Web3 Security & Scams: What to do to keep your assets safe
The world of Web3 is new and constantly evolving, making it a perfect environment for shady characters to take advantage of inexperienced users.
As a former financial advisor, I approached my first few months of learning about Web3 with suspicious resistance. Exploring a decentralized world without regulation pushed me out of my comfort zone. I needed to figure out who to trust and was overwhelmed by technical jargon and clunky user experience. To top it all off, I was learning in a hyper BUY NOW market, where the pressure was immense for fear of missing out, and scams were everywhere.
Thankfully the market has since settled down. Although scams are still prevalent, more and more experienced users are sharing their advice and guidance to help prevent them from happening.
Find trustworthy people to help
My first significant advice for avoiding scams is to find trustworthy people to help. Many Web3 communities provide excellent advice and share their stories of experience.
One community I belong to is Web3 Doers, and this week, I participated in a mastermind with its members to discuss the critical topic of security and avoiding scams.
Nicole Reznic, a member of Web3 Doers, provided some great advice to the group. Nicole worked in Web2 as a CRM consultant, protecting company and consumer data. She applied this experience to her safety measures in Web3. She founded Zernica, a business that helps extend luxury brands' customer experiences into Web3, building and leveraging data.
I asked her the following questions on the subject. Here are her answers:
For someone brand new to Web3, what is the best way to learn how to use a crypto wallet for the first time? What simple transactions should they practice?
I think the best way to learn about wallets is to set up one with minimal money on it and play around.
Some people first buy the currency (Ξ Eth, BTC, etc) through a cryptocurrency exchange, like some of the more popular ones: Binance (Europe and abroad), and others like Coinbase and Gemini (popular in the US).
Although you can often buy currency through some wallet applications like MetaMask (they have integrations like MoonPay, Banx or Transak) who will convert your fiat currency (wire, credit or debit) to the currency requested at the exact price plus gas fees and transaction fees. Note, this is easier to do than buying currency first at an exchange, but you will pay more for the simplicity and convenience.
I personally purchase my currency in large groups via Binance and Gemini and keep it in a wallet on a Ledger drive, which is separate from my other wallets and fund them as needed. This allows me to control the funds and to manage the exchange rates to buy at favorable moments and get better exchange rates.
For more information on how to set up your wallets, YouTube also has many videos on how to set them up. Someone I like is Becks Perfect @ Nifty World who has a series of many different NFT videos on how to secure a wallet using Ledger.
What is the best practice for keeping your recovery phrase safe?
The private key is super critical to keep protected and hidden when you first create a new wallet. It is a 24 word phrase algorithmically created that ties your account to the holder of that key.
Personally, I would keep that 24 word passphrase in a metal plate and hidden or stored away from your access spots. It is more permanent than paper and more secure than saving it digitally which could be hacked. I use a company called Billfodl, which has metal plates you use to spell the phrases and it is stainless steel and fireproof.
What Web2 security advice should I follow and apply in Web3?
Having been an email marketer for many years, I hate junk email. So, I use different email addresses for different functions. As I have various wallets for various security levels, I use different email addresses for setting these up.
Personally, I do not want my personal email used for all NFT projects. This helps to disconnect my social media accounts to my crypto buying and my NFT holding. Depending on where you live, you may use various tools to buy Crypto and hold NFTs.
Is it safe to do transactions through a crypto wallet on my phone?
If you have different types of wallets, you can have different integrations in your desktop browsers. Don’t ever trade, buy or sell online using your phone. I never suggest this. One, many things can go quickly on a phone and the security of a desktop or laptop is less mobile than your cellphone on a wireless network.
Do your Web3 business on secure closed networks via desktop browsers.
Personally, I keep my MetaMask wallet on FireFox, where I integrated my Metamask wallets through an add in, but I use Chrome to view things, and surf online to research projects, though it is not connected to my wallets in Metamask.
What is the best way to research NFT projects and its founders?
DYOR is a term you will hear quite a lot. It means Do Your Own Research. The best way to do that is consider these things first:
How did you hear about this project?
Who is giving you this advice
What is there to gain for them by selling this to you?
For the project research I like to do a Google search and see what their webpage offers, who has written articles about it, and what caliber of the news it is on. How long has the business been building? What other projects exist, if any?
As for the founders, I do a Google search, LinkedIn search and check to see what their past and connections look like and how comfortable I feel with their project based on their backgrounds. Honestly, my biggest red flag is often their lack of info. Lastly, I check transactions and wallets on Etherscan and Polygonscan.
What is Etherscan and Polygonscan? Why is this information useful to conduct research when buying NFTs?
These are the respective tools you can use to research the NFT, the wallet or the address/hash/block/token/domain in question. Etherscan for Ethereum-based tokens and products, and Polygonscan for the Polygon/Matic tokens and products.
If you find a fresh wallet with NO transactions before it, red flag.
How many wallets should someone own? What is the best way to organize and keep track of them?
I would say most people should have at least 2-3.
One should be a burner wallet with very little money (gas fees only) on it, to ensure when you connect it to minting sites, it leaves them with nothing to steal, if they ever do get access. You can often transfer assets to other accounts, and if you are hacked in one, you can quickly transfer major assets to another account quickly before they clear it out.
If I was given an NFT for free, should I always assume that it is a scam? If not, where should I go to find out?
Not all NFTs that are free are scams. But I would always wonder specifically if you are not paying for it, what are they getting from you in return?
Some free NFTs can actually be the trojan horses to getting you to interact with these bad actors.
In your OpenSea wallet, you may find a folder called Hidden. Some of those NFTs are to whet your appetite for new projects and have you pay modest fees for more.
But other free NFTs are there to be “bought” by someone. Here are the steps they take:
Often they place an offer to you well above a normal price, and you get tempted to sell it to this person.
This scammer then directs you to an alternate site to sell or trade.
Then on this new site, it will create a trojan horse into your account.
If you give access to it for one NFT, you may not realize that you just gave them access for ALL your NFTs.
They drain your wallet of all your assets.
What should I do if I find out that I was scammed? Should I not use that wallet again?
Unfortunately with decentralized finances, there is no bank to call if you have a problem with your cryptocurrency or NFTs. Each transaction is permanent and no one is there to “help” or intervene. The ecosystem is still developing but a centralized authority is not part of the solutions so far.
So the tough part here is that it depends on the scam.
Most scams happen when you connect outside of the NFT market environments, so what you may find is you are led to a webpage with a domain that can likely be researched on the scan tools. You can also look up the wallet that you interacted with and see if your NFTs are there.
While there is no real court or justice for such a problem like scammers, you can get the wallet address and the NFT number and see if the issuer can flag that NFT you held, or even reissue you another NFT. Don’t expect them to do this, but some communities can red flag that NFT if they find it in a market place. OpenSea can do this if you report it to them via a support ticket with a police report within 7 days of it happening. https://support.opensea.io/hc/en-us/articles/4815371492499-What-is-OpenSea-s-stolen-item-policy-
I would permanently delete that wallet and ensure you create a new wallet to house your hot wallet NFTs, and of course be extra careful with your interactions going forward!
When it comes to safety and security in Web3, the best advice is to go slow and practice with less valuable assets so that you are comfortable with the process and be able to catch red flags if they come up. Also, find a community or mentor so that you can ask your questions with someone you trust.
There are many great resources available on this subject, here are a few more tips to check out:
8 Dangerous Crypto Scams & How to Avoid Them
5 Types of Crypto and Web2 Scams
Here’s How to Avoid Scammers and Phishers
As always, reach out if you have any questions or want to learn more! Thank you Nicole for your contribution to this article. You can connect with her at Alpha@zernica.com