How to Stay Safe From NFT Scams
The NFT ecosystem is moving at breakneck speed. Projects are being created daily, competition among collections is pushing creativity and innovation, and more users are collecting their first NFT each and every day.
While most participants in the NFT space are genuinely interested in propelling the industry forward, the financial opportunities and the lack of formal education mean that bad actors are also present everywhere you look, trying to take advantage of ill-informed users.
Below, we’ll walk through some of the most notable NFT scams and how you can spot them and avoid them moving forward.
Discord Direct Messaging Scams
Discord is an integral part of the technology stack for NFT ecosystem participants. Most NFT projects and collectors use Discord regularly to communicate with fellow collectors and keep up to date with all of the announcements from project administrators.
Because Discord allows collectors unique access to project creators and administrators, it also presents opportunities for imposters to take advantage of unsuspecting users.
Discord Direct Messaging - Malicious Links and Phishing Attempts
Most of the notable Discord scams happen in direct messages, where users think they are communicating with a notable community member or project contributor, but instead they are communicating with an imposter.
Common examples include imposters reaching out to ask for an amount of ETH or trying to get a server member to click a malicious link.
Here's a recent example from Twitter user Josh Aust.
While this is made to appear like it came from the real Degen Ape Academy, the website URL does not belong to the real Degen Ape Academy project. Always proceed with caution when reading through Discord direct messages.
Discord Direct Messaging - Fake Discord Server with Fake Collab.Land
Another recent Discord scam occurs when users receive invitations to Discord servers that appear to be from legitimate collections. Take the example below from Twitter user Adreis.eth. The user was invited to what appears to be the Cool Cats NFT server. It's common practice for NFT Discords to have members verify their wallet holdings in order to receive particular roles within the Discord. This is often done using the Collab.Land bot. In this particular instance, when a user goes to verify their status for a role, they are greeted by a fake Collab.Land bot. The differences are small but are pointed out in the screenshot below.
Much like the direct messaging scam above with Degen Ape Academy, it is important to always slow down and proceed with extreme caution when receiving invitations and direct messages on Discord.
How You Can Avoid Direct Messaging Scams
One of the easiest ways you can avoid direct messaging scams on Discord is to disable the ability for server members to send you direct messages. This setting can be found in the privacy and safety section of your user settings on Discord.
By toggling this setting to “off,” no members of a shared Discord server will be able to send you direct messages.
When pairing this setting with “allow direct messages from friends,” you can be sure to only receive messages on Discord from friends you trust.
This security feature can be applied to all of the servers you join or you can remove it for select servers where you feel other members are trustworthy.
To turn on direct message capabilities for only select servers, go to that server and open its settings cog. From here you can toggle the setting to “on,” which will allow members of that particular server to send you direct messages, even if they are not your friend on Discord.
OpenSea is the largest secondary marketplace for NFTs, and creative scammers have come up with multiple ways to try to trick unsuspecting NFT participants there.
OpenSea Email Scams
We’ve seen recent evidence of increasing email scams, whereby bad actors attempt to appear as OpenSea and exploit the recipient via a malicious link.
See the example below from Twitter user Dylan Mayoral.
Here scammers have nearly replicated the user experience and interface of an email that comes from the team at OpenSea. It should be noted that OpenSea will only ask you to verify your email after you have linked one to your account profile. It will not ask you to verify your account in this manner.
What To Do If You Receive a Suspicious Email
If you receive a suspicious email, please do not interact with it in any way. Clicking links or opening files can make you susceptible to attack from a hacker or scammer. The best course of action is to delete the email from your inbox and permanently delete it from your trash folder as well.
Always check the actual sender, listed as the “from:” email address, and verify that the logos and prompts are legitimate.
Wrong Currency Bid Scam
Another popular OpenSea scam tactic run by bad actors is the “wrong currency bid” scam.
For example, when someone lists an NFT for 1 ETH, a bad actor will bid 1 DAI (a stablecoin worth about $1). An unsuspecting user who is uninformed or hastily searching for liquidity may accept this offer without noticing or thinking twice about the disparity between the bid and the listing.
How To Avoid The Wrong Currency Bid Scam
There are two major ways to avoid this as a new entrant to NFTs. First, each currency is denoted by a color, a symbol, and a ticker. When listing in ETH, you’ll see a black ETH logo followed by the ticker ETH.
When bids are received in other currencies, like DAI, the symbol is a different color, shape, and holds a different ticker (DAI).
Paying close attention to these symbols and colors will help you to avoid a silly mistake.
Additionally, OpenSea has just added a new “offer strength” feature. It prominently displays the percent change of the offer relative to the floor price of the asset's collection. Prior to accepting an offer, make sure that you are comfortable with the difference between the collection floor price and the offer you have received.
In the example above, it is clear that the bad bids are extremely weak.
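The two checks described above, a currency mismatch between listing and bid and the offer strength relative to the collection floor, as an added example that is not part of the original article. The reference prices, threshold and the treatment of WETH as equivalent to ETH are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed USD reference prices for the example (assumption, not live market data).
USD_PRICE = {"ETH": 3000.0, "WETH": 3000.0, "DAI": 1.0, "USDC": 1.0}
# Offers on the marketplace are commonly made in WETH; treat it as ETH for mismatch purposes.
ETH_LIKE = {"ETH", "WETH"}


@dataclass
class Listing:
    currency: str
    amount: float
    floor_price_eth: float  # collection floor, denominated in ETH


@dataclass
class Offer:
    currency: str
    amount: float


def to_eth(currency: str, amount: float) -> float:
    """Convert an amount in any supported currency to its ETH equivalent."""
    return amount * USD_PRICE[currency] / USD_PRICE["ETH"]


def offer_strength_pct(offer: Offer, listing: Listing) -> float:
    """Percent change of the offer relative to the collection floor (negative = below floor)."""
    offer_eth = to_eth(offer.currency, offer.amount)
    return (offer_eth - listing.floor_price_eth) / listing.floor_price_eth * 100.0


def review_offer(offer: Offer, listing: Listing, weak_threshold_pct: float = -50.0) -> dict:
    """Return the offer strength plus human-readable warnings a seller should read before accepting."""
    warnings = []
    same_family = {offer.currency, listing.currency} <= ETH_LIKE
    if offer.currency != listing.currency and not same_family:
        warnings.append(
            f"currency mismatch: listed in {listing.currency}, offer is in {offer.currency}"
        )
    strength = offer_strength_pct(offer, listing)
    if strength < weak_threshold_pct:
        warnings.append(f"weak offer: {strength:.1f}% relative to the collection floor")
    return {"strength_pct": strength, "warnings": warnings}


if __name__ == "__main__":
    # The scenario from the article: listed for 1 ETH, bid of 1 DAI.
    listing = Listing(currency="ETH", amount=1.0, floor_price_eth=1.0)
    print(review_offer(Offer(currency="DAI", amount=1.0), listing))
```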
Wrong Link OpenSea Scam
Similar to other phishing attempts seen in the industry, scammers will sometimes replicate the OpenSea user interface but serve it from a malicious URL rather than OpenSea.io. Unsuspecting users searching for OpenSea via a search engine may be none the wiser. In this example from Twitter user Nathan Head, notice a clearly fake OpenSea link appearing at the top of the search results.
Blindly interacting with these links and sites could put your account at risk.
How to Avoid the Wrong Link Scam
A security best practice is to bookmark the correct OpenSea site, OpenSea.io. After you’ve bookmarked it, you’ll no longer need to type it into your address bar or search engine, and you can be sure to reach the safe link every time.
Otherwise, always be sure to verify that the OpenSea you’re interacting with is OpenSea.io and NEVER share your recovery phrase.
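One way to make the "is this really OpenSea.io?" check precise, as an added example that is not part of the original article: compare the parsed hostname against the official domain rather than looking for the string "opensea.io" anywhere in the URL. The lookalike addresses in the usage section are constructed on reserved TLDs for illustration.

```python
from urllib.parse import urlsplit

# The official domain named in the article; subdomains of it are accepted as well.
OFFICIAL_DOMAIN = "opensea.io"


def is_official_opensea_url(url: str) -> bool:
    """True only for an https URL whose hostname is opensea.io or a subdomain of it.

    urlsplit().hostname is lowercased and already stripped of userinfo and port,
    so tricks such as 'https://opensea.io@other.example/' resolve to 'other.example'.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = parts.hostname or ""
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)


def naive_contains_check(url: str) -> bool:
    """The substring check people often do by eye; shown only to contrast with the function above."""
    return "opensea.io" in url.lower()


if __name__ == "__main__":
    # Constructed sample URLs: one genuine, the rest lookalikes on reserved TLDs.
    for sample in [
        "https://opensea.io/collection/some-collection",
        "https://OpenSea.io/",
        "http://opensea.io/",
        "https://opensea.io.example/login",
        "https://opensea.io@lookalike.example/",
        "https://lookalike.example/opensea.io",
    ]:
        print(f"{sample!r:50} official={is_official_opensea_url(sample)} naive={naive_contains_check(sample)}")
```

Every lookalike above passes the naive substring check and fails the hostname check, which is why the article's advice to verify the site, not just the name on the page, matters.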
Fake MetaMask Phishing Scams
A MetaMask phishing scam commonly arrives through malicious links shared on Discord. Interacting with the link opens a nearly identical copy of the MetaMask extension that asks for a recovery seed phrase instead of a password.
Unsuspecting users may input their recovery seed phrase, handing access to their wallet and its contents to the scammer. Here's an example from a video breakdown by Twitter user Kevin Kiggs.
This scam also utilizes an OpenSea clone, fooling the user into proceeding.
How You Can Avoid MetaMask Scams
Heed all of the warnings from the previous scam listings: slow down, always proceed with caution, and turn off your direct messages. But perhaps the simplest piece of advice we can give is this: NEVER enter your seed phrase online unless you are restoring a wallet with a legitimate wallet provider.
Putting your secret recovery phrase online is dangerous and could give a scammer access to the contents of your wallet.