THE FLRDROPS ARC:
Scammers are always searching for and creating new ways to steal your digital assets. With the increased growth of the crypto space in recent years, there has been plenty of fraud opportunities. 14 billion USD worth of crypto tokens fell into the hands of fraudsters in 2021 alone. If you are interested in crypto, DeFi, or NFTs, it is important to be aware of the risks involved. In this article, we will highlight common crypto scams, how to spot them, and how to avoid falling victim to them.
The main objective of a scammer is to get access to your seed phrase. If anyone is asking you for your seed phrase, it is a scam!
There are two major attack vectors:
- The exploitation of Software Vulnerabilities.
- Social Engineering — Phishing.
Exploitation of Software Vulnerabilities
Software, such as operating systems, web browsers, and other applications, often have security vulnerabilities that hackers can exploit. Software developers are always looking out for vulnerabilities to “patch” — that is, develop a solution that ‘patches’ the issue, which is implemented in a new update. However, sometimes hackers or malicious actors spot the vulnerability before the software developers do. While the vulnerability is still exposed, attackers can take advantage of it. Therefore, it is always good practice to install all security updates as they become available. Outdated software may contain vulnerabilities that you could be susceptible to.
Another avenue for software exploitation is malware. Pirate software is commonly known to contain malware and it can be used to jeopardise your security by opening a ‘backdoor’ into your system. A backdoor refers to any method by which unauthorized and authorized users are able to avoid normal security measures and gain user access to a computer system, network, or software application. Once in, this backdoor can be used to reveal personal and financial data, install additional malware, or hijack devices.
It is good practice to record your seed phrase physically, written down with multiple copies stored in different safe locations.
Social Engineering — Phishing
By far, the majority of all security breaches are performed via phishing attacks. Scammers attempt to psychologically manipulate you into directly providing them access to sensitive information such as passwords and seed phrases. They may also try to convince you to connect your wallet to a nefarious link or imitation website.
- Replies and Messages from Scammers
On spaces such as Twitter, Discord, Telegram, etc, if you publicly mention a problem you are experiencing or ask for assistance regarding an issue, you are most likely going to get a reply or a message from a scammer.
Scammers create fake support accounts, clone websites, impersonate team members of projects, admins, moderators, etc, but they can also act like community members who have experienced the same issue as you and had it resolved. Some can be quite convincing, while others are more easy to spot.
Below are examples of some popular methods scammers use; their primary goal is to get you to give up your seed phrase.
- Below, this person has asked ‘@BifrostWallet’ a question on Twitter and has received a response from ‘@bifrostWallet’. Note the lowercase ‘b’ at the beginning of the username, instead of the real username’s capital ‘B.’ In this example, the scammer is hoping to take the conversation to private messages and try to coerce you into giving them your seed phrase. There are similar scams for even more popular wallets such as MetaMask.
- In this example below, a scammer is providing a link to a google document that the scammer has created. One of the data fields in the document is asking for you to provide your seed phrase.
- Below is a wolf in sheep’s clothing. The email address provided will be fake support or contain another link.
- This is an example of a fake FLR Drops website which was created by scammers before FLR Drops even existed:
- There are also more sophisticated scams where tokens or NFTs are airdropped randomly. The token name will contain a link that would lead you to an imitation website. The scammers will ask you to connect your wallet and give them the approval to spend your tokens or, even more blatantly, to enter your seed phrase.
Other psychological tricks may come in the form of time-limited offers or deals, where ‘fear of missing out’ could reduce your awareness of what is being offered and its (non-)legitimacy.
Another popular phishing scam surrounds airdrops or ‘token giveaways.’ The offer is usually based around you sending X amount of tokens to an address to receive a bigger portion of X tokens back. Beware, nothing will come back!
There are also imitation NFT collections where the genuine collection is copied and recreated under a different contract and put on sale. Always check that the NFT contract address is that of the genuine collection’s creator.
Be aware of family or friends who are contacting you randomly via social media for financial assistance. Their account may have been hacked or imitated. Try contacting them back via a more traditional method, to be sure it’s them.
Some new tokens may not have Hardware Wallet support. Scammers impersonating others may message you offering a solution for connecting your Hardware Wallet via some software or request your seed phrase.
Good Practices and Safety Measures
There are a few methods one can employ to reduce the chances of falling victim to phishing scams and their potential consequences.
Having multiple wallets will reduce the amount of potential harm that can be caused by a single attack. Keeping your long term assets or NFTs in a Hardware Wallet will ensure they remain safely stored offline. If you want to utilise your tokens or NFTs online, having a second hot wallet for that purpose, and sending your tokens to it when necessary, will ensure that you have a buffer between online and offline wallets. Having multiple hot wallets to divide up assets will also reduce the potential harm of a phishing scam.
The best way to remain safe when seeking support or assistance from the community is to remain in public view. Scammers never ask for your seed phrase in public, it’s always via private messages or links. If anyone ever asks for a seed phrase in public, then the community would alert you to the scam.
Team Members, Admins, and Moderators will never message you first!
Remember… never rush into anything, and there are no stupid questions.
Again… the main objective of a scammer is to get access to your seed phrase. If someone is asking you for your seed phrase, it is a scam!