Have you ever received a free airdropped token in your wallet that seemed too good to be true? Or noticed receiving transactions of tokens in your activity tab that you were not expecting? Navigating the world of cryptocurrencies can be exciting, but it’s also filled with potential pitfalls.
The good news? With the right knowledge, you can protect yourself from these deceptive tactics. In this article, we’ll help you:
- Identify common types of scam tokens and how they operate.
- Learn actionable tips you can implement today to avoid falling victim to these schemes.
- Understand what to do if you’ve already interacted with a scam token.
By the end, you’ll be better equipped to spot fraudulent tokens and safely navigate the Web3 space.
What Are Scam Tokens?
Scam tokens are fraudulent/malicious cryptocurrencies designed to deceive users and steal their funds. Unlike legitimate tokens, which are tied to real projects or utility, scam tokens often rely on hype, false promises, and deceptive marketing to lure victims.
Scammers typically prey on both curiosity and greed. They do this by targeting users during market booms or with flashy tactics like fake airdrops, misleading endorsements, or manipulated smart contracts. The goal is simple: trick you into engaging with their token, approving transactions, or even revealing your wallet’s private keys. For example, scammers have airdropped tokens into unsuspecting wallets with metadata linking to phishing websites. These sites tricked users into signing malicious transactions, thus draining their wallets.
Common Types of Token Scams
Identifying the different types of scam tokens is an essential skill when navigating the Web3 space. Scam tokens not only lead to financial loss but also erode trust in the cryptocurrency ecosystem. By understanding these tactics, you can protect yourself and contribute to a safer Web3 environment.
Fake Airdrops
As described above, scammers send tokens to wallets with embedded instructions (often in the metadata) directing users to phishing websites. These sites then prompt users to connect their wallets and approve malicious transactions or disclose their private keys (phishing). Always check the token’s contract address on trusted sources like CoinGecko or a blockchain explorer such as Solscan or Etherscan to confirm legitimacy before engaging.
Pump-and-Dump Schemes
Fraudsters artificially inflate a token’s price through social media hype or influencer endorsements, encouraging investments. When the token’s value spikes, they sell their holdings, causing a crash and leaving other investors with worthless assets.
For example, in December 2024, internet personality Haliey Welch, known as the “Hawk Tuah Girl,” launched a Solana-based cryptocurrency called HAWK. The token’s market capitalization briefly soared to approximately $490 million before plummeting by over 90% within hours. This rapid decline led to allegations of a pump-and-dump scheme, with critics accusing Welch and her team of artificially inflating the token’s value before selling off their holdings. (Cointelegraph)
Honey Pots
A honey pot scam involves smart contracts that allow users to buy the token but restrict them from selling it. Victims are lured in with promises of rewards, but their funds are trapped. One famous example was the “Squid Game Token” (SQUID). It was promoted as a token tied to the Netflix show, and as a result it skyrocketed in price. However, the contract prevented users from selling, and the scammers made off with millions.
Rug Pulls
Scammers create tokens or DeFi projects, collect investments from unsuspecting users, and then disappear with the funds. This is especially common with liquidity pools or projects that promise high returns.
Impersonation Tokens
These scams mimic legitimate tokens, using similar names, logos, or partnerships to trick users into buying worthless assets. In the past, there were fake exchange tokens (e.g., UniswapX), and they even had accompanying fake websites. These tricked users into thinking they were legitimate extensions of the Uniswap platform.
How to Identify Scam Tokens
Recognizing scam tokens early can save you from financial loss and protect your wallet. Here are key indicators to help you spot these fraudulent tokens:
Red Flags in Token Details to Look Out For
- Exaggerated Claims: Be cautious of tokens that promise “guaranteed” returns or revolutionary features without clear backing.
- Unverified Teams: Legitimate projects showcase their team members and partners. Scam tokens often lack this transparency or use fake profiles.
- Suspicious Tokenomics:
  - Look for large portions of tokens held by a single wallet, which can indicate a potential rug pull.
  - Check for excessive minting mechanisms coded into the smart contract.
- Malicious Account:
  - Phantom will display an error that says "we believe this account is malicious". We use external scam detection tools like TokenSniffer, Forta, and GoPlus to identify potentially malicious tokens and flag them to prevent users from trading them within the app. This token was flagged by one of these tools, which is why you're seeing that warning.
Fake Community Hype
Scammers frequently create fake hype on social media platforms like X, Telegram, and Discord to make their token appear to be more credible. Things to look out for:
- Accounts with low follower counts or repetitive comments.
- Copy-pasted responses or messages across multiple platforms.
- Promises of rewards for joining a community or promoting a token.
Low-Quality Websites/Homepages and Whitepapers
- Poor Grammar or Multiple Errors: Legitimate projects invest in professional branding and polished documentation. Scams often rush their materials.
- Fake Roadmaps: Unrealistic timelines or overly ambitious goals with no technical evidence should raise suspicion.
Using Blockchain Explorers and other Analysis Tools for Scam Prevention
Now that you’re familiar with common red flags and tactics used by scammers, let’s look at some practical tools you can use to protect yourself. Blockchain explorers like Etherscan (Ethereum) and Solscan (Solana) can help you verify token contracts, check wallet activity, and revoke malicious approvals. These tools add a layer of transparency to your transactions, making them essential for identifying and avoiding scam tokens. For a deeper dive, check out our article on How to Use Blockchain Explorers to Avoid Crypto Scams.
How to Avoid Interacting with Scam Tokens
Preventing interaction with scam tokens is the best way to stay safe. Here’s how you can protect yourself:
Verify Before You Engage with New Smart Contracts and dApps
- Check Contract Addresses: Only use official token contract addresses from trusted sources, like the project’s website, CoinGecko, or verified social media.
- Research the Team and their Partners: Avoid projects with anonymous or unverifiable team members. Real-world credibility is a key sign of legitimacy.
Things to know when working within Phantom:
- Phantom’s Spam Detection: Phantom automatically hides tokens flagged as suspicious, such as those with embedded URLs in their names. This is for your protection!
- Avoid Clicking Metadata Links: Never click links embedded in unsolicited tokens until they’re verified as safe.
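The checks above (an official contract address, no URL embedded in the token name) and the single-wallet concentration red flag from earlier can be combined into one small triage routine. This is an added illustration, not Phantom's detection logic; the token data, addresses, TLD list, flag names and the 50% threshold are constructed assumptions.

```javascript
// Added illustration: triage an unsolicited token against red flags from this article.
// Token data, addresses, the TLD list and the threshold are constructed assumptions.

// Trusted symbol -> official contract address, copied by hand from a trusted source.
const OFFICIAL = new Map([["EXM", "OfficialExampleMint1111111111111111111111"]]);

const TLD = "(?:com|net|org|io|xyz|app|site|top|link)";
const URL_RE = new RegExp(`(https?://|www\\.)|\\b[a-z0-9-]+\\.${TLD}\\b`, "i");

// Undo common obfuscation before matching: full-width characters, "[.]", "(dot)",
// " dot " and spaces around the dot. Errs toward flagging.
function normalize(text) {
  return text
    .normalize("NFKC")
    .replace(/\[\.\]|\(dot\)|\s+dot\s+/gi, ".")
    .replace(/\s*\.\s*/g, ".");
}

function hasEmbeddedUrl(text) {
  return URL_RE.test(normalize(text));
}

// Fraction of supply (0..1) held by the largest single wallet.
function topHolderShare(balances) {
  const total = balances.reduce((sum, b) => sum + b, 0);
  return total === 0 ? 0 : Math.max(...balances) / total;
}

function triageToken(token, maxTopShare = 0.5) {
  const flags = [];
  if ([token.name, token.symbol].some(hasEmbeddedUrl)) flags.push("url-in-name");
  const official = OFFICIAL.get(token.symbol.trim().toUpperCase());
  if (official && official !== token.address) flags.push("symbol-address-mismatch");
  if (topHolderShare(token.holderBalances) > maxTopShare) flags.push("concentrated-supply");
  return flags;
}

// Constructed samples: an unsolicited airdrop and the genuine token.
const AIRDROP = { name: "Claim 5000 EXM at exm-rewards[.]xyz", symbol: "EXM",
  address: "UnknownSenderMint22222222222222222222222", holderBalances: [900000, 60000, 40000] };
const GENUINE = { name: "Example Token", symbol: "EXM",
  address: "OfficialExampleMint1111111111111111111111", holderBalances: [120, 110, 100, 90, 80] };

console.log(triageToken(AIRDROP));
console.log(triageToken(GENUINE));
```

An empty result only means none of these three checks fired; it does not verify a token.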
Be Skeptical of “Too Good to Be True” Offers
Scammers exploit FOMO (fear of missing out) to make you act quickly. Be cautious of:
- Free token offers or guaranteed profits. If it seems “too good to be true,” it probably is!
- Time-sensitive claims, such as countdowns or pop-ups urging immediate action.
Revoke App Connections
If you suspect a malicious app or token, revoke its connection to your wallet immediately, and look into revoking the corresponding token allowances as well. Tools like Phantom allow you to manage app connections directly in your wallet settings. Revoking connections ensures the app can no longer interact with your wallet or tokens. Tools such as Famous Fox’s Revoker tool and revoke.cash are also useful in this scenario.
For more detailed information on how to use tools like blockchain explorers, revocation platforms, and analytical tools effectively, check out our article: How to Use Blockchain Explorers and Analytical Tools to Stay Safe from Scams. It’s a great resource to help you dive deeper into these strategies and stay one step ahead of scams.
Use Burner Wallets to Keep New Transactions Separate
For unverified projects, create a burner wallet within Phantom. Fund it with only the amount you’re willing to risk, ensuring your primary wallet remains secure.
What to Do If You’ve Interacted with a Scam Token
Even with the best precautions, mistakes happen. If you suspect you’ve interacted with a scam token, quick action on your end will help minimize damage and secure your wallet. Here are some steps you can take if you suspect you’ve been scammed and believe you can still protect your funds.
Step 1: Stop Any Further Activity
As soon as you realize something may be wrong, stop interacting with the suspicious token or dApp. Avoid approving additional transactions or clicking any links.
Step 2: Revoke App Connections and Suspicious Token Approvals
- Check for any active token or app approvals connected to your wallet. Disconnect any that you suspect of being malicious by using Phantom’s built-in app disconnection feature.
- For additional security, consider using tools like Revoke.cash (Ethereum and EVM networks) or Famous Fox Federation’s Revoker (Solana) to manage and revoke permissions.
- For more information on how to use such tools, visit our post on How to Use Blockchain Explorers and Analytical Tools to Stay Safe from Scams.
Step 3: Transfer Your Funds to a New Wallet (use of a burner wallet)
If you suspect your wallet has been compromised, follow the general steps below and also refer to our instructions on creating a new Phantom multi-chain account.
- Create a new wallet in Phantom for added security.
- Transfer all unaffected tokens and funds to the new wallet.
- Avoid transferring what you suspect to be a scam token to prevent further issues, as some tokens are actually programmed to trigger malicious actions upon the transfer.
Step 4: Report the Scam
Reporting scams helps improve community awareness and security. By using Phantom’s built-in reporting feature to flag phishing NFTs or malicious dApps, you're helping not only yourself but others to stay safe. You can create a ticket with Phantom here, or learn more about reporting scams here.
Step 5: Strengthen Your Security Practices
After addressing the immediate issue, take steps to enhance your overall wallet security:
- Enable 2-Factor Authentication (2FA) on accounts linked to your wallet (biometrics or hardware keys such as a YubiKey). Both are accepted at many popular exchanges.
- Regularly update your Phantom app to ensure you have the latest security features.
Remember, interacting with a scam token doesn’t have to result in a total loss. By taking swift and informed action, and being hyper-aware of your interactions, you can minimize the impact and secure your funds. For additional guidance on staying safe, visit the Phantom Help Center for more resources.
Stay Safe, Stay Informed
Navigating the world of cryptocurrencies can be exciting, but it’s also full of potential risks. By understanding the tactics scammers use, how to identify red flags, and leveraging tools like blockchain explorers and revocation platforms, you’re already taking critical steps to protect yourself and your assets.
If you’ve fallen victim to a scam and your funds have already been stolen, know that you’re not alone, and there may still be options to explore. Opening a support ticket with Phantom is a good first step, and we recommend working with trusted investigative partners such as Chainalysis or CipherBlade, who specialize in tracking blockchain transactions. However, it’s important to understand that recovery is not guaranteed, as the decentralized nature of blockchain can make funds difficult to retrieve.
While scams can happen to anyone, many of them can be prevented by safeguarding your Secret Recovery Phrase. There’s a reason why we emphasize this so often with warnings and pop-ups—it’s the single most important thing to keep safe. Never share your Secret Recovery Phrase with anyone, no matter how legitimate they may seem, and always ensure it’s stored securely offline.
Finally, remember that staying informed and vigilant is your best defense. If you ever have questions or concerns, visit our Help Center for guidance, tools, and resources. We’re here to support you as you explore the Web3 space with confidence.