NFT Safety Best Practices
The NFT and crypto space is moving at lightspeed. While we’re all excited about the new possibilities, scammers are working around the clock, constantly coming up with new ways to trick people and relieve them of their NFTs and crypto.
In this constantly evolving space, the most reliable way to stay safe is to have a set of solid fundamentals and best practices. That’s why we worked with our amazing community to put together this growing list of NFT safety principles to help you stay safe.
Let’s dive into the best practices.
Don't click links from DMs
This is one of the most popular ways to scam people. Scammers create all kinds of impostor websites, then DM you the link so that you’ll be fooled into interacting with them.
I’ve seen people create scam imitations of everything: OpenSea, Collab.Land, project mint pages, and more. Nothing good comes from random DMs.
Don't enter your seed phrase anywhere
You should never have to type your seed phrase anywhere.
Your seed phrase is used as a backup method to recover your wallet. It will never be used to log in or authenticate anything.
Keep your seed phrase safe. You will only need to use it if you’ve completely lost access to your wallet. Don’t treat it lightly.
Don't sign into fake MetaMask prompts
Fake MetaMask interfaces are a popular way to scam people and trick them into sharing their seed phrase. You’ll usually encounter this type of page after following a link in a scam DM, most often from fake Collab.Land accounts.
If you legitimately need to sign in to MetaMask, close all of your pending requests to be safe, then sign in of your own accord by clicking your browser extension.
See the fake MetaMask popup scam in action at this Tweet.
Make sure you're on legitimate websites
Scam websites are popular. I’ve seen fake versions of OpenSea, Collab.Land, project sites, and more.
There are many creative ways that scammers will trick you into going to these pages, including:
- Pretending to be Collab.Land
- Hijacking a Discord Server’s webhook or bot, and posting fake links in #announcements
- Pretending to be a mod or support
- Sending you a “too good to be true” OS deal
- And the list goes on… Use your principles to stay sharp.
Always double-check the URL of the page you’re on, and make sure that you’re in the right place.
Don't store your seed phrase on any device
Do not store your seed phrase digitally. Anywhere.
This is one of the easiest and most avoidable ways to get your seed phrase compromised. Don’t let hackers get easy access.
Keep your seed phrase written down on something physical, and then keep that somewhere safe. Never save your seed phrase or any sensitive information on your computer.
Use a hardware wallet
Always take your time
Don’t rush into things. Avoid FOMO. Take your time and make good decisions. Scammers take advantage of your speedy mistakes.
The downsides of rushing are usually much higher than any potential gains you could make.
Use 2FA whenever possible
Two Factor Authentication will help keep you safe in case your password is ever compromised.
For best results, use an authenticator app, since text message 2FA is vulnerable to SIM swap attacks.
Common Ways People Will Try To Scam You
We’ve covered some best practices that you should always follow. Now let’s dive into some of the specific ways that people will try to scam you, and how to avoid them.
Fake Collab.Land DMs
People will make fake Collab.Land accounts and DM you to trick you into connecting your wallet to their scam website.
The real Collab.Land bot will have a verified bot checkmark by their username. Double check that you’re communicating with the real bot before moving forward.
The real Collab.Land website takes you to roll.collab.land to connect your wallet. Make sure it’s not an impostor website using the letter “i” in place of the “L” in its URL.
See this explainer video on Twitter for an example of what this looks like, and how to check if you’re interacting with the real Collab.Land bot.
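The URL check described above can be done mechanically instead of by eye. The following is an added example, not code from Collab.Land or from the original page: it accepts only an exact hostname match and flags hosts that imitate a trusted name with look-alike characters. The allowlist contents, the small confusables table and the function names are assumptions made for illustration; only roll.collab.land comes from the page.

```javascript
// Added example. TRUSTED is an assumed allowlist; only roll.collab.land is from the page.
const TRUSTED = ["roll.collab.land"];

// Reduce a hostname to a "skeleton" in which visually confusable characters
// collapse to one representative. This table is small and illustrative, not complete.
function skeleton(host) {
  return host
    .toLowerCase()
    .replace(/rn/g, "m")      // "rn" reads like "m"
    .replace(/[il1|]/g, "l")  // i, I, l, 1 and | read alike in many fonts
    .replace(/0/g, "o");      // zero reads like "o"
}

function classifyUrl(input) {
  let url;
  try {
    url = new URL(input);
  } catch {
    return { verdict: "invalid", reason: "not a parseable URL" };
  }
  if (url.protocol !== "https:") {
    return { verdict: "untrusted", reason: "not https" };
  }
  // URL lowercases the hostname; drop a trailing dot before comparing.
  const host = url.hostname.replace(/\.$/, "");
  if (TRUSTED.includes(host)) {
    return { verdict: "trusted", reason: "exact allowlist match" };
  }
  // Non-ASCII hostnames are serialized as punycode labels starting with "xn--".
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { verdict: "lookalike", reason: "internationalized hostname" };
  }
  for (const good of TRUSTED) {
    if (skeleton(host) === skeleton(good)) {
      return { verdict: "lookalike", reason: `imitates ${good}` };
    }
  }
  return { verdict: "untrusted", reason: "hostname is not on the allowlist" };
}

// Constructed sample inputs: the real host, then the "i" for "L" swap the page warns about.
for (const u of ["https://roll.collab.land/connect", "https://roll.coIlab.land/connect"]) {
  console.log(u, "->", classifyUrl(u).verdict);
}
```

Only the "trusted" verdict means the page is the one you intended to visit; every other verdict should be treated as a reason to stop.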
Fake minting websites
Scammers will make a fake version of the website with a mint function. This will steal your ETH, or worse, drain your whole wallet. This can be easily avoided if you take your time.
To avoid this, you need to double-check that you’re on the correct website. Follow links from official sources. Never move too fast, and don’t be fooled by FOMO like “There are only 150 left! Limited mint! Go now! Next BAYC!”
Fake service websites
Services like Collab.Land are prone to impersonator websites. These will get traffic by pretending to be Collab.Land and DMing people to connect their wallet, then steal their assets.
Fake MetaMask Popups
Malicious websites will use a fake MetaMask popup to steal your information. We’ve detailed this above, but it’s worth mentioning again. This is one of the most damaging and common scams you will encounter.
Fake Prizes
Sorry, but you probably haven’t won a random contest out of nowhere. Scammers will take advantage of your excitement and trick you into slipping up, especially if you have to “act fast!”
Don’t be fooled by the prospect of something for free. If it seems too good to be true, it probably is.
Fake OpenSea Websites
Fake OpenSea impersonator websites will trick you into trying to buy a good deal.
When you try to buy, it will ask you to “Log in” with a fake MetaMask popup, or just take your ETH.
Fake OpenSea Emails
Scammers will send you fake “Your item sold” or “You have an offer” emails.
Once you go to their fake OpenSea website, they’ll use the usual methods to steal your information.
Fake Support
People will pretend to be a support member and try to help you. Then they trick you into sharing your private details. This is one of the most devastating ways people get scammed since they usually lose their entire MetaMask account.
This will happen on Discord, Twitter, Email, and anywhere else you can imagine. Use your best practices and don’t be fooled!
Screenshares
Never share your screen with strangers.
If someone sees your MetaMask QR code on a screen share, your wallet will be compromised.
Your Discord account can also be compromised during what seems like a harmless screen share, which is why Discord has included warnings in the console.
Just don’t screen share. It’s not worth it. They will lure you into a false sense of security and trick you into slipping up for something that seems harmless.
Social Engineering
People will pretend to be a support member, your friend, a team member, project owner, celebrity, influencer, and more. Once they’ve tricked you into trusting them, they’ll try one of the scams mentioned above.
Closing Thoughts
NFTs bring a broader audience to the blockchain. We’re going to be seeing scams in this space for quite some time, so it’s best that you protect yourself early. Scammers are good at what they do, and if you aren’t careful, you can fall victim very easily.
Always be vigilant. Use your common sense and never let your guard down. Remain skeptical and always double check who you’re talking to. You can never be too careful.
Did you find these tips useful and want to help stop scammers? Share this page on Twitter.
Do you have any safety tips or best practices that we should include on this list? Come visit us in Discord and let us know in our Best Practices channel.
Stay safe, and see you in the lab.