5 Common Scams to Watch Out For in the NFT Space
As the NFT space continues to grow, so does the number of scams. Sadly, a lot of collectors, even those with lots of experience, are getting scammed out of their NFTs as fraudsters get more clever at tricking people into providing sensitive information or signing dodgy smart contracts.
It's increasingly common to hear of people losing hundreds of thousands of dollars in NFTs and crypto to such scams. Once you authorize your wallet to interact with a malicious contract, or the scammer somehow gets your seed phrase, it's game over. They can drain your entire wallet, taking away all those precious NFTs and crypto you have. The space is still the Wild West, so you do need to be aware of the most common scams and the precautions to take.
To help prevent this from happening to you, here are 5 common scams to watch out for (though there are many others). As a general rule, don't rush into things and, if it's too good to be true, it is!
1) Discord - switch off direct messages (DMs)
If you’re fairly new to the NFT space, you’re probably new to Discord too. Discord defaults to allowing anyone in a server you’re in to direct message you. Most of the time, these DMs are scams. People can DM you with malicious links pretending that the project you’re in is doing a stealth launch (it’s not) or there’s an urgent presale going on (it isn’t). The scammers create a sense of urgency/Fear of Missing Out (FOMO) to try to get you to click on the link.
At best you might lose some crypto minting a fake collection, and at worst they could get access to your whole wallet and take everything. This can happen if you sign a smart contract enabling this on the scam website.
So it’s best to switch off DMs by going to Settings > Privacy & Safety > Switch off ‘Allow direct messages from server members’ (these are the current setting instructions at the time this article was written).
It’s always better to communicate within a channel and then, if someone needs to DM you, they can get your permission first and then can add you as a friend. But as always be cautious as they could be trying to socially engineer you to fall for a scam.
2) Hacked discords / social media accounts
Over the past year, a lot of people have fallen victim to scams resulting from hacked Discords or social media accounts. When a project's Discord gets hacked, usually an announcement or post is put out saying there is a stealth launch, and a sense of FOMO is created.
For example, you only have 30 minutes to mint the NFT, and a fake countdown will be shown where it looks like minting is happening fast and there are not many left. This happened recently with NFT influencer @fluralpha, who had their Discord hacked. The hacker posted a time-sensitive link for an Alpha Group token, and many users lost their NFTs. They posted that it was free if claimed within a short timeframe, creating urgency and FOMO to trick people.
Scammers prey on this sense of urgency/FOMO and you need to realize that it’s better to miss out than lose all your crypto/NFTs, which will probably happen if you connect your wallet and try to mint. This happened recently when the Bored Ape Yacht Club Instagram account was hacked where they posted a fake minting link for the land sale. This resulted in over $13m of NFTs being stolen and is now considered one of the biggest heists ever.
As mentioned above, if you do connect, you could grant permission to the scammer to empty your wallet like what happened with Bored Ape owners through the Instagram link. If this happens and you realize it straight away, you must revoke all permissions in your wallet. You can do this via Etherscan or a more user-friendly website called revoke.cash.
3) Don’t connect to a site to ‘animate’ your NFT / unsolicited NFT airdrops
There have also been instances of 'animators' saying they can animate a person's NFT for free (or at a small cost) to make it look cooler. Again, 99% of these offers are scams! They will probably send you a link to a site with a malicious smart contract, and if you approve it, you authorize the scammer to take the NFT you wanted animated.
You might find that you have NFTs airdropped to your wallet that you don't recognize. On Opensea, these usually go into your hidden folder. Do not ever interact with them. If you try to sell them or transfer them out of your wallet, you could get hacked. It's best to just leave them there or move to hidden (which I understand is safe to do) if they're in your main folder.
4) Trading NFTs
You might know that it's possible to use websites to trade one NFT for another (E.g. trading a Doodle for an Azuki) and it can be done safely. But scammers are becoming more sophisticated and are socially engineering people to trade their NFTs for a fake collection (E.g. you trade a Doodle and the scammer sends back a fake Azuki derivative), but on the trading website, it looks legit.
Also, it's best to avoid trading with others on Discord channels too. A lot of the people you speak to will try to get you to connect your wallet to a dodgy website which will drain your funds. I've read of people speaking to these scammers for weeks or months before the scam occurs, which is crazy - so I suggest just having a rule not to connect to trading sites whatsoever for now.
Until a fully safe system is put in place, e.g. on Opensea or a similarly large competitor, it's probably not worth trading NFTs, unfortunately.
5) Google Sheets and phishing emails/websites
For some projects, as you may be aware, you need to fill out forms such as Google Sheets to enter raffles or add your details to an allow list to mint the project. Recently, sophisticated scammer groups have started putting malicious code/macros in files that look like Google Sheets (or in Google Sheets itself), which, if you open them, may be able to get access to your whole wallet or sensitive information on your computer. So it's best to avoid opening Google Sheets on the same device as your crypto/NFT wallet for now, until it's confirmed this issue no longer exists.
It would be wise to be wary of opening any kind of document that you're not expecting, e.g. if it's sent via email or via a Discord DM (if you haven't closed them yet!).
Additionally, be wary of phishing emails e.g. emails that look like they're from Opensea and have links in them. Do not click those links, instead, look for them on the Opensea website and access them from there if relevant. And favorite any upcoming mint websites/ other commonly used NFT websites. E.g. I use LooksRare for NFT trading often. But recently I googled 'Looksrare' to access it and the first link was a sponsored link to a fake LooksRare! I almost connected my wallet but somehow realized the layout was slightly different and then I double-checked the link and noticed the spelling was off, so luckily I did not get scammed. I now only access LooksRare through my bookmarks.
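The sponsored-link story above is the usual pattern: the fake site's hostname is almost, but not quite, the one you know. As an added example (not from the article), here is a small Python check that compares the hostname of a URL you are about to connect a wallet to against a bookmarked allowlist, flagging look-alike domains. The BOOKMARKS set is an assumed allowlist, the two-label "registrable name" rule is a simplification (no public-suffix list), and the URLs in the usage section are constructed.

```python
# Added example, not part of the article: flag URLs whose hostname is not one
# of your bookmarked NFT sites but looks like one (typo, extra labels, or a
# non-ASCII/punycode hostname). BOOKMARKS is an assumed allowlist.
from urllib.parse import urlsplit

BOOKMARKS = {"opensea.io", "looksrare.org"}  # assumed: the sites you bookmarked


def _levenshtein(a: str, b: str) -> int:
    """Edit distance; used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str, allowlist=BOOKMARKS) -> dict:
    """Return a verdict ('bookmarked', 'suspicious' or 'unknown') plus reasons."""
    host = (urlsplit(url).hostname or "").lower()
    try:
        ascii_host = host.encode("idna").decode("ascii")  # punycode form of IDN hosts
    except UnicodeError:
        ascii_host = host
    labels = ascii_host.split(".")
    registrable = ".".join(labels[-2:])  # simplification: last two labels only
    if registrable in allowlist and len(labels) <= 3:
        return {"verdict": "bookmarked", "host": host, "reasons": []}

    reasons = []
    if not ascii_host.isascii() or "xn--" in ascii_host:
        reasons.append("hostname uses non-ASCII / punycode characters (possible homoglyph)")
    for good in allowlist:
        if good in ascii_host and registrable != good:
            reasons.append(f"contains '{good}' but the real domain is '{registrable}'")
        dist = _levenshtein(registrable, good)
        if 0 < dist <= 2:
            reasons.append(f"near-miss of '{good}' (edit distance {dist})")
    verdict = "suspicious" if reasons else "unknown"
    return {"verdict": verdict, "host": host, "reasons": reasons}


if __name__ == "__main__":
    # Constructed URLs: one real bookmark, a typo, a subdomain trick, and an unrelated site.
    for u in ["https://opensea.io/collection/example",
              "https://looksrar.org/collections",
              "https://looksrare.org.claim-drop.example/mint",
              "https://example.org/"]:
        r = check_url(u)
        print(r["verdict"].upper(), u, *r["reasons"], sep="\n  ")
```

The point is not that this script is a substitute for bookmarks, but that every "suspicious" line it prints is something a human would have to read carefully from the address bar, which is exactly what the sponsored-link scam counts on you not doing.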
And on a similar note, if you use Google Chrome, keep it up to date at all times as there have been some security flaws identified in older versions recently.
Some precautions to take
Here are some best practices to avoid scams or mitigate losses if you fall for one. It’s honestly more common than you might think, so it’s worth keeping these points in mind if you haven't already:
Double-check and triple-check links - only take them from the official project's Twitter / Discord page and, if in doubt, check with others in the Discord first. Don't rush with opening links or connecting your wallet - it's better to miss out on one project than lose all your assets.
Double and triple-check what permissions you’re giving when you connect your wallet.
Use a ‘burner’ wallet to mint new NFTs. If you can, use a separate wallet that doesn’t have all of your valuable NFTs/crypto, to connect to sites and mint.
If you realize you've connected to a dodgy site, use Revoke.Cash or Etherscan to quickly revoke all approvals, as mentioned above. This will stop the scammer from transferring everything out of your wallet. To be extra safe, move all your assets to a new wallet immediately once you have revoked access, and never use the compromised wallet again.
Use a 'cold' wallet such as a Ledger or Trezor device for the wallet with your valuable assets, which will help prevent assets from being stolen if you do connect to a dodgy website. With that said, if you grant certain permissions you may still not be safe, so if you do fall victim to a scam, follow step 3 above immediately. Stick to using a 'burner' wallet where possible.
Never share your secret recovery phrase with anyone, not even Metamask. They will never ask you for this, so anyone who does is a scammer. Metamask does not have a support service, so if you get people on Twitter commenting or messaging you pretending to be from Metamask, just block or ignore them. Do not provide any details, especially your seed phrase, and do not click any links!
Whilst it is scary out there, given the number of scams you can fall victim to, if you take sensible steps, proceed cautiously, and don't FOMO, you should be fine. Here are a few NFT thought leaders who have useful tweets on this topic in case you want to learn more:
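Two of the precautions above, checking what permission you are granting when you connect, and revoking it afterwards, come down to two contract functions: setApprovalForAll(operator, approved) on ERC-721/ERC-1155 collections and approve(spender, amount) on ERC-20 tokens. As an added example (not code from the article or from Revoke.Cash/Etherscan), the Python below decodes the hex "data" field a wallet shows for a pending transaction, says in plain words what signing it would allow, and builds the calldata that undoes it, which is what a revoke tool submits on your behalf. The function selectors are the standard ones; the operator and spender addresses in the samples are constructed placeholders.

```python
# Added example, not from the article: decode an approval transaction's calldata,
# explain the permission it grants, and produce the matching revocation calldata.
# Selectors are the standard ERC-20/721/1155 values; sample addresses are placeholders.

UINT256_MAX = (1 << 256) - 1

# First 4 bytes of keccak256(signature).
SELECTORS = {
    "a22cb465": ("setApprovalForAll", ["address", "bool"]),  # ERC-721 / ERC-1155
    "095ea7b3": ("approve", ["address", "uint256"]),          # ERC-721 (tokenId) or ERC-20 (amount)
}
ZERO_ADDRESS = "0x" + "00" * 20


def _strip0x(h: str) -> str:
    return h[2:] if h.lower().startswith("0x") else h


def decode_calldata(hexdata: str) -> dict:
    """Parse selector + 32-byte ABI words for the two approval functions."""
    data = bytes.fromhex(_strip0x(hexdata))
    if len(data) < 4:
        raise ValueError("calldata too short")
    selector = data[:4].hex()
    if selector not in SELECTORS:
        return {"function": None, "selector": selector, "args": []}
    name, types = SELECTORS[selector]
    args = []
    for i, typ in enumerate(types):
        word = data[4 + 32 * i: 36 + 32 * i]
        if len(word) != 32:
            raise ValueError("calldata truncated")
        if typ == "address":
            if any(word[:12]):                      # addresses are left-padded with zeros
                raise ValueError("non-zero padding in address word")
            args.append("0x" + word[12:].hex())
        elif typ == "bool":
            args.append(int.from_bytes(word, "big") != 0)
        else:
            args.append(int.from_bytes(word, "big"))
    return {"function": name, "selector": selector, "args": args}


def assess(decoded: dict, erc20: bool = False) -> dict:
    """Plain-words summary of what the counterparty could do once this is signed."""
    fn, args = decoded["function"], decoded["args"]
    if fn == "setApprovalForAll":
        if args[1]:
            return {"risk": "high", "summary": f"operator {args[0]} may transfer EVERY token you hold in this collection"}
        return {"risk": "none", "summary": f"revokes operator {args[0]}"}
    if fn == "approve" and erc20:
        unlimited = args[1] == UINT256_MAX
        amount = "an UNLIMITED amount" if unlimited else f"{args[1]} units"
        return {"risk": "high" if unlimited else "medium", "summary": f"spender {args[0]} may move {amount} of this token"}
    if fn == "approve":
        if args[0] == ZERO_ADDRESS:
            return {"risk": "none", "summary": f"clears the approval on token #{args[1]}"}
        return {"risk": "medium", "summary": f"{args[0]} may transfer token #{args[1]}"}
    return {"risk": "unknown", "summary": f"unrecognised selector 0x{decoded['selector']}"}


def _encode(selector: str, address: str, value: int) -> str:
    """ABI-encode (address, uint256/bool) after the 4-byte selector."""
    return "0x" + selector + _strip0x(address).lower().rjust(64, "0") + value.to_bytes(32, "big").hex()


def revocation_calldata(decoded: dict, erc20: bool = False) -> str:
    """Calldata that undoes the approval (what Revoke.Cash-style tools submit for you)."""
    fn, args = decoded["function"], decoded["args"]
    if fn == "setApprovalForAll":
        return _encode("a22cb465", args[0], 0)             # setApprovalForAll(operator, false)
    if fn == "approve" and erc20:
        return _encode("095ea7b3", args[0], 0)             # approve(spender, 0)
    if fn == "approve":
        return _encode("095ea7b3", ZERO_ADDRESS, args[1])  # approve(address(0), tokenId)
    raise ValueError("nothing to revoke")


# Constructed samples of what a drainer site typically asks you to sign.
SAMPLE_APPROVAL_FOR_ALL = "0x" + "a22cb465" + "00" * 12 + "11" * 20 + "00" * 31 + "01"
SAMPLE_UNLIMITED_ERC20 = "0x" + "095ea7b3" + "00" * 12 + "22" * 20 + "ff" * 32

if __name__ == "__main__":
    for label, data, is20 in [("NFT setApprovalForAll", SAMPLE_APPROVAL_FOR_ALL, False),
                              ("ERC-20 approve", SAMPLE_UNLIMITED_ERC20, True)]:
        d = decode_calldata(data)
        print(label, assess(d, erc20=is20), "revoke with:", revocation_calldata(d, erc20=is20), sep="\n  ")
```

Whether a given approve() call is an ERC-20 allowance or an ERC-721 token approval depends on the contract being called, not on the calldata, which is why the erc20 flag is passed in; in a wallet prompt the contract address tells you which. A "high" result on a site you did not expect to need transfer rights over your whole collection is the moment to reject the prompt.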
Zachxbt has some great tweets about scams: https://twitter.com/zachxbt
Richerd has some great threads on cyber security: https://twitter.com/richerd
NFTethics has great threads about project rugs/scams: https://twitter.com/NFTethics
imBagsy has great tweet-storms on what precautions to take when minting NFTs: https://twitter.com/imBagsy