You've probably heard of airdrops, right? Well, although seemingly a win-win and potentially useful for new projects looking to quickly distribute tokens, airdrops can be a scam vector in numerous ways.
A common scam involves airdropping unsuspecting users with a token whose smart contracts make it impossible to be moved from your wallet. So, naturally, when you try and move it, the transaction will fail.
How failed transaction scams work
Here's how common and garden failed transaction scams usually go:
- A mysterious token is airdropped into your wallet. At first, you may not notice it — this could be because in MetaMask, tokens are only auto-detected on certain networks if they belong to lists of established tokens. However, you might run into it whilst looking at your wallet activity in our Portfolio Dapp or a similar platform, or by looking at your account on a block explorer.
- You try to transact using the token. On finding out from a token listing site that the token actually has some value, the natural reaction from most users unaware of the scam vector is to try and swap it for a more established token, and bank its value.
- Your transaction (swap) fails. For tokens configured to deliberately facilitate these scams, your transaction could never have completed. So if you're intrepid and persistent, you'd visit a block explorer to try and identify the cause of the failed transaction.
- The failure message directs you to a fraudulent site that will steal your funds. When you open up the transaction's details on the block explorer, you'll see a message asking you to head to another website to stake/swap/cash out (etc.) your airdropped token. Once there, the scammers could potentially try and scam you by:
- Manipulating you into handing over your Secret Recovery Phrase (you should never give this to anyone).
- Encourage you to sign an approval that grants them access to all tokens of a certain type in your wallet (which they'll then use to quickly transfer them to their own wallet).
The message attached to your failed transaction is therefore a lure to a location of the scammer's choosing where they can most easily coerce you into handing over tokens or your SRP.
The nature of scams is always developing, so it's entirely likely that if you encounter this method, it won't follow the above steps by the letter. It could include other methods such as simply manipulating you into sending tokens to an address (usually with the promise of earning more back in return, at some point) or handing over personal information like bank account numbers or card details.
How to avoid failed transaction scams
Unfortunately, and like any other web3 scam, there is no single trick or downloadable software that can prevent you from falling victim to this scam. When using a self-custodial wallet like MetaMask, you are solely responsible for your safety. Stick to these general principles:
- Never give your Secret Recovery Phrase (seed phrase) to anyone, regardless of who they say they are or what they're offering. Someone called "Metaa__MasK-support" on Twitter is not out to help you.
- Be sceptical of anything that seems too good to be true, because it most likely is. Ridiculous APYs, sky-high returns, free money, etc. — it will probably be a scam, or, at best, something you should think twice about getting involved in.
- Clue up on how token approvals work and why they're a common scam attack vector. Read more here.