NFT Security Guide
NFTs: How to Avoid Scams
(TLDR at bottom) The crypto and NFT scene has a dark underside of people lurking to scam others new to the scene. Transactions with NFTs cannot be reversed, so one wrong move and your favorite ones are gone. People pose as mods, create fake sites, DM acting helpful, and so much more, but once you know what to look out for, you can better protect yourself from being scammed.
It Starts with your Wallet
Buying an NFT starts with setting up your wallet. When you first create a wallet you’re given a seed phrase, which is literally the control key for EVERYTHING in your wallet. If someone has your seed phrase, they literally own your wallet. They can restore your wallet on their own device and control it. UNDER NO CIRCUMSTANCE SHOULD YOU EVER GIVE OUT YOUR SEED PHRASE.
I take it a step further and suggest you never take a screenshot or copy/paste your seed phrase. The safest thing you can do is write it down on a piece of paper or in a notebook for safekeeping. If you ever forget your password or your device/computer gets fried, you can use your seed phrase to recover your wallet and everything in it.
We say to not take a picture of your seed phrase because computers/phones/etc get hacked all the time, oftentimes without the owner even knowing. If you have a picture of your seed phrase and a scammer sees it, they will try and use it. They will then own your wallet. Do not take pictures of your seed phrase, write it down. It’s the only way to make sure you’re safe.
NOBODY FROM THE TEAM WILL EVER DM YOU
We are very public with everything we do/post. If you ever receive a DM from someone claiming to be support/mod/team/anything really, it is NOT FROM OKAY BEARS YACHT CLUB. It is a scammer. Please close your DMs and report anything like this to an actual mod.
If there ever is a need to give out sensitive information to a mod in OBYC, we will have you open a ticket. Again, NOBODY FROM OBYC WILL EVER DM YOU.
TURN OFF YOUR DMs FOR DISCORD
If you join an NFT server with your DMs enabled, it’s only a matter of time before you’re spammed with a scam. You can always add someone as a friend to DM with them, but I guarantee you if your DMs are open, you will receive a scam before long. For your safety and sanity (scammers message very often) I suggest you disable your DMs for any NFT server you are in.
ENABLE 2FA ON YOUR DISCORD ACCOUNT
One of the best things you can do to protect your account is enable 2FA. Two-factor authentication will require you to verify through text or email that it’s actually you logging in whenever you log in on a new device or whenever you’ve been fully logged out. It’s a bit annoying, but REALLY helps to keep your account secure from password stealing/phishing. Unfortunately this will not help you if your Discord token is stolen, which is why we say to never click links sent to you in a DM or from someone you don’t know.
NEVER CLICK ANY LINK SENT TO YOU IN A DM
Links sent by direct message are one of the biggest ways people get their wallets/accounts stolen. I recommend you turn off your DMs, but if you don’t, NEVER CLICK A LINK IN A DM. Even if you know the person, accounts can be compromised, and one of the first things a scammer does is message a malicious link to everyone in the friends list. The only way I would click a link in a DM is if I was actively chatting with someone I already knew and was expecting them to send me a link, which rarely happens. If it’s a link to a project, I’ll usually still google the project and click through from their Twitter or Discord.
CHECK WHO YOU’RE TALKING TO
Just because someone has the same name as a mod and even the same profile picture, does not mean that you’re actually talking to a moderator/team member. If you click their name you’ll be able to see their full Discord name. Oftentimes these will be something completely different because you can change your name in individual servers.
To help protect yourself, go into an announcement and click on the actual moderator’s name and see what their full Discord name is, including the four numbers that come after the name. If an impersonator does have the same name, check to see if the four numbers match. Be extra careful because a lowercase L looks like a capital I, zeros look like the letter O, and so on.
This also stands true if a friend DMs you out of the blue with a link or a message you weren’t expecting that promises something for free. Scammers use these tactics when they hijack an account to steal more people’s accounts. They’ll send a mass DM with a scam link to their victim’s friends list.
CREATE A SECOND WALLET FOR FREE/DEGEN MINTS
You never want to connect your main wallet or your NFT/crypto storage wallet to any contract you don’t know. Ideally you’ll have your main storage on a wallet you almost never use and/or a physical (hardware) wallet you also rarely use. Websites can be compromised or entire projects can be scams. You never want to connect your main wallet to anything if you can help it.
Create a second (or a third if you need to) wallet and keep a minimum amount of crypto in there to cover gas. ONLY use this wallet for free/degen mints. If you get something that ends up doing well that you’re not going to sell right away, transfer it to your storage/cold wallet or create another wallet.
I also recommend that you initiate your burner/extra wallet when gas is low on OpenSea. Before you’re able to sell anything on OS you have to pay an initiation fee. When gas is low it’s under $15. When gas is high it can be $80+. I’ve minted bad mints I could tell were going to drop in price but gas was high and I would’ve lost money to initiate at the time. Now I make sure all my burners have that done before I’m in a position to want to sell.
ALWAYS DOUBLE CHECK YOUR TRANSACTIONS BEFORE CONFIRMING
Once you’ve confirmed a transaction, it’s very hard to cancel it, and once it’s completed you cannot reverse it. Just because a website says one thing doesn’t mean it’s doing that same thing with your wallet. Always double check that the function matches what you’re trying to do. If you’re trying to mint, you want to see mint, or free mint, etc. If it says transfer or approve all or similar, reject the transaction immediately.
A common scam these days is advertising a mint as free and then changing the price in the actual wallet request. The site will say free, but then in the wallet they will charge way more. Keep in mind that wallet requests queue. You’ll literally see at the bottom it will say “XX of transactions/requests” and there’s a prompt at the bottom to accept/reject all. ALWAYS make sure you’re only approving one transaction and not several.
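The two checks above (is the function really a mint, and does the charged value match what the site advertised, with the queue counted as a red flag) as an added example, not code from this guide. It decodes the raw calldata of a wallet request; the sample requests are constructed, while the 4-byte selectors are the standard ERC-20/ERC-721 function ids.

```python
"""Inspect wallet requests before confirming. Constructed sample data; the
selectors are the well-known ids of the standard approval/transfer functions
that a plain mint page has no reason to ask for."""

# selector = first 4 bytes of keccak256("name(types)") for each function
DANGEROUS = {
    "a22cb465": "setApprovalForAll(address,bool)",
    "095ea7b3": "approve(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
    "42842e0e": "safeTransferFrom(address,address,uint256)",
    "b88d4fde": "safeTransferFrom(address,address,uint256,bytes)",
}

def decode_request(calldata, value_wei, advertised_price_wei):
    """Verdict for one request: flags approval/transfer calls and any ETH
    value above what the website advertised."""
    data = calldata.lower().removeprefix("0x")
    selector, args = data[:8], data[8:]
    reasons = []
    name = DANGEROUS.get(selector)
    if name:
        detail = name
        if selector == "a22cb465":
            # ABI layout: word 0 = operator address (low 20 bytes), word 1 = bool
            operator = "0x" + args[0:64][-40:]
            approved = int(args[64:128] or "0", 16) != 0
            detail = f"{name} operator={operator} approved={approved}"
        reasons.append(f"not a mint: {detail}")
    if value_wei > advertised_price_wei:
        reasons.append(f"charges {value_wei} wei, site advertised {advertised_price_wei}")
    return {"selector": selector, "function": name, "ok": not reasons, "reasons": reasons}

def review_queue(requests, advertised_price_wei):
    """Review every queued request; more than one queued request is itself a
    red flag because 'accept all' would approve the hidden ones too."""
    verdicts = [decode_request(r["data"], r["value"], advertised_price_wei) for r in requests]
    if len(verdicts) > 1:
        for v in verdicts:
            v["ok"] = False
            v["reasons"].append(f"{len(verdicts)} requests queued; never use accept all")
    return verdicts

# Constructed sample: a "free mint" page queues an honest-looking mint() call
# (selector 0x1249c58b) behind a setApprovalForAll(operator, true) request.
SAMPLE_QUEUE = [
    {"data": "0x1249c58b", "value": 0},
    {"data": "0xa22cb465" + "0" * 24 + "ab" * 20 + "0" * 63 + "1", "value": 0},
]

if __name__ == "__main__":
    for v in review_queue(SAMPLE_QUEUE, advertised_price_wei=0):
        print("OK" if v["ok"] else "REJECT", v["reasons"])
```

An unknown selector is not proof of safety; the check only catches the standard approval and transfer functions, so the function name shown by the wallet still needs to be read.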
THERE WILL NEVER BE AN UNANNOUNCED/SUDDEN FREE MINT
Sometimes a mod’s or team member’s Discord account can get hacked. The OBYC team all have 2FA enabled and are using best practices to avoid this, but sometimes things do happen. When this happens scammers have full control of that Discord account and can post as the mod in any channel the mod has access to.
Usually they’ll create an announcement about a fake free mint to try to get people to connect their wallet to it. OBYC WILL NEVER HAVE AN UNANNOUNCED MINT. If you ever see a sudden post about an unplanned mint, it is not real and you should not click the link and definitely not connect your wallet to the site. When this happens the scammers will put up their fake free mint post, @ everyone and then continue to post it over and over to try to get as many people scammed as possible. Oftentimes you’ll see the posts being deleted and then reposted over and over.
IGNORE/HIDE RANDOM AIR DROPS TO YOUR WALLET
There are scams that involve sending you an NFT that runs code when you interact with it. Scammers will send you a random NFT, and then if you go to list it/sell it/etc. they’re able to steal from your wallet. When you receive something that you are not expecting, move it to your hidden folder and try to forget about it. There is currently no way to safely remove these; the best thing to do is hide and forget.
REVOKE PERMISSIONS FROM TIME TO TIME
Every now and then it’s best to go remove permissions for your wallet that you don’t use anymore. This helps protect your wallet from malicious attacks done on sites that you may have connected to in the past. We’ve partnered with EverRise’s EverRevoke tool as the preferred method for revoking token approvals to help you take control over the access external protocols have to your wallet.
CONFIRM WEB ADDRESS BEFORE CONNECTING
Always double check the URL for sites you are on: make sure they are spelled right and are using the correct TLD (.com/.xyz/.io/etc). Scammers will substitute similar-looking letters/numbers to fool you into thinking you’re on the right site. Recently a scammer did ALMoonbirds, which when written in lower case looks almost the same as the original project (almoonbirds instead of aimoonbirds).
Whenever possible search for a project’s Discord/Twitter and click through from there. The OpenSea search is terrible and often has scam projects listed so I highly recommend searching for a project’s Twitter and getting to OpenSea through their posted links.
TLDR
- TURN YOUR DMS OFF
- ENABLE DISCORD 2FA
- NEVER CLICK A LINK SENT TO YOU IN A DM
- MOD/TEAM WILL NEVER DM YOU
- NEVER GIVE ANYONE YOUR SEED PHRASE FOR ANY REASON
- THERE IS LITERALLY NEVER A REASON TO GIVE OUT YOUR SEED PHRASE, NEVER, NEVER, NEVER