Scammers are forever coming up with more sophisticated ways of accessing your crypto-assets. This resource sheds light on the relatively new types of scams that have become increasingly common in 2022.
(If you’re after content on spotting the more established types of scams, head to How to Identify & Avoid Crypto Scams. More best practices are shared in What To Do If You Lose Cryptocurrency To Scammers.)
A common type of crypto-related scam is an impersonation scam. An impersonation scam is when a scammer pretends to be an influencer, admin, or founder in an attempt to steal crypto from a user. A common impersonation tactic utilised by scammers is to offer users paid services while impersonating an influencer. For example, many scammers are impersonating popular crypto traders offering to manage funds for individual users. If a user is tricked into sending funds to the scammer, the scammer will run away with the funds.
Another impersonation scam is where scammers impersonate project admins or founders. These scams usually originate on Discord or Twitter after a user publicly asks for community help. Scammers will see the user participating in a community and then directly message the user while impersonating a prominent figure such as an admin or team member. Often the scammer will have a remarkably similar username to the person they are impersonating. The scammer may offer to help a user solve their problem, but the scammers ultimately try to convince the user to disclose sensitive information.
A popular tactic by impersonation scammers is to convince users to share their screen and display the user MetaMask QR code, accidentally allowing the scammer access to the user MetaMask.
Traditional Phishing Attacks
Scammers are also re-packaging traditional phishing scams into Web3 projects by falsely navigating users to a fake MetaMask pop-up, prompting them to enter their seed phrase. Once the user enters their phrase, the wallet is compromised.
Scammers use various methods to trick users into submitting their seed phrases. The most common approach is direct messages on Discord inviting users to a private Discord server or to mint an NFT.
The invitation may take the user to a fake Discord server, where a phony Collab.Land Bot is used to gather wallet information. Alternatively, the DM may take the user to a phony minting website where users input their information.
Another phishing attack is a scammer creating a fake website and purchasing Google ads to make their website look legitimate. For example, a scammer may create a fake webpage mimicking the user experience of Compound, then buy Google ads to make their website a top result if someone searched ‘Compound’. Users may mistake the website for the actual protocol and accidentally disclose their seed phrase.
Scammers also use more traditional phishing attacks such as fake emails or promotional posts linking to a phony website where users wrongly input details. Examples include fake emails pretending to be OpenSea notifying users of a fake NFT bid or fake giveaways where users need to register with their wallets.
Web3 Phishing Attacks
Web3 phishing attacks are similar to regular phishing attacks, but instead of tricking users into entering sensitive information, users are tricked into interacting with predatory smart contracts.
Typical Web3 phishing attacks begin with scammers airdropping ERC-20 tokens or an NFT to a targeted user. If the user wants to interact with the tokens, they will need to ‘Approve’ the token with a wallet signature. Unless the user has audited the code within the token, they have no idea what code will be executed when they ‘Approve’ the token. In many instances, the code that runs will be malicious, resulting in attackers gaining access to the user’s wallet.
There have been a growing number of Web3 phishing attacks going around crypto Twitter. There are many instances of scammers airdropping victims and the NFT then making a small bid on the NFT, tricking the user into approving the NFT for sale. Similar stories have appeared involving ERC-20 tokens where scammers provide liquidity to a Uniswap pool to make the token look legitimate.
Collective Shift Best Practices
Collective Shift research team has pooled together a list of best practices to keep funds secure in response to the uptick in crypto-related scams.
General Best Practices
- Never expose your seed phrase to unknown parties.
- Never show your MetaMask QR code to unknown parties.
- Diversify funds across multiple wallets.
- Keep most funds in a cold storage wallet such as a ledger.
Best Practices to Avoid Imposter Scammers
- If it sounds too good to be true, it probably is.
- Double-check the person you are messaging is not an imposter. An easy way to do this is to find the person’s verified profile (i.e., navigate to their Twitter profile or click their prominent profile within a discord server) and then send them a direct message through the verified channel. If the message appears in a new conversation, you know it is an imposter.
Best Practices to Avoid Traditional Phishing Attacks
- Go through official channels to navigate to protocol webpages for the first time.
- Always double-check the protocol’s URL before inputting any information.
- Avoid fake Collab.Land bots in discord by viewing your conversation history. You will likely have an existing conversation with the real Collab.Land bot from previous verifications.
Best Practices to Avoid Web3 Phishing Attacks
- Do not interact with any airdrops you did not claim.