Giveaways & Stealth Drops

When a new collection of NFTs is released, members of the white list or active community members are entitled to free limited edition or promotional items known as giveaways. NFT Airdrops are digital assets distributed among members’ wallets for free in return for any sort of marketing effort. The ultimate goal is to add additional value or draw attention to the brand by promoting awareness and circulation of the new project.

Scammers will use free airdrop events with posters, QR codes, or links to promote within a community. When users enter the website and give approval to receive airdrop tokens, scammers get permission to make transfers and to manipulate assets easily.
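The approval described above reaches the wallet as a transaction whose data field names the function being called, so it can be inspected before signing. The following is an added example, not part of the original article: it classifies that data using the `approve` and `setApprovalForAll` selectors from the ERC-20 and ERC-721 standards, and the sample calldata and address in it are constructed.

```python
# Added example: classify a transaction's data field before signing it.
# Selectors are the first 4 bytes of keccak256 of the ERC-20 / ERC-721 signature.
APPROVAL_SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}
MAX_UINT256 = 2**256 - 1

# Constructed sample: the kind of request a fake airdrop page hands to a wallet.
SAMPLE_OPERATOR = "0x" + "11" * 20  # constructed address, not a real indicator
SAMPLE_CLAIM = "0xa22cb465" + "00" * 12 + "11" * 20 + "00" * 31 + "01"


def classify_calldata(data_hex: str) -> dict:
    """Report what signing this calldata would grant, and to whom."""
    raw = data_hex.lower()
    if raw.startswith("0x"):
        raw = raw[2:]
    try:
        payload = bytes.fromhex(raw)
    except ValueError:
        return {"risk": "malformed", "reason": "data is not valid hex"}
    sig = APPROVAL_SELECTORS.get(payload[:4].hex())
    if sig is None:
        return {"risk": "none", "reason": "not an approval call"}
    args = payload[4:]
    if len(args) != 64:
        return {"risk": "malformed", "reason": sig + " takes two 32-byte words"}
    # An ABI-encoded address is right-aligned in its 32-byte word.
    grantee = "0x" + args[12:32].hex()
    value = int.from_bytes(args[32:], "big")
    if sig.startswith("setApprovalForAll"):
        if value == 0:
            return {"risk": "none", "reason": "revokes an operator", "grantee": grantee}
        reason = "operator may transfer every NFT you hold in this collection"
        return {"risk": "high", "reason": reason, "grantee": grantee}
    if value == MAX_UINT256:
        reason = "unlimited ERC-20 allowance"
        return {"risk": "high", "reason": reason, "grantee": grantee}
    # Second word is an amount (ERC-20) or a token id (ERC-721).
    reason = "spender gains a bounded allowance or one token"
    return {"risk": "medium", "reason": reason, "grantee": grantee, "value": value}


if __name__ == "__main__":
    print(classify_calldata(SAMPLE_CLAIM))
```

A "claim" that decodes to a high-risk approval for an address you do not recognise is granting access, not receiving tokens.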

Rule #2, do not click on or open files received by direct message.

6. iCloud Backup

Storing seed phrases with iCloud’s automatic MetaMask wallet backup keeps your keys online, where they are susceptible to hackers. To that end, here is a warning from the official MetaMask account (@MetaMask):

metamask warning tweet on iCloud backup

7. Hardware Wallet

Even hardware wallets like Trezor or Ledger are vulnerable once they are connected to the internet and used for transactions. In addition, rogue actors at e-commerce partner Shopify exposed 20,000 new Ledger customer records, including emails, names, postal addresses, and phone numbers. Scammers are sending fake replacement devices to the exposed Ledger customers: devices designed to steal cryptocurrency wallets.