NFTs played a considerable role in the surge that web3 experienced in 2021. Creating, buying, and selling all helped raise asset prices, and web3 was further pushed into the spotlight of mainstream media coverage and discussion amongst people who had previously had no involvement with crypto.
Abstracting crypto away from numbers and charts and into art and collectibles means that NFTs often appeal to people who, in years gone by, would not have been involved with crypto. This is part of what makes them such an appealing target for scammers. If you're not an experienced web3 participant, and just got involved because you want to explore a new and more rewarding way of selling your art, you're less likely to be clued up on the technical underpinnings of blockchain, smart contracts, and tokens, and therefore more likely to fall victim to a scam.
That's not to say that those involved with NFTs aren't knowledgeable; just that the popular appeal of these assets may attract people who are unaware of key web3 security principles.
How does this scam work?
Borrowed from the term for creating that much more traditional asset, the physical coin, the word 'mint' describes the act of creating an NFT. From its minting onwards, the asset and its owner are recorded on the blockchain.
In a lot of cases, NFT creators or collectives distribute new collections through open minting processes, where anyone can get involved. Often these are gated by membership of a certain club, possession of existing related NFTs, or some other credentials. Sometimes, though, they're fully public, with a first-come, first-served model.
These are usually the situations that scammers are trying to lure you into. Though the circumstances can and do vary significantly, this is the general procedure:
- The scammer invents an NFT project. Sometimes this may be almost impossible to distinguish from a genuine project. In other cases, it may imitate existing prominent projects in some way, to capitalize on — leech off — the interest they attract.
- They present you with the scam NFT mint, and apply pressure. Emails, SMS, Telegram, Instagram, Twitter, Reddit... the number of possible options for publicising a scam NFT project is considerable. Once they've made you aware, they will contrive various ways of convincing you that you absolutely need to get involved, right away.
- You're made to sign a transaction that results in you losing funds. Again, the scope for this is large. Types of transactions that scammers may prompt you to sign include:
  - Send: A simple 'send', i.e. transfer of funds. This should ring alarm bells because it demonstrates you're not receiving anything in return — you're just asking to have funds removed from your wallet and added to someone else's. NFTs will not be involved at all. It is also not a contract interaction, meaning it couldn't possibly be interacting with an NFT smart contract.
  - Token approval: Asking you to authorize the dapp and its smart contract to move around a given amount of a token in your wallet (you can read more here). Think: "Why would I need to provide access to my tokens to mint an NFT?" Answer: you shouldn't. NFTs will need gas, paid in ETH, to mint. But an NFT mint certainly won't need access to any token, such as an ERC-20.
  - Dangerous transaction (warning message): Sometimes MetaMask will automatically identify when you're interacting with a suspicious contract, and present you with a warning message in red text advising that you may be handing over control of a significant amount — or all — of your assets. A suspect NFT mint site may prompt this message. If you see it, you should never sign the transaction.
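The send and token-approval cases above can be told apart from the raw transaction request before signing. The following is an added example, not MetaMask's code: `classifyMintRequest`, the sample addresses and the final selector are constructed for illustration. It goes slightly beyond the text by also recognising `setApprovalForAll`, the collection-wide approval used for NFTs.

```javascript
// Added example (not MetaMask code): classify what a "mint" page asks you to sign.
// Selectors are the first 4 bytes of keccak256 of the standard function signature.
const APPROVE = "0x095ea7b3";              // ERC-20 approve(address,uint256)
const SET_APPROVAL_FOR_ALL = "0xa22cb465"; // ERC-721/1155 setApprovalForAll(address,bool)
const MAX_UINT256 = (1n << 256n) - 1n;

// ABI arguments are 32-byte (64 hex char) words following the 4-byte selector.
function word(data, index) {
  const hex = data.slice(10 + index * 64, 74 + index * 64);
  return hex.length === 64 ? hex : null;
}

function classifyMintRequest(tx) {
  const data = (tx.data || "0x").toLowerCase();
  if (!/^0x([0-9a-f]{2})*$/.test(data)) return { kind: "malformed", risk: "high" };
  if (data === "0x") {
    // Empty calldata: a plain send. Nothing is minted; value just leaves the wallet.
    return { kind: "send", risk: "high", wei: BigInt(tx.value || "0x0") };
  }
  const selector = data.slice(0, 10);
  const who = word(data, 0);
  const arg = word(data, 1);
  if (selector === APPROVE && who && arg) {
    // tx.to is the token contract; the spender may move up to `amount` of it.
    const amount = BigInt("0x" + arg);
    return { kind: "token-approval", risk: "high", token: tx.to,
             spender: "0x" + who.slice(24), amount, unlimited: amount === MAX_UINT256 };
  }
  if (selector === SET_APPROVAL_FOR_ALL && who && arg) {
    const granted = BigInt("0x" + arg) !== 0n;
    return { kind: "approval-for-all", risk: granted ? "high" : "low",
             collection: tx.to, operator: "0x" + who.slice(24), granted };
  }
  // Any other contract call may be a real mint, but still needs due diligence.
  return { kind: "contract-call", risk: "review", selector };
}

// Constructed sample requests; addresses and the last selector are placeholders.
const SITE = "0x" + "11".repeat(20), TOKEN = "0x" + "33".repeat(20);
const pad = (hex) => hex.padStart(64, "0");
const SAMPLES = {
  send: { to: SITE, value: "0x16345785d8a0000", data: "0x" },
  approve: { to: TOKEN, value: "0x0", data: APPROVE + pad("22".repeat(20)) + "f".repeat(64) },
  approveAll: { to: TOKEN, value: "0x0", data: SET_APPROVAL_FOR_ALL + pad("22".repeat(20)) + pad("1") },
  other: { to: SITE, value: "0x16345785d8a0000", data: "0x12345678" + pad("1") },
};
for (const [name, tx] of Object.entries(SAMPLES)) {
  console.log(name, classifyMintRequest(tx).kind, classifyMintRequest(tx).risk);
}
```

A result of `contract-call` only means the request is not one of the obvious non-mint shapes; it says nothing about whether the contract itself is trustworthy.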
What's all this talk about smart contracts?
An NFT mint is always orchestrated by a smart contract. Whether you 'create' your NFT on a major marketplace or write your own smart contract to do so, you need to interact with the Ethereum Virtual Machine so that your NFT is safely recorded on the blockchain. This is why minting NFTs is not free: gas fees must be paid to fund this computation (though some marketplaces have 'lazy' minting, where you don't pay until your NFT sells.)
Minting an NFT will fundamentally involve a smart contract interaction.
How can I identify scam NFT mints?
Given the creativity and desperation of scammers to find new ways to exploit people, it isn't possible for us to exhaustively document every single way that this scam could reach you. Additionally, as we mentioned above, in some cases a fraudulent NFT mint may be indistinguishable from a genuine one. However, if you learn to recognize what an NFT mint should look like in MetaMask, you're far less likely to get scammed.
That being said, a lot of instances of this scam can be avoided by:
- Being wary of any direct messages you receive, and, specifically, the links they contain. If the mint is attempting to mimic an existing legitimate project, inspect the URL and compare it with the real site.
- Not falling for FOMO. Scammers will try to create a sense of urgency, pressurizing you into acting without scrutinizing what you're interacting with. In these situations, where you're worried about missing out on an opportunity to potentially secure a valuable asset at a bargain price, take a step back. If the NFT mint exhibits one or more of these signs, it could be a scam:
  - A progress bar or a counter, indicating that there are fewer and fewer NFTs available to be minted as time goes on
  - A countdown timer
  - Popup messages on the site showing others — in real-time — that have just minted, and how many NFTs they minted
- Due diligence. As we stated with imitation NFT projects above — where comparing URLs and other features against the legit version can help you identify scams — you can usually get a clearer picture through additional research. If the project is not imitating an existing one, you could:
  - Check socials and websites for traces of an identifiable team behind it, a whitepaper, roadmap, a community, etc.
  - Take the public address of the party you're interacting with and check it out on a block explorer. Does it match the activity you'd expect of an NFT minting contract?

- NFT mints are often used as an attack vector as scammers elicit FOMO to try and make you act with less caution.
- Always do your due diligence on any NFT project that is hosting a mint.
- Often, scams will rely on you not properly scrutinizing the transaction that they prompt.
If you have any questions about this subject, feel free to head to the MetaMask Community or get in touch with Support via the 'Start a Conversation' button on the homepage of this site.