Web3 Scams: Common Crypto Scams and How To Avoid Them
KEY TAKEAWAYS: |
— The crypto scene attracts all sorts of people, including innovators, traders, and speculators. However, like with any kind of valuable asset, crypto also attracts scammers. — Some crypto scams are simple and others are more complex. Even crypto natives are often victims, and a hardware wallet can’t protect you from all scams. — The best way to deal with crypto scams is to avoid them entirely. With education, you can implement the best security practices to avoid the most common scams |
Scams are an all-too-common yet unfortunate aspect of the crypto space. While the crypto ecosystem has grown substantially, so too has the number of scammers. Of course, there are countless methods you can take to stay safe, but they aren’t infallible. For example, while a hardware wallet can protect you from hacks; it can’t protect you from falling for a scam.
Crypto scams come in many shapes and forms but they are all after one thing: your digital assets. Typically, these thefts aren’t as simple as a mugging on the street either. A bad actor might be a masterful hacker, able to gain access to your web2 device (computer or mobile phone” through your internet connection. Alternatively, they may be a masterful manipulator instead, managing to convince you to hand over the funds yourself. They may even employ a range of methods at each step of the scam.
Since the blockchain is pseudonymous, it’s not always easy to find the culprit of a crypto crime. Often, your best option to keep your funds safe is to know how to avoid risks in the first place.
So what are some of the most common crypto scams and how can you spot a crypto scammer?
To help you stay safe, let’s dive into the most common crypto scams in 2024.
The Most Common Crypto Scams in 2024
Of course, the number of scams is increasing each day, so it’s impossible to list each one you may encounter. However, the following scams are some of the most common. Before you start transacting, make sure you take a look at some of these ploys that could be targeting you.
Rug Pulls
Rug pulls are possibly the most well-known type of scam in the crypto space. To explain, a rug pull is when founders launch and market a token, typically attracting “Investors” via FOMO-style marketing. But when the price of the coin inflates, the founders immediately sell a huge amount of their share, removing significant liquidity from the project. This essentially leaves the “investors” holding worthless coins.
Usually, at this point, the founders abandon the project, but that’s not always the case. Some projects rug pull in a different way, with founders keeping up communication with “investors” and blaming the project’s failure on mistakes rather than malice. However, the result is the same: the project “members” end up holding worthless coins and the founders siphon out the funds slowly, claiming they needed to pay for things here and there. In these cases, the scam is usually deemed a “slow” or “soft” rug pull instead.
Pump and Dumps
Pump and dumps are similar to rug pulls, but instead, they are performed by collectives. Essentially, a pump and dump involves a group collaborating to manipulate the price of a coin. The operators of a pump and dump could be a group of friends, or they could be investors who have never met in real life. As long as there are enough participants to impact the price of a coin, it could be anyone.
The idea is that this group will conspire to hype up their chosen asset at the same time. They may use Twitter, discord, or any social media to reach as many people as possible to “shill” the chosen asset. If that term is new to you, essentially shilling is a method to drum up hype for a specific asset. The problem is that a pump-and-dump group will have a target selling price. When unsuspecting investors start inflating the price of the chosen asset, the original group will all exit their positions simultaneously, dumping worthless coins on the new entrants.
Phishing
Phishing scams happen everywhere, both in and out of the crypto space. With a phishing scam, someone pretends to be another person or business. The aim is to either get your login details, and Secret Recovery Phrase, or convince you to sign malicious approvals or transactions.
They may use an NFT marketplace as a disguise. Or even worse, you could encounter a fake metamask pop-up that prompts you to input your secret recovery phrase. Essentially, phishing scams attempt to trick you into thinking you’re accessing a familiar platform.
Double-check the URL of any website you visit to ensure you’re accessing the official website. Then, make sure that if you’re signing transactions, the proposal includes the correct recipient’s details. If you’re accessing a phishing site masking as a site you know, their blockchain address won’t match. Hopefully, you’ll notice before signing away your assets.
