Caveat emptor: a Latin phrase that can be roughly translated into English as "buyer beware."
It is a legal principle which exists to place the burden on a buyer to do their proper research before buying (i.e. don’t blame the seller if what you buy doesn’t turn out to be exactly as you expected).
This principle very much applies to NFTs right now.
As money comes in, so do scammers.
This article is an alert: an alert about some (not all) of the ways people are losing money to nefarious actors at the moment.
Be safe, and read my previous article on NFT Security: Part 1 for more foundational security content.
1) DISCORD DMs
Discord has become the ‘home’ of NFT projects. On this platform founders, creators, administrators, investors, collectors and fans can all hang out and discuss things.
It also provides the functionality to DM other users.
Be wary of this, as DMs are almost always a scam.
Projects will NEVER DM you to tell you about an unexpected opportunity to purchase.
Random people asking to borrow money from you do not intend to pay you back.
More complex is the DM from someone who appears familiar to you. They may have a name extraordinarily similar to someone you know, or even a friend of yours.
Solutions:
Close all DMs: this forces those who wish to speak with you to send you a friend request, at which point you can ignore those you don’t know and accept those who are genuine.
Keep DMs open but block unknown people immediately / never click on links: you might not like having DMs completely closed if you want to stay open to those reaching out for a deal, so this way you get to see what comes in first.
Find legitimate handles: If you do receive a suspicious message from someone you think you know, find the person’s real handle and send them a direct message to check if the same conversation pops up.
2) DISCORD HACKS
Always a scam, but slightly harder to spot.
The problem here is that the invitation to buy something comes through the official Discord channel, because the real project leaders/administrators have lost control of the account.
This will probably take the form of a message in the announcement channel which is designed to make you think it’s super urgent for you to buy a very limited, exclusive offering by the team.
A link will take you to a minting site where you send your sweet ETH to the scammer and receive nothing in return.
Solutions:
Read + comprehend: ask yourself if what the message announces really sounds like the team in its style, and if its content is believable. Most projects will not launch something unexpected without giving at least a hint something is coming.
Check the general channel chat: the majority is usually wise. If something is suspicious, someone in the general chat channel would probably have sounded the alarm.
Continuous learning: though I’m sure there are many people who excel at Discord security, the person I have learned most from is undoubtedly @VGFreakXBL, who is always sharing the latest learnings in this area. I would suggest you follow him.
“- Scammer (impersonating Admin/Mod) accuses target of scamming, often providing “evidence”
- Target in good faith & now on the defensive tries to prove innocence
- Scammer asks to screen share (to navigate you to Dev Tools) exposing target’s Discord token
This is the beginning of how a server gets compromised. Please don’t fall for this. https://t.co/QoiPG8rjLF”
Corso @Corso52
3) FAKE EMAILS
You might get fake offers in your inbox. The link might try to get you to pay into a fake site or ask for your seed phrase/wallet access. Do not fall for this!
Solutions:
Use official channels only: always verify the offers you receive by logging into your account yourself, not through the link in the email.
4) PAID ADS ON GOOGLE
When you search for websites make sure you are clicking on the correct link!
Sometimes the first link that Google shows you is a paid advertisement, and the paid advertisement might be a scam.
Solutions:
Use official channels only: get to websites by using official links from official Twitter or Discord channels.
5) STOLEN IP / FAKE COLLECTIONS
The search functionality on many marketplaces is not great. Marketplaces also don’t necessarily verify official collections quickly. This means there can be confusion as to which NFTs are “authentic” if there is no verified collection.
Solutions:
Use official channels only: use official links from official Twitter or Discord channels.
6) EXCHANGE HACK
Without going into the technicalities, your exchange account is more likely to be hacked if the only 2FA (two-factor authentication) used is email or SMS.
Authenticators like Authy are considered to be safer.
Solutions:
Use an authenticator: don’t just rely on email or phone number as 2FA.
7) INAUTHENTIC MINTS
Some people think it is wise to watch the wallet activity of “influential” people to get an edge to decide what to buy next.
Whilst this might be profitable sometimes, be aware that NFTs can be minted directly to a wallet without the consent or knowledge of the wallet owner.
Solutions:
Be wise: don’t blindly make financial decisions based on the activity you see in someone’s wallet.
8) MALICIOUS AIRDROPS
Sometimes you will receive airdrops into your wallet that you did not purchase.
These are most likely malicious.
If you interact with these NFTs (e.g. try to transfer them out of your wallet), your wallet may become compromised and your assets can be stolen.
Solutions:
Do not interact with airdrops that you do not trust.
9) SWAP SITES
Sites like Sudoswap enable trading of NFTs between parties.
For a period, malicious actors would pose as wanting to do a trade and then send a malicious link: the trade you hoped for would not take place, but they would be able to steal your assets.
“Always make sure the URL is sudoswap.xyz - bookmark it to be safe!”
Sudoswap website
Solutions:
Follow the official process - read the website carefully to understand how the trade works.
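As an added example (not code from the original article or from Sudoswap), here is a small allowlist check in Python that applies the “make sure the URL is sudoswap.xyz” advice, and the earlier “use official links only” rule, to every link found in a message such as a Discord announcement. The official hostname is the one named on this page; every URL it tests is a constructed sample.

```python
# Added example, not code from the original article or from Sudoswap: a small
# allowlist check a reader could run on a link before clicking it, following the
# article's "make sure the URL is sudoswap.xyz" advice. The official host is the
# one named in the article; every URL checked below is a constructed sample.
import re
from urllib.parse import urlsplit

OFFICIAL_HOSTS = frozenset({"sudoswap.xyz"})

# Rough URL matcher for free text such as a Discord announcement.
URL_RE = re.compile(r"https?://[^\s<>\"'\])]+")

# Constructed sample announcement of the kind described in the "Discord hacks"
# section: one genuine link, one lookalike that only starts with the official name.
ANNOUNCEMENT = (
    "Surprise mint for holders! Trade on https://app.sudoswap.xyz/trade "
    "or claim now at https://sudoswap.xyz.mint-now.example/claim!"
)


def link_is_official(url: str, allowlist=OFFICIAL_HOSTS) -> bool:
    """True only when the link is HTTPS and its host is an allowlisted host or a
    direct subdomain of one (app.sudoswap.xyz). Lookalikes are rejected:
    sudoswap.xyz.evil.example (official name used as a prefix),
    sudoswap.xyz@evil.example (official name in the userinfo part),
    sud0swap.xyz (digit for letter) and internationalised/punycode hosts."""
    parts = urlsplit(url.strip())
    host = parts.hostname  # userinfo and port stripped, already lowercased
    if parts.scheme.lower() != "https" or not host:
        return False
    host = host.rstrip(".")
    # Treat any non-ASCII or punycode (xn--) label as unsafe for this allowlist:
    # the official site is plain ASCII, homoglyph domains are not.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False
    # The registrable domain is the END of the hostname, so only an exact match
    # or a ".sudoswap.xyz" suffix counts; "evilsudoswap.xyz" does not.
    return any(host == h or host.endswith("." + h) for h in allowlist)


def flag_links(message: str, allowlist=OFFICIAL_HOSTS) -> list[tuple[str, bool]]:
    """Find every link in a message and pair it with the allowlist verdict."""
    urls = [u.rstrip(".,!?") for u in URL_RE.findall(message)]
    return [(u, link_is_official(u, allowlist)) for u in urls]
```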
10) RUGS
Some projects which have anonymous founders might sell a project out quickly and simply disappear with the money.
Most recently there has been a wave of new launches that have had incredibly high mint prices, suspiciously high Twitter/Discord follower count, and long wait times for full reveal of NFTs.
A high price extracts as much as possible from the customer, a lot of Twitter followers / Discord members gives the impression of insane demand, and a long wait time for the NFT reveal maximises speculation on the secondary market from which the team obviously receives royalties.
Solutions:
DYOR (do your own research) - read the website and Twitter feed, and be in the Discord to get a feel for the real intentions of the creators.
FINAL THOUGHTS
There are all sorts of ways for you to gain and lose money in this space at the moment.
This is just a snapshot - no doubt there will be more opportunistic scammers of whom we will need to keep aware.
In the end and in my experience, the best thing to do is take as much responsibility on your own shoulders as possible. It is your decisions which really matter.
Do not click on malicious links
Do not interact with malicious NFTs
Use the best 2FA possible
Use a hardware wallet - more info in my previous article
Never give your private keys/seedphrase to anyone
Have a great day
B
Security is a big, BIG concern in the NFT space with so many mistakes being made by folks daily. Thanks for helping guide on staying safe!