December 27, 2021 - 12 min read
NFT scams can be life-changing in a bad way. This article provides a step-by-step guide to preventing some of the most common and advanced NFT scams in the market today. Following these actionable steps will help keep your NFT assets safe from bad actors.
On Christmas day, a VeeFriend worth at least 9 ETH was stolen from an 18-year-old who put his life savings into the project. Just a few days before that, a 19-year-old lost a VeeFriend worth a similar amount due to a scam.
Witnessing the aftermath of an NFT scam is disheartening, and our mission at StartWithNFTs.com is to help educate you about web3 and the NFT markets.
We’ve put together a step-by-step guide to help you avoid NFT scams so that you can keep your assets safe. At the end of the article, we’ve outlined a routine you should implement every single time you interact online. NFT scams are rampant and we need to work together to combat them.
Each of these 10 steps matters on its own, but they are most effective when used together to keep your NFTs safe.
Turning off Direct Messages in Discord is one of the fastest ways to help secure your NFT assets and avoid getting scammed.
You will get messages like the one above from multiple accounts on a daily basis. Some of these messages are made to look like they come from a legitimate project.
Oftentimes, the links will take you to a fraudulent website and when you connect your wallet, the site will drain your assets.
For example, the official URL of Opensea is Opensea.io, but a Direct Message on Discord may use “Opensee.io” to trick you into connecting to a site that makes your NFTs and cryptocurrencies vulnerable.
(1) Open Discord (app or browser) and click on the gear icon on the bottom left-hand side of the screen next to your username:
(2) Select Privacy & Safety
(3) Scroll down to Server Privacy Defaults and turn off Allow direct messages from server members
When you turn off direct messages from server members, you’ll be prompted with an option to apply the change to existing servers. Select yes:
And voila! In 3 easy steps, you just disabled Direct Messages on Discord and are one step closer to protecting your NFT assets.
Note: You can still use the Add Friend function to send direct messages to users but be sure to confirm a user before you do this (breakdown on how to verify a user is included in step 2).
If you’ve disabled Direct Messages in Discord, you won’t have to worry about imposters very often, but this is still worth reviewing.
It is very easy for someone to create a Discord profile that copies an existing user’s name and profile picture but is actually controlled by someone else.
For instance, in the VeeFriends Discord group, there are 3 Gary V’s:
Someone could create a Discord account, use the name “garyvee” and the exact same profile picture, but ultimately be a scammer in disguise.
You can verify a Discord user by looking at the unique four-digit number (the discriminator) that follows the user name. In the case of the real Garyvee, it’s #1565.
To verify a Discord user, click the name in the Discord chat and it will pull up more information about the account, including the unique four-digit identifier and role in the Discord (i.e. if someone is posing as an admin, you can verify it here):
Navigate to your direct messages, click on a username, and the same window will pop up so you can verify the unique four-digit code after the user’s name.
It is a common tactic for scammers to mimic a well-known Discord user name, message you directly, build rapport and trap you in a fake NFT trade, a screen-share request, or direct request for your seed phrase.
Note: This section contains affiliate links for Ledger devices. If you purchase a device, we receive a small portion of the sale, which is reinvested back into this blog. I have personally used a Ledger hardware wallet for the past 5 months and highly recommend it. It isn’t perfect, but the investment is worth it to add a layer of protection for your NFTs. You can read more about my affiliate disclosures by clicking here.
One of the most effective ways to protect your NFT assets is to purchase a hardware wallet. You can shop for Ledger Hardware wallets by clicking here.
The Ledger Nano X is $119, which is less than most gas fees paid during the minting of a popular project.
If you wanted a detailed breakdown (with screenshots) on how to use a Ledger device, you can click here.
Hardware wallets protect your assets by holding your private keys offline on the device. This means that every transaction you perform has to be approved from your Ledger device.
Note: Do NOT buy a hardware wallet from an individual or 3rd party — the wallet may be compromised and you could be vulnerable to hacks. Even though there have been many reported cases of a successful purchase of a Ledger wallet on Amazon, the absolute safest play is to buy directly from the manufacturer.
NFT scammers won’t only imitate users, they also imitate projects. For example, when Adidas started minting its new NFT project, I received multiple direct messages from accounts with the same exact profile image as Adidas, but they included altered links to try and get me to connect with their fraudulent website.
Before you connect your wallet to any website, double-check that you are on the right link no matter what platform you are on.
Recently, a Twitter user copied someone’s profile and tried to get me to click a link to their website. This can happen on Instagram, Slack, Twitter, and even Google.
At one point, there was a spam Opensea website that paid for ad space to show up first on Google when users searched “Opensea”. It has since been removed, but double-check links even when you click them from Google.
Below are a few steps to help with your verification:
(1) Check the top-level domain (.com, .io, .xyz): oftentimes, scammers register the exact same domain name under a different top-level domain, and users don’t notice it
(2) Look for dashes in the URL: for example, the official Opensea URL is Opensea.io, a scammer may use Open-sea.io to try and fool you
(3) Carefully examine the spelling of a URL: For example, glance at this URL quickly:
Did you catch it?
The URL begins with two of the letter “n” to fool you into thinking it is an m.
(4) If something feels off, don’t connect your wallet to the site: Start With NFTs outlined the top 10 Discord groups to join in 2022. Use the list. Pop into the group and ask a question in the general chat. Now that you know never to click on a link from Discord and how to spot fake Discord users, you can be more comfortable confirming a link that feels off. Many Discord groups use an Off-Topic channel to cover these types of questions.
Note: Whenever someone mentions Metamask on Twitter, a fake Metamask support account almost always responds with a Google form or encouragement to send a DM:
Develop a habit of double-checking links, account names (look at the user name above), and user names to avoid scams across all social platforms.
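The four link checks above (top-level domain swap, inserted dashes, look-alike spelling, and "if in doubt, ask") can be turned into a small pre-flight check you run before pasting any link into your browser. The script below is an added example written for this article, not code from any of the projects or wallets mentioned. It assumes a constructed allowlist of official hostnames (keep your own, built from the links pinned in each project's official channels) and a small starter table of look-alike character runs that I chose for illustration; it also flags the case where an official name is used as a subdomain of some other registered domain, which goes a little beyond the list above.

```python
from __future__ import annotations
from urllib.parse import urlsplit

# Constructed allowlist of official hostnames (assumption for this example:
# build yours from links pinned in each project's official Discord/announcements).
OFFICIAL_HOSTS = {"opensea.io", "nfttrader.io", "metamask.io"}

# Character runs that read as another letter at a glance.
# Assumption: a small starter table; "rn" looking like "m" is the classic case.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"),
               ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def hostname_of(url: str) -> str:
    """Extract a lowercase hostname, tolerating a missing scheme and a www. prefix."""
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def split_host(host: str) -> tuple[str, str]:
    """Naive split of 'name.tld' into (name, tld); adequate for the hosts above."""
    name, _, tld = host.rpartition(".")
    return name, tld


def fold_confusables(name: str) -> str:
    """Rewrite look-alike runs to the letter a hurried reader would perceive."""
    for lookalike, real in CONFUSABLES:
        name = name.replace(lookalike, real)
    return name


def within_one_edit(a: str, b: str) -> bool:
    """True if one insertion, deletion or substitution turns a into b (or a == b)."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):      # extra character in a: skip it
            i += 1
        elif len(b) > len(a):    # missing character in a: skip it in b
            j += 1
        else:                    # same length: substitution
            i, j = i + 1, j + 1
    return edits + (len(a) - i) + (len(b) - j) <= 1


def check_url(url: str) -> list[tuple[str, str]]:
    """Return (warning_kind, official_host) pairs; an empty list means an exact allowlist hit."""
    host = hostname_of(url)
    if host in OFFICIAL_HOSTS:
        return []
    warnings = []
    name, tld = split_host(host)
    for official in sorted(OFFICIAL_HOSTS):
        off_name, off_tld = split_host(official)
        # opensea.io.example.com is NOT opensea.io: the registered domain is the last part
        if host.startswith(official + "."):
            warnings.append(("subdomain_trick", official))
        if name == off_name and tld != off_tld:
            warnings.append(("tld_swap", official))
        elif name.replace("-", "") == off_name:
            warnings.append(("inserted_dash", official))
        elif fold_confusables(name) == off_name:
            warnings.append(("lookalike_chars", official))
        elif within_one_edit(name, off_name):
            warnings.append(("one_char_off", official))
    if not warnings:
        # Not a known lookalike, but not approved either: confirm it in the project's channels
        warnings.append(("unknown_host", ""))
    return warnings


if __name__ == "__main__":
    # Constructed sample links: one real, the rest shaped like the tricks described above
    for link in ["https://opensea.io/collection/doodles", "Opensee.io", "Open-sea.io",
                 "https://opensea.com", "rnetamask.io", "nftttrader.io",
                 "https://opensea.io.example.com/claim"]:
        print(f"{link:45} -> {check_url(link) or 'OK (allowlisted)'}")
```

A non-empty result means "stop and verify in the project's Discord before connecting a wallet"; the script deliberately treats anything not on the allowlist as suspicious rather than trying to decide on its own that an unknown site is safe.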
Make it a habit to remove connected websites after you are done using them, even if you have verified them as safe.
Navigate to your Metamask Extension and click on the three vertical dots in the upper-right hand corner:
Source: Metamask Extension
Click on Connected sites:
Source: Metamask Extension
You can click the garbage can icon to disconnect your wallet from a site. You may be surprised how many sites are still connected to your wallet, so hurry up, get in there and disconnect those sites!
When a 2018 soccer NFT project was rediscovered, valuations of the NFTs in that project skyrocketed. After the project increased in value, fake collections started popping up on Opensea and fooled some very experienced users.
We even caught this and warned users:
Unfortunately, Opensea still hasn't verified the collection, so we recommend you always confirm the official Opensea project link in the project's Discord group (oftentimes, this link is a pinned post or is included in the Resources or Announcements channel).
In this case, the official project’s Opensea collection URL slug was wrapped-strikers, but a copycat collection removed the dash (remember, checking for dashes is part of your URL analysis routine) to create wrappedstrikers and used the exact same images of the assets.
Opensea has done a better job of authenticating projects with a blue checkmark (similar to what you see on Twitter) so you can always look for that checkmark:
Warning: Scammers have started including the blue checkmark in the project logo to fool users. The best way to protect yourself from the scam is to hover your mouse over the blue checkmark to ensure “Verified Collection” pops up:
Double-check by clicking on the blue checkmark to ensure the Verified Collection pop-up shows:
A current scam going around combines a few of the elements we’ve discussed above. A few people have lost NFTs worth at least 10 ETH when a scammer did the following:
(1) Posed as a known Discord user
(2) Sent a DM on Discord to initiate a trade
(3) Proved that the scammer holds an asset they are offering for trade (in this case, Bored Ape Yacht Club)
(4) Built rapport and convinced the user to list the NFT on Opensea at the minimum price instead of using a verified trading platform. In the cases I’m familiar with, the victim explained that the scammer convinced the person that NFT trading platforms were riskier.
Use a platform like NFTtrader.io. Again, be careful with links. It wouldn’t be surprising if someone created a site NFTttrader.io (with an extra t) to fool users.
I highly recommend verifying a user first — their wallet, Twitter account (look at followers), and ask for references before completing a trade.
Note: If it sounds too good to be true, it is. In the case of two VeeFriends that were stolen, users thought they were trading a VeeFriend for a Bored Ape, which currently has a floor price of 55.95 ETH whereas their asset was worth 10–12 ETH.
There are still stories of users getting scammed because they share their seed phrase directly in a chat or a message, but hackers are getting better. Some have convinced users they were part of the Opensea support team and convinced a victim to share their screen, which exposed a QR code that allowed access to a seed phrase.
Other hackers get into a computer and find seed phrases stored in Google Docs or other files located on a computer (especially when they are plain text files).
The safest play, even if it sounds ridiculous, is to write your seed phrase on two physical pieces of paper, storing one in a safety deposit box at a bank and another in a safe stored in your home. There isn’t any reason to enter your seed phrase into a computer unless you are installing your Metamask wallet on a brand new machine.
While it may seem trivial, I’ve read stories about people getting scammed out of their NFTs without being able to pinpoint exactly what happened. In one case, a Twitter user explained that he had multiple computers and browsers linked to his Metamask wallet and left both his computer and his wallet unlocked for extended periods of time.
To lock your Metamask wallet, open the extension and click on your profile picture at the top right, then click Lock:
Source: Metamask Extension
If your computer is stolen, someone hacks your computer with remote access, or something else of the sort happens, you have an added layer of protection because the wallet now requires your password before it can be used.
Note: It is also worth adding two-step verification to your Google accounts, especially if you use Chrome. Two-step verification requires a code (typically sent via text message or phone call) when logging into a Google account on a new device. If a hacker gets access to your Google account, then they can also get access to the extensions associated with that account (i.e. your MetaMask wallet).
For those who internalize the security steps listed in this article, you will start to see all of the vulnerabilities the internet offers to hackers looking to steal NFT assets. No matter how often we share information to protect NFT assets, there’s always someone who could learn more, so please share this article with as many of your friends and fellow NFT degens as you can.
Besides sharing this article, the next best step to take after closing this window is to develop secure daily habits:
(1) Get into a habit of using your hardware wallet
(2) Get into a habit of verifying links before you click them
(3) Get into a habit of assuming that if it’s too good to be true, it is
(4) Get into a habit of verifying users you are interacting with — this could be Twitter, Instagram, Discord, etc.
(5) Get into a habit of locking your Metamask wallet, using strong e-mail passwords and enabling two-step verification to prevent remote access hacks
While there are plenty of scams out there, we all have the tools and resources to protect ourselves and ensure the safety of our new hobby.