Airdrop Scams
Another common scam uses airdrops as its medium. To explain, bad actors may airdrop tokens directly into your crypto account. These tokens could be benign, and the contract may lead you to a phishing site or a site designed to install malware on your device. Alternatively, interacting with the tokens, such as trying to transfer them, may initiate a malicious transaction, aiming to seek your approval to move funds out of your account.
If you buy or collect NFTs, you may have encountered these types of scams before. All of those spam NFTs in your hidden folder are likely the result of a failed Airdrop scam attempt. Whether you’re dealing with a fungible or non-fungible airdrop scam, the advice is the same: don’t interact with them and there’s nothing to worry about.
Compromised Accounts and SIMswapping
One of the worst and most common scams in 2024 is compromised social media accounts as a result of SIM swapping. This scam involves a bad actor gaining control of a legitimate figure’s social media accounts by re-routing the victim’s two-factor authentication codes to their own device. This is usually orchestrated by either bribing or scamming the victim’s mobile phone service provider.
Typically, once a bad actor has access to the social media account, they will post links to malicious websites. The link may be disguised as an offer for an exclusive digital asset such as a Free NFT. Maybe the post is offering a limited edition opportunity to meet and greet your favorite celebrity. Sometimes compromised accounts don’t bother to try and disguise themselves at all, posting obvious links to dodgy crypto casinos. Either way, if you see famous people posting links with time-sensitive opportunities, make sure to do your research! If the offer sounds too good to be true, it probably is.
Cloud Mining Scams
Mining crypto can be expensive, as hardware and its upkeep costs money. Cloud mining companies offer the option to rent their mining hardware for a fixed fee and a share of the revenue. However, the reality is that many cloud mining companies turn out to be scams. Since the cloud mining service handles all mining operations, including buying and running the hardware, it is impossible to oversee its actions with transparency. Who knows how many mining rigs they have and how much they cost to run? Unfortunately, there’s just no way to tell.
As a result, you may find that smaller cloud mining services tend to be fraudulent, or in a slightly better case scenario, they may be profiting very unfairly using your funds. Either way, it’s always good to research the reputation of a cloud mining service before you dive in to avoid these types of scams.
Investment Schemes
Investment schemes are common both within and outside the crypto realm. It starts like this: an unknown ‘investment manager’ approaches you with an enticing opportunity that appears too good to pass up. The website seems legitimate and the investment manager is knowledgeable. But, all is not as it seems. The actual investment process typically involves sending crypto to the scammer or downloading an app promising quick wealth.
Once you’ve parted with your crypto or granted access to your wallet, the ‘manager’ and the platform suddenly disappear. You find yourself blocked and without recourse. It’s a common scam where the promise of quick riches overrides all suspicion. With these types of scams, just avoiding any “get rich quick” scheme is generally the best option. After all, nothing in life tends to come for free.
Fake Crypto Job Adverts
Crafting a career in the crypto field can often be the ultimate goal. Unfortunately, scammers often exploit this enthusiasm through fake job listings. These deceptive job listings are often in crypto mining or recruiting crypto investors. One key red flag to distinguish between genuine opportunities and scams is the payment process.
Scammers may insist on payment from you to initiate your role, requesting a payment in crypto to commence. Some may even offer up apparent proof by claiming they’ve made a Fiat payment into your account, suggesting you can make a crypto deposit without any cash loss. However, this initial Fiat payment is likely to fail, leaving you out of pocket.
Another way they may attack you is by asking you to download specific working docs or software in your “onboarding package”. In reality, they are giving you malware, and from there they gain access to your device to find and extract your private keys.
Fake Apps
Another way scammers target individuals is by building fake crypto apps. These apps are available for download on reputable platforms like Apple’s App Store or the Google Play Store, leading users to believe the apps are legitimate. Once downloaded, users deposit cash into the app. The app may be posing as an exchange, convincing you to purchase cryptocurrency. Alternatively, it could be disguised as a familiar app or service.
Some false apps go a step further by sending emails, claiming users must pay taxes in fiat before being allowed to withdraw their crypto. The bottom line is: if you give these apps a dime, you’re not getting it back out. While these kinds of apps are quickly identified and removed, they often have a significant impact.
