Today my guest is Simona. She is a cybersecurity expert and NFT artist who has helped many people in the community who have unfortunately been scammed. Simona is also the co-founder of Anchor DAO. Its core values are honesty and freedom of artistic expression.
In this episode we speak about one of the scariest but at the same time most important topics: security. The main purpose of this conversation was to learn how to prevent being scammed and to understand better what you should and shouldn’t do.
Food for thought
The criminals are using the same techniques they were using 10-15 years ago.
If you are an NFT artist, it’s not only the Ethereum or the NFTs that you lose. The problem is that you also lose your identity/profiles on the NFT platforms.
Where’s the problem?
It looks like the technology is already quite strong and the issues rarely come from that side. The weakest part is human psychology: 70-90% of attacks start with social engineering.
How does social engineering work? By common psychological triggers.
Scam example #1 (using 3 triggers at the same time)
I am sure we have all received the nice message where a scammer compliments our work, says they wanna buy it at a high price and asks us to help them figure out how to do that. In this case they are using not 1 but 3 different triggers, increasing the chance that at least one of them will work.
Trigger 1 – our need for attention and recognition (“I really love your art” )
Trigger 2 – financial gain or greed – (“I want to buy your art”)
Trigger 3 – feeling good about helping people (“Can you help me buy it?”)
Not a scam per se but another trigger that may get us in trouble is FOMO. The fear of missing out makes people rush into minting/buying and the time pressure makes them forget to pause, step back and check things before clicking/approving.
How to avoid most common mistakes that put you at risk
- don’t store your valuable items in a hot wallet (MetaMask)
- don’t download pirated software (it often carries backdoors that serve as attack vectors)
- don’t save passwords and seed phrases in digital format (NEVER do that)
- check for viruses before downloading stuff from the internet
- don’t click unknown links
- don’t fall for fake copies of legit collections
- don’t go for unverified free mints
- don’t use the same password everywhere
- use 2FA for all accounts (for that, better use Google Authenticator)
- don’t save the 2FA backup codes online/in digital format
- if you’re not sure about the person, ask them to get on a video call
- make sure your hardware wallet stays offline with no smart contract interaction
- check the spender approvals of your wallets on Etherscan. If it’s a spender you don’t recognise, immediately revoke those permissions directly from Etherscan
- don’t trust fake “expert” advice. Do your due diligence and check their track record/knowledgeability
Scam example #3
So how do they work these days?
You are mentioned on Twitter and there is a link to claim a free mint. You follow the link, connect your wallet and sign a message on your wallet. By signing you approve to take your NFTs out from your wallet.
How to prevent being scammed by this method?
- even before going to free mint sites, check the following: who is tagging you and whether you know that person, how many followers you have in common, and whether the account actually tweets or is just full of retweets
- check what you are signing. If you see the phrase “approval for all” – run
- make sure that the name of the website at the top and the contract/wallet you are interacting with match the collection you actually want to mint (if you see a different contract from the one you are minting, it’s a problem). You can check by copying the contract address and pasting it into OpenSea.
- always check the real collection account to see if they have announced any free mint
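The two checks above (does the contract match the collection, and is the wallet prompt an “approval for all”) can be applied to the raw transaction a mint site hands to your wallet. The following is an added example, not code from the episode or from any wallet; it decodes the calldata of a transaction request with plain JavaScript, using the standard ERC-721/ERC-20 4-byte function selectors, and also shows what an operator revoke (the action the Etherscan approval checker submits for ERC-721) looks like on the wire. The transaction and addresses are constructed for the demo.

```javascript
// Added example (not from the episode): inspect an EVM transaction request
// before signing it and flag the patterns the episode warns about.
// Assumptions: tx is {to, data} as a wallet would receive it; selectors are
// the standard 4-byte identifiers (keccak256 of the function signature).
const SELECTORS = {
  "a22cb465": "setApprovalForAll(address,bool)",         // ERC-721 / ERC-1155
  "095ea7b3": "approve(address,uint256)",                // ERC-20 / ERC-721
  "23b872dd": "transferFrom(address,address,uint256)",
  "42842e0e": "safeTransferFrom(address,address,uint256)",
};

function strip0x(hex) { return hex.toLowerCase().replace(/^0x/, ""); }

// ABI arguments are 32-byte words (64 hex chars) after the 8-char selector;
// an address is the low 20 bytes of its word, a bool is non-zero vs zero.
function word(data, i) { return data.slice(8 + i * 64, 8 + (i + 1) * 64); }
function wordAsAddress(data, i) { return "0x" + word(data, i).slice(24); }
function wordAsBool(data, i) { return BigInt("0x" + word(data, i)) !== 0n; }

// Returns a list of human-readable findings; an empty list means nothing
// alarming was decoded (it does NOT mean the transaction is safe).
function inspectTransactionRequest(tx, expectedContract) {
  const findings = [];
  const to = strip0x(tx.to);
  if (expectedContract && to !== strip0x(expectedContract)) {
    findings.push(`target contract 0x${to} is not the collection you expected (${expectedContract})`);
  }
  const data = strip0x(tx.data || "");
  if (data.length < 8) return findings; // plain ETH transfer, nothing to decode
  const selector = data.slice(0, 8);
  const fn = SELECTORS[selector];
  if (fn === "setApprovalForAll(address,bool)") {
    const operator = wordAsAddress(data, 0);
    if (wordAsBool(data, 1)) {
      findings.push(`APPROVAL FOR ALL: grants operator ${operator} control over every token you hold in this collection`);
    }
  } else if (fn === "approve(address,uint256)") {
    findings.push(`approve: lets spender ${wordAsAddress(data, 0)} move token/amount ${BigInt("0x" + word(data, 1))}`);
  } else if (fn && fn.includes("transferFrom")) {
    findings.push(`${fn}: moves token ${BigInt("0x" + word(data, 2))} out of ${wordAsAddress(data, 0)}`);
  } else if (!fn) {
    findings.push(`unknown function selector 0x${selector}; read the verified source on Etherscan before signing`);
  }
  return findings;
}

// Calldata for setApprovalForAll(operator, false): the transaction a revoke
// of an ERC-721 operator consists of.
function encodeRevokeApprovalForAll(operator) {
  return "0xa22cb465" + strip0x(operator).padStart(64, "0") + "0".repeat(64);
}

// Constructed demo: the site claims to mint from COLLECTION, but the wallet
// prompt targets a different contract and asks for approval-for-all to OPERATOR.
const COLLECTION = "0x" + "11".repeat(20);
const OPERATOR = "0x" + "ba".repeat(20);
const SUSPICIOUS_TX = {
  to: "0x" + "de".repeat(20),
  data: "0xa22cb465" + "0".repeat(24) + "ba".repeat(20) + "0".repeat(63) + "1",
};

for (const f of inspectTransactionRequest(SUSPICIOUS_TX, COLLECTION)) console.log("!", f);
```

A wallet prompt that decodes to `setApprovalForAll(..., true)` on a free-mint page is exactly the “approval for all – run” case; a genuine mint normally calls a mint function on the collection’s own contract and needs no approval at all.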
The above is just a summary. Simona mentions many more issues and examples, so make sure you go through the full episode.
Check out Simona’s book here.