In light of the recent OpenSea phishing attack, it's definitely a good time to refresh on some ‘best practices’ for NFTs.
Of all the advice we can give on NFT safety and security, the simplest piece we could give you is to take your time because most scams incorporate some aspect of time sensitivity. Scammers want the panic-parts of your brain to light up. They want you to make a rushed decision. In many of the cases we will go through in this article, stepping back, sitting on your hands for a minute, and then doing research are good first steps.
Anti-Phishing
Email is a cheap and easy way for scammers to get their foot in the door. It never hurts to check the sender address on an email that seems either catastrophic (YOUR NFTs ARE UNDER ATTACK) or too good to be true (YOU’VE WON A FREE NFT, OFFER EXPIRES SOON.)
Some phishing emails will be extremely convincing. Take a step back, scammers want you to rush in and follow their directions. Don’t. Even if the sender’s address is not obviously fraudulent, still don’t take immediate action.
Most importantly, don’t click links or open files. Simply opening a link sent from a fraudulent source can infect your device with key-logging software. If you click their link or open their file, you might not be doomed, but you should consider doing a careful software cleaning of your device.
Chances are, if there is something important that an exchange or wallet service needs you to do, like correcting your information for tax purposes, you can do it directly within their app (no need for an external link.)
And if you’re really unsure, reach out directly to customer support at the service in question – they'll be able to verify whether the email was legitimate or not.
Never Share Your Seed Phrase or Private Keys
Your seed phrase is what stands between you and all the cowboys trying to steal your NFTs.
No one should ever ask you to share your seed phrase or private keys (a rare exception is when you have to recover a lost or stolen wallet.)
On that note, keep your seed phrase or private keys in a secure, non-digital place. Don’t keep your seed phrase or private keys anywhere online or on your computer or your smartphone – anything connected to the internet is potentially susceptible to hackers.
Likewise, don’t store your private keys by writing them on the back of a Post-It note, things get lost and ruined. Your keys should be stored on/in something that is relatively hard to get to and hard to destroy.
Lastly, it is best practice to utilize a hardware wallet if you're currently only using a hot wallet like MetaMask on your phone or desktop. By connecting your hardware wallet via the MetaMask software, you can still do all of your desired transactions, but now they will be much more secure as they require physical confirmation via the hardware device.
Watch Out With Airdrops and Permissions
Everyone loves airdrops, it feels like free money, but don’t let the combination of an airdrop announcement and one too many coffees in your system end up with you getting scammed.
A shady airdrop could include a prompt to grant permissions to your wallet, thus ceding control over your assets.
Step back before claiming an airdrop. Make sure the airdrop was announced by the verified source, whether that be an NFT creator or a protocol. Once again, don’t rush, if the airdrop is legitimate, it usually will be claimable over an extended period of time, like weeks, not minutes.
However, if you have already granted permissions to a shady or uncertain project, it's not too late, there are steps you can take to remove permissions that are unwanted or no longer necessary. In fact, it might be a good idea to check and clean your wallet permissions periodically, regardless of if you think any are compromising.
Marketplace, Minting, and Buying
At this point in the NFT boom, there are countless NFT marketplaces to choose from.
An easy way to get scammed is by buying or minting an NFT from an unsafe or inauthentic source.
Make sure that you are safely minting or buying from a verified source (a blue checkmark next to their name on OpenSea) on a reputable marketplace (look up the official website for the collection and then click their direct link to the marketplace.)
Beware, scammers can get verified, so don’t take a checkmark as proof alone.
Double-check the name of the collection, the number of items in the collection, the volume traded, the floor price, the description, and the traits section– these statistics should roughly match what market trackers have listed. If a deal looks too good to be true, if a Bored Ape is selling for 1% of its market value, then it's a scam.
Check the Smart Contract
For the more technically savvy, you can check the NFT contract yourself.
Does the contract address match the provenance record listed on the NFT collection’s official website? See this video for a simple explanation of verifying the contract address.
As a plus, by reading through the smart contract yourself, you can catch issues, intentional or not, within a developer's code.
For now, we hope the aforementioned steps help to restore your confidence and provide you with actionable guidance relating to the safety and security of NFTs.
As always, remember to take your time and do your own research.
Happy Flipping,
The Flip Team
Disclaimer: Not financial or tax advice. This article is strictly educational and is not investment advice or a solicitation to buy or sell any assets or to make any financial decisions. This newsletter is not tax advice. Talk to your accountant. Do your own research.