Giveaway Scams
Another common scam is the ‘giveaway’ scam. Giveaway scams lure you in with promises of free money or other prizes, such as a free NFT, in exchange for following the scammer’s instructions. Many people fall prey to these scams because the perpetrators pose as influencers or celebrities, leveraging their perceived legitimacy in the space.
Typically, the giveaway scam involves signing up on a malicious site or clicking a deceptive link. Unbeknownst to you, your crypto is sent directly to the scammer. You thought you were entering a giveaway, but you were actually signing over access to your assets instead.
Impersonation scams
While scammers often pose as high-profile individuals for giveaway scams, there are also other ways that these thieves use impersonation to gain access to your funds. One example involves criminals posing as government officials, asserting that your assets have been frozen as part of an investigation. To purportedly resolve the issue, they insist on receiving payment in crypto to “prove your account.”
Another deceptive tactic involves scammers claiming to be officials from reputable entities like Microsoft, Amazon, FedEx, or your bank. By assuming the identity of trusted organizations, these scammers aim to gain your trust. Once they have your trust, they can get you to send them money in cryptocurrency, or even give them your secret recovery phrase.
Blackmail or Extortion scams
Extortion scam emails target hundreds of thousands of people every year. In these scams, fraudsters claim to have possession of personal information. This personal information could be explicit photos, videos, or messages. They threaten to share this content with your entire email list, reveal it to colleagues and family, and make the private information public.
To stop the spread of this material, the scammers claim that if you pay them in crypto, they will refrain from publishing any of this sensitive content. These emails typically emphasize urgency, stressing that you have less than 24 hours to send the crypto to prevent being exposed.
Romance Scams
Finally, we come to a scam that is prevalent both in and out of the crypto world: romance scams. Romance scams involve the development of an online relationship where someone establishes a connection with their targeted victim. This may include ‘catfishing,’ where a fake profile is used. Alternatively, the scammer might even use their own photos and engage in video calls to create a false sense of security. These scammers are patient, investing weeks or months in communication with their fake lover.
Once trust is established, the scammer then requests crypto payments or encourages the victim to invest in crypto together, promising that they will get rich. However, once the scammer has what they want, they abruptly vanish, leaving the victim deceived and defrauded.
How do Crypto Scams work
There will always be bad actors in any space, and often, they stop at nothing. Scammers may use one of the above methods, or they may employ multiple tactics alone or at the same time. Whatever way the scammer decides to target their victim, the goal is always the same. The scammers want your money. Whether that is through accessing your account, stealing your assets, or having you send crypto to them.
Let’s take a look at how crypto scams work.
Via Malware or Spyware on Your Internet-Connected Device
Many of the common crypto scams will aim to attack you via malware or spyware. They do so by leading you to download this malicious software on your internet-connected device.
Malware allows the hackers to change the screen of your internet-connected device (i.e. phone, laptop, tablet, desktop computer). Once the screen is changed, the hackers can trick you into approving ill-intentioned transactions. By approving a single transaction, you could be handing over all of your crypto, or perhaps just a single NFT. Either way, malicious transactions never end well for the victim.
Another type of hacking includes spyware, malicious software that allows the attacker access to your system’s files. The hacker can then go through your files and find where your private keys are stored. Once they have your private keys, the hacker has complete control of your crypto wallet.
This method is popular with hackers attacking software wallets, as only these types of wallets operate solely on your internet-connected device.
Exposing your secret recovery phrase or private keys
Some spyware might not only target your private keys but your secret recovery phrase too. If you use a hardware wallet, you don’t have to worry about revealing either of these pieces of information when signing transactions. But with a software wallet, you risk exposing your private keys or secret recovery phrase to attackers using malware or spyware.
Even if your secret recovery phrase is safe from hacking using a hardware wallet, the final barrier is you. To explain, attackers will also target your secret recovery phrase via social engineering., With a social engineering scam, the attacker will manipulate you to reveal your SRP through any means possible.
Whatever you do, do not tell anyone your secret recovery phrase, and never enter it into any app or service that requests it. The only time you need to input your secret recovery phrase anywhere is when you want to restore access to your wallet on a different device. Remember: anyone with access to your secret recovery phrase can control all of the accounts associated with it. It’s the single most important piece of information you need to keep safe.
