It seems not a day goes by without news of a new type of crypto scam. They can be nontrivial, like the hack of Beeple’s Twitter account a couple of weeks ago, but the oldest tricks in the book also seem to be widely used. Use the practical advice in this guide to avoid falling for a crypto scam!
The Most Common Types of Scams in Crypto
The aforementioned hack of renowned NFT artist Beeple happened on May 23. Attackers placed a link that masqueraded as a website dedicated to a recently unveiled collaboration between the artist and fashion brand Louis Vuitton.
In fact, this is probably the most common type of crypto scam there is. Users who click the links are taken to a website which either has a form to input data (such as private keys) or gains access to the user’s wallet automatically.
How to recognize phishing?
- A link may look like a legitimate site but have a slightly different URL;
- The website requests data, such as private keys, that grants access to the funds in a wallet.
How not to fall for a phishing link?
- Do not open links or files in suspicious-looking emails or DMs. It is best to open a website from the URL directly or from a bookmark: search engines sometimes put phishing links on top as promoted results;
- Do not enter sensitive data in an unreliable form, even in wallets. Sometimes scammers create fake crypto wallets and gain access to funds by asking the user to input their mnemonic phrase.
Social Engineering Attacks
Another common vector of attack not only in crypto but tech as a whole is the user themselves. Phishing is an adjacent form of such scams, and you will see why.
Very often, it is not even necessary to set up a fake website, construct a protocol or come up with an elaborate scheme. Sometimes, scammers get to your money by getting you to trust them (and sometimes by extortion).
Let’s have a look at a couple of examples: take the Twitter hack of 2020. A hundred-something verified accounts, from Apple to Barack Obama, tweeted out a message: send some Bitcoin to a specified address and get double back. You wouldn’t trust any random bot account but when it comes from CZ or Coinbase, at least someone is inclined to think they truly are “giving back to community” this way.
Of course, there are more inventive ways to part people from their money by playing with their feelings and emotions — sometimes, more literally than figuratively. Cointelegraph reported that Silicon Valley has been overtaken by a wave of ‘pig-slaughtering’ or butchering scams.
In this type of scam, users match with scammers or their accomplices in dating apps, who then spend weeks winning a victim’s trust and getting them to send crypto to scammers through a dodgy website or address. Given the Silicon Valley demographics, the victims of these scams may be more tech savvy than an average Joe — but they are not immune to such predatory practices.
How to recognize a social engineering attack?
- You are being asked or persuaded to take actions you would normally choose not to take;
- The persuasion comes from someone who masquerades as a party you are inclined to trust — for example, a support service member.
How to not fall for a social engineering attack?
- Don’t trust, verify — one of the main principles of crypto! For example, if you are approached by someone who claims to represent a service, it wouldn’t hurt to check whether they are really affiliated with it;
- Take responsibility for your own choices. When things get sketchy, if you have the luxury to dip out, use it.
To no one’s surprise, the NFT market has also brought an array of “new and exciting” ways of scamming people. In the NFT scene, it is arguably even worse than in crypto at large.
Of course, you have phishing and social engineering attacks here too, and the advice above still applies. However, you should also watch out for counterfeit tokens.
This could mean NFTs minted from a stolen artwork, or NFTs which will drain your wallet should you so much as transfer them yourself. With the first, you could end up with a token with a link leading to a DMCA takedown notice instead of the artwork, and there is not much you can do about the second one, either.
How to recognize scams in the NFT market?
- The token seems to have an overly inflated trading history. This is usually a telltale sign of a token whose price has been inflated by wash trading;
- The token comes from an unverified source. Like suspicious files, it can contain a script;
- The pop-up window or the web page you’re interacting with requests too much information. Anti-phishing precautions apply here, too!
How to not fall for an NFT scam?
- Perform due diligence. It is best to check with the artist themselves whether they are the ones selling the tokens and on which platform;
- Keep up with the news. Hacks and leaks are usually promptly made public;
- Blockchain literacy is your friend. If you link back trades of an NFT to a few addresses flipping it between each other — congratulations on blowing a wash trade’s cover.
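The last check above, tracing an NFT's trades back to a few addresses passing it among themselves, can be sketched as follows. This is an added example, not part of the original guide; the sale records, addresses and thresholds are constructed assumptions, and in practice the history would come from a block explorer export.

```python
from collections import Counter

# Constructed sale histories for two tokens: (seller, buyer, price), oldest first.
WASHED = [("0xA", "0xB", 1.0), ("0xB", "0xC", 2.0), ("0xC", "0xA", 4.0),
          ("0xA", "0xB", 8.0), ("0xB", "0xC", 16.0), ("0xC", "0xA", 32.0)]
ORGANIC = [("0xA", "0xD", 1.0), ("0xD", "0xE", 1.2),
           ("0xE", "0xF", 1.1), ("0xF", "0x10", 1.5)]

def wash_trade_report(sales, min_trades=4, return_threshold=0.5):
    """Heuristic: how often does the token go back to an earlier owner?

    min_trades and return_threshold are illustrative assumptions,
    not established cut-offs.
    """
    previous_owners = set()
    returns = 0
    pair_counts = Counter()
    for seller, buyer, _price in sales:
        previous_owners.add(seller)
        if buyer in previous_owners:
            returns += 1  # bought by an address that already held it (or by itself)
        pair_counts[frozenset((seller, buyer))] += 1
    addresses = {addr for s, b, _ in sales for addr in (s, b)}
    ratio = returns / len(sales) if sales else 0.0
    return {
        "trades": len(sales),
        "addresses": len(addresses),
        "return_ratio": ratio,
        "busiest_pair": max(pair_counts.values(), default=0),
        "suspicious": len(sales) >= min_trades and ratio >= return_threshold,
    }

if __name__ == "__main__":
    for name, history in (("washed", WASHED), ("organic", ORGANIC)):
        print(name, wash_trade_report(history))
```

A high return ratio on a rising price is a reason to look closer, not proof: the same person can also trade through fresh addresses that this check does not link.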
Pump-and-dump & rug pull
Both of these refer to a trading scheme as old as the stock market but made even more popular in the crypto space. In these events, the price of a token is inflated through trading by insiders, who then sell at the top and drive the price back to the ground.
One of the better-known recent examples of a rug pull was the SQUID token. The memecoin rallied 45,000% before coming down to (almost) zero.
The red flags were there but somehow the team managed to escape with $3 million in liquidity. You wouldn’t want such things to happen at your expense, would you?
How to recognize a pump-and-dump?
- Sometimes anonymous developers do not hide behind aliases for the best of reasons;
- Be wary when “star power” is involved: there have been numerous cases when influencers were paid to shill a coin and were among the insiders selling at the top;
- Excess centralization. The Squid Game token team managed to keep so many investors holding the bag simply because there was no way to cash out.
How to not fall for a pump-and-dump?
- Another important principle of crypto is Do Your Own Research, and for a good reason. More often than not, a rug pull attracts investors by ponzinomics that are simply too good to be true;
- Ignore the shillers. It is true that we are more likely to give attention to the name we have heard, but think about who is keeping the name in the spotlight;
- Keep an escape plan in mind and try not to ignore the red flags.
How to Avoid Being Scammed?
In addition to the advice above, we have also asked our CMO Alexey to give some insights into crypto security. Take a look at his advice to keep your investment safe and sound!
1. Double- and triple-check the URLs. This is the measure to follow at all times. Before you click a link or interact with the website, for example, by connecting your wallet, have a good look at the URL and make sure it is legitimate. Otherwise, you could be on a scammer’s website and not even realize it.
2. Do not trust anyone in your Discord or Twitter DMs. With each passing day social scams become more and more elaborate. Fraudsters will explore your socials and engineer a story for you specifically. For example, a scammer pretends to speak on behalf of a company looking for cross-promotion. When given a pass, they send out a file with a “contract”, which leads us to—
3. Do not open files sent by strangers. A file can turn out to be a script which brute-forces a password or a seed phrase, or even hijacks the computer to eventually provide a hacker with access. Even a .png file can contain a script — scammers would often rename the files to confuse you.
4. No rush. Take a breath in and breathe out when sending a transaction. FOMO can push you to make crazy decisions: think buying an overheated coin at a top/bottom (hi, LUNA and GST). Stealth drops were pretty popular last year, like GoGos on Tezos, which launch without prior notice.
5. Be cautious with verified accounts on Twitter. Hacking those seems to be getting more common. Scammers get access to stolen verified accounts to feign affiliation with reputable projects, such as BAYC or Moonbirds.
6. Use a cold crypto wallet. If you take your crypto holdings seriously, cold storage in a hardware wallet is a must. Trezor and Ledger are popular options.
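The URL checks recommended in tip 1 and in the phishing section earlier (a link that looks legitimate but has a slightly different URL) can be partly automated by comparing a link's host against your own bookmarks. This is an added example, not part of the original guide; the domain names are constructed placeholders, and the edit-distance limit of 2 is an assumption.

```python
from urllib.parse import urlsplit

# Constructed allowlist standing in for the user's own bookmarks (placeholder names).
TRUSTED = {"example-wallet.com", "example-market.io"}

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url, trusted=TRUSTED):
    """Return (verdict, reason); verdict is 'trusted', 'lookalike' or 'unknown'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # urlsplit already lowercases it
    if parts.username is not None:
        # In https://trusted.com@other.example/ the real destination is other.example.
        return ("lookalike", "text before '@' is not the destination host")
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        return ("lookalike", "internationalized name, possible look-alike letters")
    if host in trusted or any(host.endswith("." + t) for t in trusted):
        if parts.scheme == "https":
            return ("trusted", "matches a bookmarked domain")
        return ("unknown", "bookmarked domain but not https")
    for t in sorted(trusted):
        if host.startswith(t + ".") or "." + t + "." in host:
            return ("lookalike", f"{t} is only a prefix of another domain")
        d = edit_distance(host, t)
        if d <= 2:
            return ("lookalike", f"{d} edit(s) away from {t}")
    return ("unknown", "not in bookmarks; open the site from a bookmark instead")

if __name__ == "__main__":
    samples = [  # constructed sample links
        "https://app.example-wallet.com/connect",
        "https://example-walet.com/connect",
        "https://example-wallet.com.login.example/",
        "https://example-wallet.com@evil.example/",
        "https://ex\u0430mple-wallet.com/",  # Cyrillic 'a' in place of Latin 'a'
    ]
    for u in samples:
        print(u, "->", check_url(u))
```

An "unknown" verdict is not a pass: it only means the host resembles nothing in the bookmarks, so the site still needs to be verified another way.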
1. View the entire history of a coin’s price, not the past month only. Day traders and crypto maxis only look at the current trend in the asset, without noticing that there may be artificial pumps at the time of listings.
2. Review the fundamentals of a coin. Studying the social media and asking the community can be vital prerequisites for mid- and long-term purchases. Too often buyers are blinded by marketing (STEPN) or the appeal to an authority (Dogecoin), and the next thing you know, they are losing millions.
3. Read the whitepapers. If a coin offers 20% or more for a bounty or a ridiculous APY, while the community pool distribution is a mystery, it’s better to walk away from it.
4. Run a background check on the team. Scams are quite often perpetrated by the same people who were complicit in dubious or outright fraudulent schemes. Googling or checking the LinkedIn of the developers and founders would never hurt.
If you get scammed out of your money — ultimately, it is not your fault. However, it is in your power to prevent it from happening. Following these pieces of advice can help you to navigate the crypto space safely and worry-free.