Cybercriminals are developing more and more sophisticated ways to swindle victims out of their assets, with a particularly popular method being phishing. So how exactly is phishing used to steal NFTs?
What Is Phishing?
Before we dive into how phishing is used to illegally retrieve NFTs, let’s quickly go over what phishing actually is.
You’ve probably heard of phishing before, as it is an incredibly popular technique used to steal all kinds of sensitive data. In this process, cybercriminals use phony emails, texts, or websites to trick users into believing they’re interacting with an official entity.
For example, a malicious individual may send victims an “urgent” email that looks exactly like one PayPal would send. The email may, for instance, state that there has been some unusual activity on the recipient’s account, and that they need to sign in to their account to verify whether the activity was carried out by them or not.
After the victim clicks on the link provided in the email and signs into their account, they have unknowingly provided the cybercriminal with their login information, giving them access to their funds. In all likelihood, the victim’s funds will already be gone or spent by the time they realize what has happened.
Because many individuals don’t know what to look out for to avoid phishing, this method of cybercrime can have a good success rate. This is why it’s now being used to swindle people out of their precious NFTs. So, let’s get into how exactly phishing is used in NFT theft.
How Is Phishing Used to Steal NFTs?
You may think that the cryptography used in the process of buying and storing NFTs makes the whole system super secure. And, yes, it would certainly be difficult for a cybercriminal to access your NFTs without some of your sensitive data. But this is why phishing is used in the theft process.
There are a number of ways through which online attackers can get their hands on your NFTs by phishing, all of which you should watch out for to keep your assets safe.
1. Phishing via Discord
In recent years, the social media site Discord has become a popular option for crypto and NFT enthusiasts who want to connect with each other and the artists or developers they love. But cybercriminals are all too aware of this and therefore use Discord to target unknowing users.
Fake NFT giveaways are a particularly popular phishing method on Discord, wherein scammers impersonate NFT artists and convince users to divulge certain information so that they can enter the giveaway. These giveaway phishing scams will often require you to provide your private key or seed phrase to enter.
However, no legitimate giveaway would ever ask you for these two pieces of sensitive data. So, if you’re ever asked to provide your seed phrase or private key to enter a giveaway, back away immediately. There’s no reason why your private key would be needed to receive any kind of asset, so if you’re asked for this, you’re most certainly on the verge of being swindled.
2. Phishing via Emails
Cybercriminals often rely on emails to trick users into divulging sensitive information. Many people have given away their bank account details, login info, and even social security numbers through these scams, and now, NFT owners are being targeted.
So, if you ever receive an email from an alleged NFT artist, project developer, or company, be aware that it may be a scam. Such emails can contain links to NFT drops, giveaway sites, or similar, and will likely ask you to give away your seed phrase or private key.
Alternatively, these emails may come in the form of a notification from a marketplace, alerting an NFT owner that someone has allegedly bought or placed an offer on an NFT they’re selling. Users will be asked to click on the provided link and log into their marketplace account. If they do, the scammer will then be able to access their account and the NFTs they’re selling on there.
This happened in March 2022. Cybercriminals impersonated OpenSea, a popular NFT marketplace, and sent emails to users to access their login information. A number of individuals fell victim to this scam, and hundreds of NFTs were unfortunately lost as a result.
This is why it’s important that you do not click on the links provided by an alleged marketplace in an email. If you’ve been notified that your NFT has sold or an offer has been made, go to the marketplace directly and log in there. Then, you can see if there really has been any activity associated with an asset you’re selling.
3. Phishing via Instagram
A lot of NFT artists use Instagram to promote new work, discuss developments, and connect with their fans. But this has given way to impersonator accounts, through which unsuspecting victims are targeted with phishing scams.
Scammers will often carry out this kind of swindle by messaging users who follow the artist or project they’re impersonating, or users who clearly have an interest in NFTs in general. They will inform the user that they’ve won a giveaway, and will then provide a link to the site where they can claim their prize.
Of course, there is no real prize, and the link is only provided so that users will provide the scammer with the information they need to access an account or wallet that they own. At that point, it’s likely already too late for the victim.
But impersonation accounts aren’t where things end in terms of Instagram NFT scams. More advanced criminals can hack official accounts, and target individuals from there. This layer of apparent authenticity gives scammers an even better chance of tricking users.
4. Phishing via Twitter
Like Instagram, a lot of NFT artists and projects gain a big following on Twitter from fans and enthusiasts interested in their work. And this just provides another way for cybercriminals to exploit users.
NFT phishing scams on Twitter operate the same way as they do on Instagram, with criminals either targeting victims via impersonator accounts or hacking official accounts and going from there. Scammers can also post phishing links publicly from fake or compromised official accounts to cast a wider net and draw in even more victims.
Because of this risk, you need to be cautious whenever you’re met with any kind of NFT giveaway link. Again, if you’re ever asked for any kind of sensitive information to enter a giveaway, be on your guard. There is no reason why your seed phrase, login password, or private key would ever be needed in a giveaway.
You can also use link checker websites to check if a link is legitimate or not before clicking on it.
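The checks described above (a link that does not really lead to the marketplace, and a request for a seed phrase or private key) can be sketched in a few lines of Python. This is an added example, not code from the original article or from any marketplace; the trusted-host list, the 0.8 similarity threshold, and the sample messages are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumption: the sites you actually use; adjust to your own list.
TRUSTED_HOSTS = ("opensea.io", "discord.com")
SECRET_REQUEST = re.compile(r"\b(seed\s+phrase|recovery\s+phrase|private\s+key)\b", re.I)
URL = re.compile(r"https?://[^\s<>)]+", re.I)

def is_trusted(host):  # exact match or a real subdomain of a trusted host
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)

def imitated_host(host):
    """Return the trusted host this one appears to imitate, or None."""
    for trusted in TRUSTED_HOSTS:
        brand = trusted.split(".")[0]
        if brand in host:  # brand name embedded in someone else's domain
            return trusted
        for label in host.split("."):  # near-miss spelling such as 0pensea
            if SequenceMatcher(None, label, brand).ratio() >= 0.8:
                return trusted
    return None

def review_message(text):
    """List the reasons a message should not be trusted (empty if none found)."""
    findings = []
    if SECRET_REQUEST.search(text):
        findings.append("asks for seed phrase or private key")
    for url in URL.findall(text):
        # hostname ignores any "user@" prefix: opensea.io@other.example -> other.example
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        if is_trusted(host):
            continue
        target = imitated_host(host)
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append(f"punycode host: {host}")
        elif target:
            findings.append(f"{host} imitates {target}")
        else:
            findings.append(f"unrecognised host: {host}")
    return findings

# Constructed sample messages (not real emails or domains).
FAKE_SALE = "Your NFT sold! Log in: https://opensea.io.account-verify.example/login"
FAKE_GIVEAWAY = "You won! Enter your seed phrase at https://0pensea.example/claim"
LEGIT_NOTICE = "View the offer at https://opensea.io/account"
if __name__ == "__main__":
    for msg in (FAKE_SALE, FAKE_GIVEAWAY, LEGIT_NOTICE):
        print(review_message(msg) or "no findings", "<-", msg)
```

An empty result only means none of these particular signs were found, so going to the marketplace directly remains the safer habit.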
The NFT Landscape Is Rife with Scammers
With NFTs reaching incredible price points, it’s not surprising that cybercriminals are doing all they can to take advantage of this booming market. So, if you own any kind of NFT, keep in mind that you should never give any of your sensitive information away, as this can be used to quickly and irreversibly steal your valuable assets.