Approving Malicious Smart Contract Functions
Bad actors may exploit blind signing to trick you into signing away your assets by leveraging the complexity of smart contract functions, particularly the SetApprovalForAll function.
Smart contract functions are pieces of code that enable specific actions within the context of smart contracts. When you “call a function,” it triggers an interaction between your wallet and the web3 platform you’re using. Approving these functions allows smart contracts to execute tasks involving your wallet. Unfortunately, some smart contracts are designed with malicious functions intended to steal your digital assets.
Scammers may trick you into ‘blind signing’ (signing raw contract data that is not able to be ready by computers). The contract that you sign sets approval for the scammer to transfer and withdraw assets. Moreover, this approval is not limited to existing assets; it extends to all future tokens from those smart contracts entering your wallet. It’s like writing a blank cheque to a hacker!
How to mitigate risk when interacting with web3
It’s important to note, that it’s impossible to avoid all scams simply by taking heed of the following advice. However, if you want to keep your funds safe, there are a few key things you can do to mitigate risks.
Use a Hardware wallet
First things first: if you want to keep your crypto safe, you should invest in a hardware wallet. A hardware wallet is a physical device that allows you to sign transactions and interact with the blockchain while storing your private keys offline.
This protects you from exposing your private keys via your internet-connected device. To explain, your web2 device, such as a smartphone or laptop, is vulnerable to malware and spyware. This malicious software can help bad actors extract your private keys via your internet connection when you sign a transaction with a web2 device. Hardware wallets avoid this risk by allowing you to sign transactions offline and sending the already signed transaction to your web2 device in a state it can’t be tampered with.
Not only that, hardware wallets also protect your crypto using physical confirmation, as a sort of two-factor authentication. Using a hardware wallet, you can only move funds after confirming the transaction physically with the device. Typically, hardware wallets also employ mechanisms to guarantee that only the true owner can confirm the transaction physically. For Ledger devices, confirming a transaction on your device requires you to input a PIN, which makes sure that even if a bad actor has physical access to your wallet, they can’t control your accounts.
Thus, using a hardware wallet can protect your funds from online scams, and remote access to your wallet. In some cases, they also protect you from hackers who might attempt to gain physical access to your wallet. For example, Ledger devices use a Secure Element chip which is protected from countless physical attacks such as side-channel attacks and glitching.
Keep Your Most Valuable Assets in a Cold Account
To keep your assets safe from malicious smart contracts and approvals, another great option is segregating your crypto assets into multiple accounts and keeping one account cold.
Today, most crypto wallets allow you to create a near-infinite number of accounts managed by the same interface and restored using the same secret recovery phrase. While you can restore them with a single mnemonic, these accounts operate completely separately from one another. This means that an approval you sign with one account will not affect the security of another.
An account that never interacts with smart contracts, apps, or unknown wallets, is immune to the threats associated with signing transactions. Thus, a clever way to keep your most valuable assets safe is by keeping them in an account that only sends and receives assets to/from other known wallets rather than engaging with Web3 apps.
This is called a cold wallet, and although they are often confused with hardware wallets, the terms are not synonymous. A cold account can operate from your hardware wallet, only storing private keys and protecting your funds. Meanwhile, you can sign potentially malicious transactions with a separate account containing less valuable assets. This keeps your cold account protected.
Don’t Click Any Links
It’s a well-known rule, and if you’re using a software wallet, it’s probably the most important piece of advice you can hear. To clarify – do not click any links when you are connected with an account containing valuable assets. You can never be certain if a link is trustworthy.
Mostly the websites themselves are benign, and simply prompt you to hand over your secret recovery phrase or connect to a malicious platform via your wallet. In these cases, just closing the window and forgetting about the whole experience is the best solution.
However, sometimes clicking the link means it’s already too late. Although it’s unusual, there are master hackers out there who can trick your system into downloading malware as soon as you click a malicious link. So, make sure if you click a link, you know where it will lead, and don’t trust anyone!
That said, if you’re using a hardware wallet, you don’t need to worry about clicking links. Your hardware wallet signs transactions offline and away from your web2 device, so even if you have malware on your computer, your hardware wallet will be unaffected.
