How to Avoid NFT Scams: The 10 Commandments to Protect Your NFTs
by Christian Hardy
Never has security for your NFTs and crypto wallets been as important as it is right now. Sure, you’ve probably heard about the importance of safely storing passwords and getting a cold wallet a hundred times by now. But security only matters more as NFT scams keep popping up.
Scammers and their phishing techniques are getting smarter and more sophisticated. Some are fooling even experienced crypto users into paying for a fake mint. These scams typically arrive as social media phishing, primarily on Discord, and they are becoming harder to spot.
Let’s take a look at what these recent scams have looked like, then identify 10 NFT security measures we can all take as collectors, project heads, Discord moderators, or anyone else under the sun to secure our NFTs and crypto assets.
The NBA Top Shot Phishing NFT Scam
Last week, about 18.75 ETH was stolen from Top Shot collectors by a scammer who compromised the official NBA Top Shot Discord. The messages, posted to the #announcements channel and others, told collectors about an exclusive opportunity to mint an NBA Top Shot NFT on the Ethereum network.
The scammer abused the server’s webhook integrations to post as a bot. Several Discord members sent 0.2 ETH each to the address posted by “NBA Top Shot Team Bot” in the Top Shot Discord before the malicious bot and its messages were removed.
See this Twitter thread from Dumbo, a Top Shot community lead, for more info on the Discord exploit.
There were two red flags that should have stopped users before they signed. First, a “Top Shot” account posted an Ethereum contract, yet Top Shot does not interact with the Ethereum blockchain at all. Second, the transactions were plain “Send ETH” transfers, not calls to a mint function, and MetaMask shows that distinction on the confirmation screen before you approve.
Although the scammer got away with the funds, NBA Top Shot reimbursed all of the ETH to the wallets that had sent money to the scammer’s address through the fake site posted in its Discord.
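What the second signal looks like in code, as an added example that is not part of the original article or of any project’s software: the function below reads an eth_sendTransaction request the way a careful user should read the MetaMask confirmation screen, and flags a plain ETH transfer, an unexpected recipient, the wrong chain, or a price above the announced mint. The verified contract address, chain id, selector table and sample requests are constructed assumptions.

```javascript
// Added example (not from the article or any project): read an
// eth_sendTransaction request the way a careful user should read the
// MetaMask confirmation screen before signing. The verified contract
// address, chain id and selector table below are constructed assumptions.

const WEI_PER_ETH = 10n ** 18n;

// Convert a hex wei string ("0x2c68af0bb140000") to a decimal ETH string.
function weiToEth(hexWei) {
  const wei = BigInt(hexWei || "0x0");
  const whole = wei / WEI_PER_ETH;
  const frac = (wei % WEI_PER_ETH).toString().padStart(18, "0").replace(/0+$/, "");
  return frac ? `${whole}.${frac}` : `${whole}`;
}

// 4-byte selectors you expect the project's mint contract to accept.
// 0xa0712d68 is the first four bytes of keccak256("mint(uint256)"); fill this
// table from the project's verified contract ABI. It is an allowlist, not canon.
const KNOWN_SELECTORS = { "0xa0712d68": "mint(uint256)" };

// tx: the params object a dapp passes to eth_sendTransaction, plus the chainId
// the wallet reports via eth_chainId. expected: what the verified mint looks like.
function classifyTx(tx, expected) {
  const data = (tx.data || "0x").toLowerCase();
  const to = (tx.to || "").toLowerCase();
  const warnings = [];
  let kind;
  let selector = null;

  if (data === "0x") {
    // No calldata: this is a plain "Send ETH" transfer, exactly what the
    // Top Shot victims signed. A mint always calls a contract function.
    kind = "eth-transfer";
    warnings.push("no calldata: this only sends ETH, it does not call a mint function");
  } else {
    selector = data.slice(0, 10);
    if (KNOWN_SELECTORS[selector]) {
      kind = "contract-call";
    } else {
      kind = "unknown-contract-call";
      warnings.push(`unrecognised function selector ${selector}`);
    }
  }

  if (to !== expected.contract.toLowerCase()) {
    warnings.push(`recipient ${to} is not the verified contract ${expected.contract}`);
  }
  if (tx.chainId !== expected.chainId) {
    warnings.push(`wallet is on chain ${tx.chainId}, the project mints on ${expected.chainId}`);
  }
  const valueEth = weiToEth(tx.value);
  if (Number(valueEth) > expected.maxValueEth) {
    warnings.push(`value ${valueEth} ETH exceeds the announced mint price ${expected.maxValueEth} ETH`);
  }
  return { kind, selector, valueEth, warnings, safeToSign: warnings.length === 0 };
}

// Constructed sample inputs (assumptions, not real addresses or contracts).
const VERIFIED_MINT = {
  contract: "0x1111111111111111111111111111111111111111", // from the project's verified channels
  chainId: "0x1",                                          // Ethereum mainnet
  maxValueEth: 0.1,                                        // announced mint price
};

// Scam-style request: 0.2 ETH sent straight to an unknown address, empty calldata.
const scamTx = {
  from: "0x" + "a".repeat(40),
  to: "0x" + "2".repeat(40),
  value: "0x2c68af0bb140000", // 0.2 ETH in wei
  data: "0x",
  chainId: "0x1",
};

// Legitimate-looking request: mint(1) on the verified contract for 0.05 ETH.
const mintTx = {
  from: "0x" + "a".repeat(40),
  to: VERIFIED_MINT.contract,
  value: "0xb1a2bc2ec50000", // 0.05 ETH in wei
  data: "0xa0712d68" + "1".padStart(64, "0"), // selector + uint256 quantity 1
  chainId: "0x1",
};

console.log(classifyTx(scamTx, VERIFIED_MINT));
console.log(classifyTx(mintTx, VERIFIED_MINT));
```

Run it with node: the scam-style request comes back with kind "eth-transfer" and three warnings, the mint request with kind "contract-call" and none. The part that matters is comparing the recipient against a contract address you obtained from the project’s own verified channels, never from the link you were sent.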
The CreatureToadz Phishing NFT Scam
Later that same night, over 89 ETH was taken, temporarily as it turned out, from CreatureToadz members who saw a post in the official CreatureToadz Discord about an early minting opportunity.
As with Top Shot, the malicious announcement came from an account the Discord had never seen before and carried an “exclusive” link to mint CreatureToadz early. The attacker again used a webhook to take control of the server’s Discord integrations and post the messages from an official-looking account, a new way of phishing.
In an unlikely turn of events, the funds from this scam were eventually returned to the official CreatureToadz team, thanks to help from the community in outing the scammer. The CreatureToadz team then returned it to all who minted from the malicious site posted on Discord.
After the scam, the scammer spoke in Andrew Wang’s Twitter space about how easy the hack was to execute — albeit sophisticated — and how many NFT projects are leaving themselves very vulnerable to these attacks right now because of their lack of security.
The next day, the official CreatureToadz minting went off without a hitch.
10 Ways to Protect Yourself from NFT Scams
After hacks of two major projects, here are ten practical ways to protect your NFT and crypto assets from NFT scams and social media phishing.
1. Thou shall not use the same password twice.
If one site you use is breached, a reused password hands the attacker your exchange, wallet, and Discord accounts as well.
2. Thou shall not store their seed phrase digitally.
A seed phrase stored on a device or in a cloud account (notes apps, screenshots, email) is exposed to anyone who compromises that device or account. Just don’t do it.
3. Thou shall store at least one physical copy of their wallet’s seed phrase (labelled with the last four characters of the wallet address, so you know which wallet it belongs to) in a safe, physical place.
Ideally, store it in more than one location, such as your house and a parent’s safe. Once it is securely stored in those places, the seed phrase should not exist anywhere else. That includes the QR code MetaMask shows when you set up the mobile app; treat it as equivalent to the seed phrase. It is also a good idea to keep your wallet addresses private, especially if you own multiple wallets.
4. Outside of the physical locations where the seed phrase is stored, thou shall never share or expose their wallet’s seed phrase to anyone. Ever.
No legitimate support team, mod, or project will ever ask for it.
5. Thou shall not click random Discord or social media links from unknown sources, in DMs or elsewhere.
Before clicking any Discord link or opening any download from an unfamiliar site, verify who sent it and confirm through a second channel that the source is legitimate. Never open a download that arrived through a Discord link unless you fully trust the source; if you cannot verify it, don’t open the link or the download.
In both the CreatureToadz and NBA Top Shot cases, the phishing posts in the announcements channels came from bot accounts that had never posted in those servers before the fake “exclusive” minting opportunities. Take a second and confirm first.
6. Thou shall take several seconds (or minutes) to think and do their own research when arriving at a new website before connecting a wallet or confirming any transaction.
Connecting your wallet tells the site your address and lets it prompt you with transactions; confirming one is what actually moves funds or grants approvals. Don’t take either step unless you are sure you trust the person or contract you’re transacting with.
7. Thou shall use a cold storage wallet, also called a hardware wallet, for all high-value NFTs and cryptocurrency they wish to keep for a long time.
A hardware wallet like a Ledger or Trezor keeps your private keys off your computer, so a phishing page or malware cannot drain those assets with a stolen seed phrase. It will not save you from a transaction you approve on the device yourself, so keep your long-term holdings in a wallet you never connect to mint sites. At the time of writing, the cheapest Ledger costs less than 0.02 ETH.
8. Thou shall never log into MetaMask, other wallets, or social media accounts on unsecured networks.
Always confirm you are on a network you trust before entering private data on any website, and make sure the site is served over HTTPS. A VPN is a reasonable investment for privacy on public networks, though it does nothing against a phishing site you choose to visit.
9. Whenever possible, thou shall use two-factor authentication for every account.
Two-factor authentication takes only a few extra seconds to set up, and an attacker who has your password still cannot get in without your second factor. Prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted by SIM swapping. This step is especially important for Discord mods and anyone with admin rights on a server.
10. Thou shall not share their screen with people on Discord.
This may seem harsh if you screen share in your communities, but your personal information is at risk the moment you share your screen, especially if it shows wallets, seed phrases, or other sensitive data.
A popular scam in the earlier NFT days had scammers posing as OpenSea, MetaMask, or an NFT project’s support or mod team and asking you to share your screen while it displayed private information. Again, never share your screen, no matter who is asking.
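Rules 5 and 6 in code, as an added example that is not from the article or any project: a link checker that applies the checks a careful collector makes by eye before opening a Discord link or connecting a wallet. It uses Node’s built-in URL parser and a domain allowlist; the allowlist entries and sample links are constructed assumptions, and it covers more phishing shapes (userinfo tricks, bare IP hosts, punycode homoglyphs) than the two incidents described above.

```javascript
// Added example (not from the article): vet a link from Discord or social
// media before opening it or connecting a wallet. The allowlist entries are
// assumptions; fill yours from the project's verified website and pinned posts.

const TRUSTED_DOMAINS = ["opensea.io", "example-project.xyz"];

// Last two labels of the hostname. Enough for .io/.xyz/.com style domains;
// suffixes like co.uk would need a public-suffix list.
function registrableDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

function checkLink(raw) {
  const reasons = [];
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, host: null, registrable: null, reasons: ["not a valid absolute URL"] };
  }
  const host = url.hostname.toLowerCase();

  if (url.protocol !== "https:") {
    reasons.push(`scheme ${url.protocol} is not https`);
  }
  if (url.username || url.password) {
    // "https://opensea.io@evil.xyz" reads as opensea.io but connects to evil.xyz
    reasons.push(`text before @ (${url.username}) hides the real host ${host}`);
  }
  if (/^\d+(\.\d+){3}$/.test(host)) {
    reasons.push("bare IP address instead of a domain name");
  }
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    // Node converts non-ASCII hostnames to punycode, so a trusted brand spelled
    // with look-alike characters shows up here as an xn-- label.
    reasons.push("internationalised (xn--) label, possible homoglyph domain");
  }
  const registrable = registrableDomain(host);
  if (!TRUSTED_DOMAINS.includes(registrable)) {
    const resembles = TRUSTED_DOMAINS.find((d) => host.includes(d.split(".")[0]));
    reasons.push(
      resembles
        ? `${host} only resembles ${resembles}; the real domain is ${registrable}`
        : `${registrable} is not on your allowlist`
    );
  }
  return { ok: reasons.length === 0, host, registrable, reasons };
}

// Constructed sample links: one genuine shape, the rest typical phishing shapes.
const SAMPLE_LINKS = [
  "https://opensea.io/collection/example",
  "https://opensea.io.mint-now.xyz/claim", // trusted name as a subdomain of the attacker's domain
  "https://opensea.io@evil.xyz/mint",      // trusted name in the userinfo part
  "http://opensea.io/",                    // right domain, no TLS
  "https://оpensea.io/",                   // Cyrillic "о" in place of Latin "o"
];
for (const link of SAMPLE_LINKS) console.log(link, checkLink(link));
```

Only the first sample passes. The allowlist is the point: a domain you typed in from the project’s verified site is the one thing a scammer cannot change in a Discord post, whereas a familiar-looking hostname is exactly what they craft.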
How to Protect your NFTs
Anyone can be fooled by a phishing scam; it happened to thousands of people in the last week alone, probably more than ever, and scammers are not going away, they are just going to keep evolving.
As a general rule across all of NFTs and crypto, if anything seems too good to be true, be very skeptical and assume the worst. Blockchain created a trustless economy, but that puts the burden of trust on every single user to do thorough research and fully vet any person or contract they interact with.
Always do your own research, confirm the validity of contracts and interactions on your own, and take a breath before connecting your wallet or confirming any transaction.
Lastly, always look out for those around you in your communities. If we have each other’s backs, we’re all going to make it — with our digital assets safely secured.
Have more NFT and crypto security tips? Send them to us: @MomentRanks on Twitter