The Ultimate Guide to Spotting and Avoiding NFT Scams

NFT scams have become a growing problem in the world of Web3. In the first half of 2022, it’s been estimated that over $100 million worth of non-fungible tokens have been stolen from NFT marketplaces and social media platforms. 

The cost of these NFT scams can be devastating so it’s important to understand and identify the most common methods and tactics that scammers use in order to protect your digital assets.

Rug Pulls

Rug pulls can be divided into two categories: soft pulls and hard pulls. 

Soft pulls

Soft pulls – also commonly referred to as exit scams – often start with intense advertising on social media, with developers aiming to lure investors into their NFT project. As people get lured in and start to invest in the NFTs, the NFT collection will start gaining real value on the market. This will make the ads and the promise of the collection more true to investors and potentially have a snowballing effect on the sales and the relative values of NFTs within a very short time.

However, after selling enough NFTs from the collection, scammers sell off their tokens, abandoning their investors with NFTs whose values are tremendously reduced. One notorious example of a soft pull or exit scam in the world of NFTs occurred back in September 2021 with the Evolved Apes NFT project which you can read more about here.

After a rug pull, developers often will delete or stop the NFT project’s social media accounts and all communication channels. Creating a foggy, chaotic and speculative situation for investors.  

Here are some ways you can protect yourself from soft pull scams: 

• Carefully examine the website of the NFT project, social media accounts, Discord, and research the team and/or developers behind the NFT project. In rug pulls, social media platforms, or websites of projects often have inconsistencies or holes, such as conflicting information.
• Check if the NFT project contract uses a distributed multisig key. While this will not ensure the safety of your funds, it’s still a good indicator. 

Hard Pulls

Hard pulls – also referred to as smart contract scams – are premeditated as they have to be made during the construction process of the NFT collection’s smart contract. With hard pulls, you’ll typically see malicious codes embedded in the smart contract, some backdoors, or bugs intentionally left in the contract. Hard pulls can result in: 

• Scammers raiding the funding of the NFT project without allowing their investors to retrieve their funds from the funding pool.
• People can buy NFTs from the collection but can’t sell them. Making the project grow, taking money in, and letting none out. After enough NFTs are sold, developers will vanish, taking all the funds.
• Developers can steal all of the funds in a moment using a backdoor function they implemented.

To increase your protection against hard pull NFT scams, do your own research (eg. read the NFT whitepaper) and make sure a third party has conducted a security audit of the project.  

NFT Giveaways and Airdrop Scams

With airdrop scams, scammers replicate the interfaces of well known projects’ websites and use a very similar domain name to the original project. When these malicious ads are clicked on – typically inciting users to receive a free giveaway of NFTs – it will redirect the user to another link which will try to convince the user to perform a malicious transaction to receive the airdrop of the NFTs. However, this malicious transaction will only allow the scammers to transfer all the NFT and funds from the victims wallet into their own.

Scammers can also hack into the social media accounts of influencers and celebrities to use their public profiles to share links to malicious websites.

Here are some ways you can protect yourself from NFT airdrop scams:

• Don’t claim airdrops if you were to receive one unexpectedly. Because, in order to claim an airdrop, you have to connect your wallet to that NFT’s smart contract and sign a transaction. This process can allow scammers access to your wallet, robbing you of your money.
• Double check the domain name of the site that you are redirected to and check if the domain name matches the real site it’s alleging to be.
• Use a temporary wallet for claiming airdrops or performing suspicious transactions.
• Do your best to research the legitimacy of the NFT giveaway online before performing any transactions. 
• Check your approvals and revoke them if you sign a suspicious transaction.

Customer Support Phishing Scams

Phishing scams are manipulation techniques that aim to trick people into giving their sensitive wallet information. Customer support phishing is done by bad actors who disguise themselves as the technical or customer support team of an NFT project or marketplace, reaching people through WhatsApp, Telegram, Discord, or similar channels. 

The “customer service” rep will eventually ask for your seed phrase or private key in order to help you with your problem. Scammers can also persuade you into clicking unverified site links or downloading malicious data depending on the context.

To protect yourself from these kinds of NFT phishing scams: 

• Verify the links you are clicking. Check the domain names of the received pages and compare them to the ones that are known to be legit.
• Be aware of how officials normally behave and reach out to people. It would be highly unusual for an official of an NFT marketplace to reach out to you personally via social media accounts. 
• Never share your wallet private key with anyone. 

NFT Bidding Scams

Bidding scams happen when a scammer becomes the highest bidder on an NFT and, just seconds before the auction’s end, the scammer changes the cryptocurrency to one which is much less valuable. If the seller of the NFT is not careful and the change in cryptocurrency types goes unnoticed, the seller will be scammed, receiving a below-market payout for his/her valuable NFT. 

To protect yourself from NFT bidding scams:

• Verify the type of cryptocurrency before accepting payments.
• Set a minimum bidding price.

NFT Pump and Dump Schemes

“Pump and dump” scams are similar to rug pulls. However, pump and dumps create the illusion of demand on their NFT projects via funding, whereas rug pulls usually accomplish this using social media ad campaigns. 

Scammers will often split their assets into different wallets and continuously buy and resell the NFTs in the project (the Wash Trading technique), intending to create the illusion of active trading and demand for the project. This method tricks investors to buy the NFTs and, when certain funds are collected, developers abandon the project, taking all the funds out of the project.

To protect yourself from pump and dump scams:

• Check the transactions coming in and out of the NFT project.
• Check the NFT project’s whitepaper and investigate the developer’s credibility. 

Fake NFT Scams

Creating an NFT is not very difficult. With options such as lazy minting on the OpenSea NFT Marketplace, an attacker can potentially copy other artists’ works without paying a penny in advance. 

Some artists have reported thousands, even tens of thousands, worth of their artworks available on OpenSea without their consent or recognition. Even though OpenSea has improved its regulations and the community is more informed than it used to be regarding stolen NFTs, the problem of fake or counterfeit NFTs still persists. 

After copying the original NFT, attackers lure users to buy these fake NFTs using various methods such as hacked social media accounts or social media ads.

To protect yourself from fake NFT scams:

• Verify the origin and the authenticity of NFTs using the Blockchain Explorer
• Do a reverse search of the image of the NFT on Google Images and see if it’s an original

Final Thoughts

The NFT landscape is full of scammers and thieves who seek to take advantage of those who are new to the Web3 market. To protect yourself from these scammers’ traps, the most important thing you can do is RESEARCH the project and use your critical thinking skills. For more information on how to stay safe in the world of Web3, bookmark our blog, follow us on Twitter @HalbornSecurity, subscribe to our YouTube channel, and reach out to our Web3 security experts at halborn@protonmail.com.