DYOR
Finally, and perhaps the most important piece of advice when it comes to crypto security: Do Your Own Research. No matter how trustworthy someone or something seems to be, always dyor. Whether you’re buying an NFT or registering for an airdrop, verify the trustworthiness of the transaction.
Check the recipient’s address with their official website or spokesperson if you’re having doubts. Double-check the contract of any app using a block explorer to check you are interacting with the correct platform. In short, just make sure you verify each detail, and only click accept if you’re certain.
Final Thoughts on Crypto Scams
It is clear to see that scams are common, and navigating the crypto space can be a minefield. However, these bad actors should not deter you from interacting with the crypto sphere. If you follow the four simple rules of using a hardware wallet, keeping a cold account, not clicking links, and of course, doing your own research, then you greatly reduce the risk of being targeted by hackers and scammers.
To conclude – protect your assets, play safe, and have fun!
Crypto scam FAQ
Can you get scammed if someone sends you crypto?
Someone sending you crypto does not automatically mean that they can scam you. Think of it like having a bank account. If someone sends you money, it does not mean that they are scamming you. However, scammers can target you by sending you scammy assets. While some scam assets will simply try and redirect you to a malicious website, others will have in-built functions that can attempt to drain your wallet or access specific assets. If someone sends you crypto you don’t recognize, including spam NFTs, just ignore them. What you don’t interact with can’t hurt you.
I just fell for a crypto scam….What now?
If you’ve just been scammed, you now need to protect your wallet. How to handle the situation depends on how you got scammed. So let’s explore some of the best methods of protecting your wallet after being compromised.
What to do if a scammer stole a single asset
If the scammer was only able to take one particular asset, you may have signed a malicious approval. If that is the case, they may be able to steal that asset from the wallet again if you refill it. In this case, the first thing you should do is revoke the approvals on the account. This will stop any app from taking any more assets out of your account. While it may already be too late, it’s always good to revoke your approvals first. Next, the best course of action is to move all of your assets out of the compromised account. If you’re using an HD wallet you can create another account and move your assets there instead. Your new account has completely separate approvals, so it should be perfectly safe.
What to do if a scammer has access to a single account
If the scammer seems to have access to a single account, they have likely obtained the private key for that account. If that’s the case, they can move any asset in and out of your account without worrying about approvals. Yes, they can just sign transactions without limits themselves. In this situation, there is no use revoking approvals, the scammer already controls your funds.
If the scam is still ongoing, you’re racing against the clock. Transfer as many of your assets out of the compromised account as soon as you can. If you’re using an HD wallet, you can create a new account from the same interface and move all of your assets there.
What to do if a scammer has access to more than one of your accounts
Finally, if the scammer seems to have access to more than one account protected by your wallet, they likely have access to your secret recovery phrase. In this case, it’s necessary to set up an entirely new wallet with a new secret recovery phrase and transfer your assets to a newly created account there. If your SRP is compromised, every account associated with it (both past and future) is compromised along with it. If you’re using a software wallet, you will just need to download a new wallet. However, if you’re using a hardware wallet, you will
need to reset the device to generate a new secret recovery phrase. Make sure if you do that you have access to the old account so you can move your assets across though.
Can you report crypto scams?
Crypto laws differ globally and many laws are still in creation. However, scammers are beginning to face the consequences of their online actions. So, if you’ve been scammed, check your local laws and report to the police.
Additionally, there are now on-chain methods of reporting crypto crimes. A good example of one such method is chainabuse. This website allows you to submit reports on projects or individuals to help keep track of bad actors.
Another great way to report crimes on-chain is using Etherscan. If you encounter a wallet drainer or malicious app, you can report it using Etherscan. This will create a warning on the contract page which may help other users avoid the same fate. Finally, if all other methods fail, you might want to reach out to a blockchain sleuth such as ZachXBT or Intelligence On Chain. Although they tend to have numerous cases, it may be that details of your case will help sleuths solve a larger investigation. Crypto detectives might not immediately come to your call, but sometimes, you may be able to help them get justice for a wider pool of victims.