Phantom's top priority is to keep our users safe as they navigate the Web3 space. Amongst the many security features we have in place, one of the most effective ways to keep your assets safe is education: knowing which scams are trending, what they look like, and which preventative measures to take will significantly decrease your risk of being scammed.
It's important to understand that Phantom is a non-custodial wallet, which means that we don't have any control over your assets. This also means that you are responsible for keeping your private keys and seed phrases safe. This leads scammers to resort to creative methods to trick you into giving them access to your credentials. One of the most common methods used to deceive users is phishing.
Let's take a look at some of the common phishing scams and how you can prevent yourself from becoming a victim.
NFT scams
The most common type of phishing scam we are seeing today is the fake NFT airdrop, giveaway or mint.
NFT airdrop scams
Nothing sounds more appealing than VIP access to a new project, huge rewards, or free money. That's exactly why scammers are airdropping these types of NFTs to wallets, hoping to trick people into claiming the rewards.
What does this look like?
Let's say you received an unexpected NFT claiming to be from a trusted dapp or project similar to the one below.
The description explains the offer and includes a link directing you to claim the rewards. You choose to visit the site, unaware that the link is actually taking you to a malicious site.
When you try to claim the rewards, the dapp prompts you to enter your seed phrase or asks you to confirm a transaction. While this may seem harmless, in the background the transaction you are approving is intended to drain your wallet.
Shortly after doing so you notice that your funds have been drained from your wallet.
What happened? Well, these NFT airdrops are designed to do one of two things when you interact with them:
- Gain access to your seed phrase/private keys
- Prompt you to sign a malicious transaction that will allow funds to be transferred from your wallet.
In either case, the scammer now has the ability to make transactions within your wallet or completely drain your assets.
How do I recognize scam NFT airdrops?
⚠️ Any unsolicited NFT airdrop should be considered a scam NFT.
By default, Phantom checks each NFT's metadata and moves any NFT that is potentially malicious to the hidden section of your collectibles.
Unless you have manually hidden a collection or NFT, it's best to assume that any NFT found in this section is malicious and should be safely discarded.
If you're still unsure, cross-checking the URL can help you validate its legitimacy. The description of the NFT above displays the URL (orca-true.online), which redirects to the URL (orca-defi-pool-6406.serene.pics). Do NOT visit these scam sites.
Right away you may not be able to tell whether it's the real site, but if you cross-check the URL you will realize that the official site is actually (orca.so), and neither of those URLs is associated with the official site.
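The cross-check described above can be made mechanical: extract the hostname from whatever link the NFT description carries and compare it against the project's known official domain, treating only that domain and its subdomains as legitimate. Everything else that merely contains the brand name is a look-alike. The following Python is an added example written for this article, not Phantom's own code; the official-domain list is taken from the page (orca.so) and the sample URLs are the two scam hosts quoted above plus a few constructed variants to show the edge cases (missing scheme, credentials and port in the URL, brand name buried in the path).

```python
from typing import Optional
from urllib.parse import urlsplit

# Known official domain(s) for the project being checked. The page names orca.so
# as Orca's real site; a real deployment would keep one such set per project.
OFFICIAL_DOMAINS = frozenset({"orca.so"})


def host_of(url: str) -> Optional[str]:
    """Return the lowercased hostname of a URL, tolerating a missing scheme.

    urlsplit() treats 'orca-true.online' (no scheme) as a path, so a scheme is
    prepended first. .hostname already strips userinfo, port and brackets.
    """
    if "://" not in url:
        url = "https://" + url
    host = urlsplit(url).hostname
    if not host:
        return None
    return host.rstrip(".").lower()


def is_official(url: str, official=OFFICIAL_DOMAINS) -> bool:
    """True only if the host IS an official domain or a subdomain of one.

    A plain substring test would accept 'orca.so.evil.example'; the check
    below requires an exact label boundary ('.' + domain) instead.
    """
    host = host_of(url)
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in official)


def classify(url: str, official=OFFICIAL_DOMAINS) -> str:
    """Classify a link as 'official', 'lookalike', 'unrelated' or 'invalid'.

    'lookalike' means the brand label of an official domain appears somewhere
    in a host that is NOT official, which is the pattern of the scam URLs on
    this page (orca-true.online, orca-defi-pool-6406.serene.pics).
    """
    host = host_of(url)
    if host is None:
        return "invalid"
    if is_official(url, official):
        return "official"
    brands = {d.split(".")[0] for d in official}
    if any(brand in host for brand in brands):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample: the two scam hosts quoted in the article plus edge cases.
    samples = [
        "https://orca.so",
        "https://app.orca.so/pools",
        "orca-true.online",
        "https://orca-defi-pool-6406.serene.pics/claim",
        "https://orca.so.evil.example/",
        "https://evil.example/orca.so",
    ]
    for s in samples:
        print(f"{classify(s):10} {s}")
```

Note that this only answers "is this link the project's site?"; it does not try to decide whether an unknown domain is malicious. Combined with the rule above (any unsolicited airdrop is a scam), a result other than `official` is sufficient reason not to visit the link.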
You can see a few more examples in the image above showing the different kinds of outrageous offers scammers send with these airdrops. While these may be easy to identify, some are very convincing, so it's best to do your research to avoid them. If it seems too good to be true, it's likely not good at all.
See also: What to do with scam NFTs
NFT Mint scams
NFT mints are booming. Every day a new project claims to be the next promising one, and all you have to do to share in the rewards is mint its NFT.
NFT creators typically distribute new collections through a minting process. Most of the time these mints are closed to specific users who have privileged access; however, you may also see a new project that opens its gates to anyone who chooses to flood in.
Those are the ones you really need to be cautious of, since scammers use this method quite often to lure you in and steal your funds.
How does this scam work?
What happens is that the scammer creates a project, complete with a website and social media presence. They then promote this newly created NFT using every marketing channel available: social media, emails, Google ads and text messages. They hype it up throughout the community, and once they've convinced you to get involved, the last step is to mint the NFT.
Unfortunately, what you don’t realize is that you are signing a malicious transaction that will likely result in one of the following things:
- Your funds are sent to another wallet instantly.
- You grant a token approval, meaning the scammer can access all of your tokens, or a specific token, and send them to another wallet.
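The second outcome is the more insidious one because nothing leaves the wallet at signing time; the approval simply sits on the token account until the scammer chooses to use it. On Solana, which the Orca example above is on, a token approval is a delegate set on an SPL token account together with a delegated amount, so an outstanding approval can be found by reading token accounts directly. The following Python is an added example written for this article, not Phantom's code; it assumes the public 165-byte SPL Token program account layout (mint, owner, amount, delegate, state, is_native, delegated_amount, close_authority) and builds constructed accounts inline so it runs offline. It does not handle Token-2022 accounts with extensions, which are longer than 165 bytes.

```python
import struct
from typing import List, NamedTuple, Optional

# Assumption: base SPL Token account layout, 165 bytes, little-endian integers.
# COption<T> is a u32 tag (0 = None, 1 = Some) followed by T.
#   mint(32) owner(32) amount(u64) delegate(4+32) state(u8)
#   is_native(4+8) delegated_amount(u64) close_authority(4+32)
TOKEN_ACCOUNT_LEN = 165


class TokenAccount(NamedTuple):
    mint: bytes
    owner: bytes
    amount: int
    delegate: Optional[bytes]
    state: int
    delegated_amount: int
    close_authority: Optional[bytes]


def _coption_pubkey(data: bytes, off: int) -> Optional[bytes]:
    tag = struct.unpack_from("<I", data, off)[0]
    return data[off + 4:off + 36] if tag == 1 else None


def parse_token_account(data: bytes) -> TokenAccount:
    """Decode the raw account data of an SPL token account."""
    if len(data) != TOKEN_ACCOUNT_LEN:
        raise ValueError(f"expected {TOKEN_ACCOUNT_LEN} bytes, got {len(data)}")
    return TokenAccount(
        mint=data[0:32],
        owner=data[32:64],
        amount=struct.unpack_from("<Q", data, 64)[0],
        delegate=_coption_pubkey(data, 72),
        state=data[108],
        # is_native occupies bytes 109..121 and is irrelevant to approvals.
        delegated_amount=struct.unpack_from("<Q", data, 121)[0],
        close_authority=_coption_pubkey(data, 129),
    )


def build_token_account(mint: bytes, owner: bytes, amount: int,
                        delegate: Optional[bytes] = None, delegated_amount: int = 0,
                        close_authority: Optional[bytes] = None, state: int = 1) -> bytes:
    """Construct raw account bytes (test fixture; a wallet would fetch these on-chain)."""
    def coption(key: Optional[bytes]) -> bytes:
        return struct.pack("<I", 1) + key if key else struct.pack("<I", 0) + bytes(32)
    data = (mint + owner + struct.pack("<Q", amount) + coption(delegate) + bytes([state])
            + struct.pack("<I", 0) + bytes(8)            # is_native = None
            + struct.pack("<Q", delegated_amount) + coption(close_authority))
    assert len(data) == TOKEN_ACCOUNT_LEN
    return data


def audit(accounts: List[TokenAccount], trusted_delegates=frozenset()) -> List[dict]:
    """Flag approvals a drainer could later use: an active delegate the owner does
    not recognise, or a close authority that is not the owner."""
    findings = []
    for i, acct in enumerate(accounts):
        if acct.delegate is not None and acct.delegated_amount > 0 \
                and acct.delegate not in trusted_delegates:
            findings.append({"account": i, "issue": "active_delegate",
                             "delegate": acct.delegate.hex(),
                             "delegated_amount": acct.delegated_amount})
        if acct.close_authority is not None and acct.close_authority != acct.owner:
            findings.append({"account": i, "issue": "foreign_close_authority",
                             "close_authority": acct.close_authority.hex()})
    return findings


if __name__ == "__main__":
    # Constructed sample accounts: one clean, one with an approval to an unknown key.
    owner, mint, stranger = b"\x02" * 32, b"\x01" * 32, b"\x03" * 32
    accounts = [
        parse_token_account(build_token_account(mint, owner, 1_000)),
        parse_token_account(build_token_account(mint, owner, 1_000,
                                                delegate=stranger,
                                                delegated_amount=2**64 - 1)),
    ]
    for f in audit(accounts):
        print(f)
```

A finding of `active_delegate` is exactly the state left behind by the malicious "mint" the text describes: the tokens are still in the wallet, but the delegate can transfer up to `delegated_amount` at any time. The SPL Token program's `Revoke` instruction clears the delegate and resets the delegated amount, which is the remediation a wallet would offer for such a finding.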
How do I know if an NFT mint is a scam?
Scammers are getting very creative in finding new ways to exploit users, so it's not feasible to cover every way a scammer can trick you. Some NFT mints are practically indistinguishable from legitimate ones; however, following the guidelines below can help you avoid these scams.
- Do your own research. The most crucial thing is to research the project comprehensively on your own.
- Do not simply trust the words of others. Identify the team that built the project. What is their standing in the community? Do they have a roadmap for the project?
- Be wary of direct messages and the links they contain. Make sure you are clicking on the official links and connecting your wallet to the official website of the NFT project. If the same links cannot be found on the project's verified Twitter page, you should be cautious about using them.
- Be aware of urgency tactics. Scammers create urgency with countdown timers, progress bars and pop-up messages indicating that you only have a limited time to mint or that the NFTs are running out.
- Be cautious about the permissions you grant any NFT smart contract you connect your wallet to. Assume any contract that requests access to your tokens is malicious.
- Warning message. Phantom employs transaction simulation to identify potential scam sites and displays a warning stating that proceeding with the transaction may result in a loss of funds. Never continue with the transaction if this message is displayed. If the transaction simulation results are not available, do not proceed.
Additional security measures:
- Bookmark frequently visited sites
Summary
- NFT airdrops are the most common phishing vector, so doing your own research is critical to your safety.
- Wait for the transaction simulation result before approving a transaction. If the simulation results are not available, do not proceed.
- Be cautious of rushing into a project that is promoting limited time or limited offerings.