Scam Protection Guide: What You Need To Know To Avoid Crypto & NFT Scams

Unfortunately, crypto scams are common. This resource explains typical crypto scams and helps you understand the tricks that scammers use in an effort to steal your cryptocurrencies or non-fungible tokens (NFTs).

See the bottom of the resource for all of Collective Shift’s resources on scams and security best practices, as well as where to go if you’re unsure about a possible scam.

Follow Twitter Accounts That Spot Scams & Do Your Due Diligence

Some Twitter accounts, such as NFT Ethics and zachxbt, actively point out crypto scams. A group of 18 crypto organisations created the NFT Security Group. In particular, zachxbt is elite in exposing malicious actors and shady projects.

These can serve as a good learning tool to understand the risks and help avoid rug pulls (i.e. when the project founders run away with the funds and abandon the project).

Tip: If you’re looking at investing in a cryptocurrency or NFT, it’s worth searching for the project in these accounts’ Twitter history to see if it is associated with any shady behaviour.

Be Careful With Influencer & Celebrity Endorsements

Unfortunately, many cryptocurrency influencers and celebrities may be paid to promote a project, NFT or cryptocurrency.

Tip: Due to a lack of regulation, many of these paid promotions are undisclosed and carry no disclaimers. Take them with a grain of salt; they can often be a red flag.

Double Check Airdrops Before Claiming

Airdrops happen when a crypto organisation or platform gives away cryptocurrency to active participants in a blockchain, dApp or platform.

Wait to see if the contract is legitimate before claiming an airdrop: Everyone loves an airdrop and the allure of free money—but remember to see if the contract address is verified and the contract is safe.

You can do this by commenting in the community or waiting for trustworthy individuals to verify the contract.

Some warning signs that the airdrop may not be legitimate include:

  • Founders not answering questions or providing little detail.
  • An added fee to claim (on top of gas) which goes to the developers.
  • No social media presence.
  • Tokens cannot be traded or swapped.
  • There is no use case for the tokens.

Tip: If you claim an airdrop without checking that it’s authentic and safe, you may be interacting with a smart contract that the creator has programmed to do something malicious. Always check before claiming.

Leave any unknown cryptocurrency you were airdropped: A common scam involves individuals airdropping tokens to random wallets. You might see in Etherscan that you have some cryptocurrency you didn’t buy or don’t recognise.

If you trade these tokens via a DEX or their own platform, signing the transaction could give a hacker access to your wallet and MetaMask.

[Etherscan screenshot: Ignore suspicious tokens you did not buy yourself.]

Tip: Simply leave these tokens in your address and do not move them.

Check the Authenticity of an NFT Collection

Due to the permissionless nature of blockchains, anyone can create an NFT and sell it on an NFT marketplace.

Two essential best practices before pulling the trigger include:

  1. Check if the collection is verified on OpenSea: Verified collections have a blue checkmark beside the collection name. (Some scams will put the blue checkmark in the picture to fool you.)

     [Image: Fake BAYC listing]
     [Image: Official BAYC listing]

  2. Reverse image search the NFT: Sometimes scammers may plagiarise an artist’s work without their knowledge and sell it on OpenSea. To see if it appears elsewhere, perform a reverse image search.

  3. Learn to spot a scam on OpenSea: Signs of a fake collection include a smaller collection size, a much lower price than the current floor, or low to no sales volume.

Be on Phishing Alert

Phishing is when someone sends you an email or a message that leads you to a fake site—sometimes, they even appear in Google.

A common scam designed to steal your NFTs is a phishing email claiming you have an offer on one of your NFTs. To see if it’s legitimate, analyse the URL and email format. If you aren’t sure, go directly to your OpenSea account via the official link.

Tip: Dive deeper into phishing scams through our Beginner Course lesson What is Phishing and in our resource Guide to the Latest Wave of Crypto Scams.

Use Bookmarks & Only Click Official Links

To avoid phishing sites and other nefarious actors, it’s best practice to bookmark your most-used platforms rather than reaching them through Google search.

Tip: If you aren’t sure if it’s an official link, head to the project’s official Twitter or Discord where they will supply official resources and links.
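
As an added illustration (not part of the original guide), here is one way to automate the URL check from "Be on Phishing Alert" together with the bookmark habit above. It assumes your bookmarked hosts are listed in OFFICIAL_HOSTS; check_link is a hypothetical helper name, and the sample links are constructed under the reserved .example domain.

```python
from urllib.parse import urlsplit

# Assumption: hosts you have bookmarked as official. opensea.io is the
# marketplace named in this guide; add your own bookmarks to the set.
OFFICIAL_HOSTS = {"opensea.io"}

def check_link(url, official_hosts=OFFICIAL_HOSTS):
    """Hypothetical helper: return (verdict, reasons) for a link from an email or DM."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    except ValueError:
        return "suspicious", ["URL could not be parsed"]
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:
        reasons.append("text before '@' is not the site; the real host is " + host)
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        reasons.append("look-alike characters possible (non-ASCII or punycode host)")
    # Trusted only if the host IS a bookmarked host or a subdomain of one.
    trusted = any(host == h or host.endswith("." + h) for h in official_hosts)
    if not trusted:
        for h in sorted(official_hosts):
            brand = h.split(".")[0]
            if brand in host:
                reasons.append(f"mentions '{brand}' but is not {h}")
        reasons.append("host is not in your bookmarked list")
    return ("ok" if not reasons else "suspicious"), reasons

# Constructed sample links, not real sites.
SAMPLES = [
    "https://opensea.io/account",                    # the bookmarked site
    "http://opensea.io/",                            # right host, no TLS
    "https://opensea.io.offer-claim.example/login",  # brand used as a subdomain
    "https://opensea.io@offers.example/accept",      # brand placed before '@'
    "https://xn--opensea-constructed.example/",      # punycode label
]

if __name__ == "__main__":
    for link in SAMPLES:
        verdict, reasons = check_link(link)
        print(f"{verdict:10} {link}  {'; '.join(reasons)}")
```

A link that comes back "suspicious" should not be clicked; open the platform from your bookmark instead.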

Analyse the Team & Be Careful of Anons

Being anonymous in the crypto space is quite common. After all, Satoshi Nakamoto was anonymous—and this isn’t to say all anonymous builders are bad. 

However, there’s been a noticeable increase in anonymous developers coming from nowhere to launch NFT sets and cryptocurrencies. 

Ask yourself critical questions about the team (whether they are public or anonymous):

  • Have they built a dApp before?
  • Do they have a public profile and what’s their experience?
  • When did they start building?
  • Do their Discord, Twitter or other social media accounts have a suspiciously large number of followers gained in a short amount of time?
  • Are they withholding information, working to an unrealistic timeline or overpromising?
  • Do they withhold vital information and lack transparency?
  • Is the team active in their Discord community?
  • Is there an excessive focus on profit and a promise of guaranteed returns?

Tip: If the team has raised funds, they have likely doxed themselves to VCs, which increases their legitimacy.

Be Careful With Discord & Telegram Direct Messages

Telegram and Discord are beneficial tools; however, they are plagued by scammers who private message you. Admins or projects will never DM you first or send unsolicited exclusive offers, promotions or airdrops.

Tip: Turn off your Discord DMs and never share your private keys.

[Image: A scam DM in Discord]

Move the Majority of Your Crypto-Assets Away From Your Daily Wallet

Cold storage (securing your crypto assets off any internet connection) is the best way to reduce the risk of losing your crypto assets.

Moving a sizable stack of crypto assets you don’t need daily access to into cold storage helps mitigate centralisation risk.

If you’re hacked (it can happen to the best of us), you’ll only lose a small portion of your total assets—many people have been hacked and lost everything because they kept all their assets in the one MetaMask wallet.

Tip: When participating in riskier protocols, newly established projects or NFT mints, it’s wise to use a separate wallet expressly for this purpose.

Remember the Basics

  • Keep your private keys to yourself: Never share your seed phrase, private key or backup phrase with others (the only exception is if you are restoring a wallet, and then only after double-checking the legitimacy of the website).
  • Keep your recovery phrase offline: Avoid storing your seed phrase or recovery phrase anywhere that is connected to the internet.
  • 2FA is a must: Activate 2FA on all exchange accounts.
  • Too good to be true? If it’s too good to be true it probably is. 
  • Maintain good risk management: It can be best practice to ensure the NFT or cryptocurrency is only a small fraction of your overall portfolio.

Relevant Collective Shift Resources

We have a lot of resources available for you to consume if you want to learn more about scams or crypto security.