Everyone likes getting free stuff. So when scammers airdrop NFTs into your wallet that promise methods to get further free assets... well, you can probably see where we're going with this.
How does the scam work?
In a nutshell:
- A scammer airdrops (read: sends) one or more NFTs to your account.
- The NFT's image, or its metadata (information packaged with it, including a description if the site supports one), contains instructions directing you to a malicious site.
- Tempted by the promise of free assets, high returns on investment, or privileged access to allowlists, for example, you visit the site.
- Interacting with the site will most likely involve one of the two main web3 attack vectors:
  - Phishing for your Secret Recovery Phrase or private key
  - Prompting you to sign a malicious transaction that could drain your entire wallet, or just specific assets.
The exact means for sharing the fraudulent site's URL can vary. Some NFTs may include it directly in the description that comes loaded into its metadata; others may include it in the image itself.
Identifying scam airdrops in MetaMask Portfolio
MetaMask Portfolio's dashboard feature automatically detects and displays NFTs in your account. It also checks NFTs' metadata to flag potential scams and prevent them from showing in your dashboard by default (you can manage which assets are shown).
Unfortunately, scammers have recognized this and are airdropping tokens to Portfolio users. If you use our Portfolio dashboard, please make sure you do not follow the unsolicited instructions of any NFTs airdropped into your account.
Here's how they might look:
If Portfolio detects an actual URL in the NFT's description or title, it will be redacted.
We've tightened up the rules to minimize the possibility that fraudulent NFTs will appear in your 'Owned' (safe) list, and we'll be continually tweaking and improving this system going forward.
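As an added illustration of the metadata check described above, here is a small Python sketch of how a wallet dashboard can scan an airdropped NFT's title and description for links and lure phrases, redact any link it finds, and keep flagged unsolicited drops out of the 'Owned' list. This is example code written for this article, not MetaMask Portfolio's own implementation; the sample NFT records, the lure phrase list, the domain patterns and the hide/show rule are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Matches explicit URLs (scheme or www.) and bare hostnames on a few common TLDs.
# The lazy quantifier plus lookahead keeps trailing sentence punctuation out of the match.
# Constructed pattern for the example; a real scanner would use a full public-suffix list.
URL_RE = re.compile(
    r"(?:https?://|www\.)[^\s<>\"']+?(?=[.,!?;:)\]]*(?:\s|$))"
    r"|\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:com|net|org|io|xyz|app|finance|link)\b(?:/[^\s<>\"']*)?",
    re.IGNORECASE,
)

# Lure phrasing of the kind the article lists: vouchers, "claim" offers, limited-time
# tickets, free services, burn/swap-for-real-tokens promises. Constructed heuristic list.
LURE_PATTERNS = {
    "voucher": re.compile(r"\bvouchers?\b", re.I),
    "claim": re.compile(r"\bclaim\b", re.I),
    "limited time": re.compile(r"\blimited[- ]time\b", re.I),
    "free": re.compile(r"\bfree\b", re.I),
    "burn": re.compile(r"\bburn\b", re.I),
    "swap": re.compile(r"\bswap\b", re.I),
}

REDACTED = "[link removed]"


@dataclass(frozen=True)
class Nft:
    token_id: str
    name: str
    description: str
    expected: bool  # True if the user minted, bought or otherwise asked for this NFT


@dataclass(frozen=True)
class Verdict:
    token_id: str
    show_in_owned: bool
    reasons: tuple
    name: str         # display name, with any URL redacted
    description: str  # display description, with any URL redacted


def find_urls(text: str) -> list:
    return URL_RE.findall(text)


def redact_urls(text: str) -> str:
    return URL_RE.sub(REDACTED, text)


def find_lures(text: str) -> list:
    return [label for label, pat in LURE_PATTERNS.items() if pat.search(text)]


def assess(nft: Nft) -> Verdict:
    text = f"{nft.name}\n{nft.description}"
    urls = find_urls(text)
    # Score lure phrases on the redacted text so the link's own wording is not double counted.
    lures = find_lures(redact_urls(text))
    reasons = []
    if urls:
        reasons.append("url:" + ",".join(urls))
    if lures:
        reasons.append("lure:" + ",".join(lures))
    # Hide unsolicited airdrops that carry a link or stack several lure phrases;
    # a single incidental keyword is only flagged, not hidden (constructed rule).
    hide = (not nft.expected) and (bool(urls) or len(lures) >= 2)
    return Verdict(nft.token_id, not hide, tuple(reasons),
                   redact_urls(nft.name), redact_urls(nft.description))


def split_dashboard(nfts) -> tuple:
    """Return (owned, hidden) verdict lists, as a dashboard would render them."""
    owned, hidden = [], []
    for nft in nfts:
        verdict = assess(nft)
        (owned if verdict.show_in_owned else hidden).append(verdict)
    return owned, hidden


# Constructed sample metadata: two scam-style drops, a purchased NFT, a benign drop,
# and a drop with a single incidental keyword.
SAMPLE_NFTS = [
    Nft("1", "Claim Voucher",
        "Claim 5 ETH at https://claim-free-eth.example/redeem before it expires.", False),
    Nft("2", "FreeMint Ticket: visit freemint-pass.xyz",
        "Limited time! Burn this NFT to swap for real tokens.", False),
    Nft("3", "Cool Cat #12", "Part of the Cool Cats collection.", True),
    Nft("4", "Meetup Attendee Badge", "Thanks for joining us at the spring meetup!", False),
    Nft("5", "Free Drink Ticket", "Redeem for one drink at the venue bar.", False),
]

if __name__ == "__main__":
    owned, hidden = split_dashboard(SAMPLE_NFTS)
    for label, verdicts in (("Owned", owned), ("Hidden", hidden)):
        print(label)
        for v in verdicts:
            print(f"  #{v.token_id} {v.name!r} {v.description!r} reasons={v.reasons}")
```

The redaction runs on every record, while the hide decision only applies to NFTs the user did not expect; that separation mirrors the page's two-step behaviour (strip links wherever they appear, hide suspicious unsolicited drops by default) and leaves a purchased NFT visible even if its description happens to contain a link.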
How can I identify a fraudulent NFT airdrop?
Broadly, identifying scam NFT airdrops follows many of the same principles as identifying malicious token airdrops:
- Ask yourself: did I expect this NFT to be in my account? If the answer is no, you shouldn't interact with it or follow its instructions.
- Is it promising something too good to be true? If yes, avoid at all costs. As the saying goes, there is no such thing as a free lunch. Scammers may offer fraudulent temptations such as:
  - A limited-time ticket to get free services, such as free transactions, staking, exchanges, etc. on a given site.
  - The ability to swap/burn the NFT and receive tokens with real value in exchange.
  - A voucher that allows you to 'claim' tokens you're supposedly entitled to.
- Is it asking you to visit a site you're not familiar with? If so, chances are it's malicious and you shouldn't do what they say.
Unfortunately, the sophistication of web3 scams scales with the maturity of the ecosystem in general. You cannot rely on spotting poorly designed NFTs: many of the examples we have seen are visually convincing. Instead, don't let yourself be led by unsolicited opportunities.
- Don't interact with NFTs airdropped into your wallet. They're probably trying to attract you to a scam.
- The NFTs will try to send you to a website by sharing its URL. Once there, the scammers will try to phish your Secret Recovery Phrase or ask you to sign a fraudulent transaction.
- The tried-and-tested principle of "if it's too good to be true, it probably is" applies.