What is an airdrop?
Airdrops have become a mainstay of web3 since the explosion of ICOs (initial coin offerings) that began in 2017. Airdrops involve receiving tokens in your wallet from a third party, usually in exchange for some other service or payment rendered. For example, a frequent user of a dapp or chain may receive a generous airdrop if that dapp decides to launch a token.
Airdrops can also be used as a promotional tool: a new platform may look to generate interest in their project by depositing tokens in your wallet. Though their value is never guaranteed and often negligible or fragile, it is easy to understand why this tactic is popular. People are excited by free stuff. Free money? Even better. It's a reliable way of generating interest and engagement with a new project.
Airdrop phishing scams
Unfortunately, the lure of free stuff can sometimes cloud judgement.
Let's be clear: no one can get access to your funds or any sensitive information simply by depositing tokens into your wallet.
Where they can do damage is hoping that the wallet holder tries to sell or swap the token after seeing it listed in their balance (usually on a block explorer. MetaMask does not automatically display all tokens, but only established ones, and only if you have token detection turned on).
Usually, scams involving airdrops rely on these two core mechanisms:
- As the recipient of a mysterious airdrop, you may see on the block explorer or token listing site that the token has some value. The immediate temptation is to try and realise this value by swapping it to a more mainstream token with more stable value, or just by selling it.
- When you view the token on the block explorer or add it to an exchange of some kind, you'll see an error message directing you to fraudulent dapp or website via the block explorer. Sometimes this appears on the transaction's page on the block explorer as an explanation for why the transaction failed.
The fraudulent site is where the phishing takes place. To swap or redeem or sell, the scammers claim, you'll need to approve a transaction, approve access to a token, or even hand over your Secret Recovery Phrase (something you should never, ever give to anyone).
How to tell the difference: a checklist
Auto-detecting tokens in MetaMask
As explained eloquently in this article by MetaMask co-founder Dan Finlay (which is worth reading in general), MetaMask's token detection only displays tokens on approved, curated lists. This means that new and obscure scam tokens airdropped to your address are unlikely to be detected.
Here's some things to look out for when deciding whether or not to trust a token:
- Does the token appear in MetaMask when you have token detection turned on? If it doesn't, it means the token is absent from the trusted tokens lists that the token detection feature uses. It may therefore be untrustworthy.
- Is the token flagged on the block explorer? Locate the token on Etherscan or the appropriate block explorer for the network (e.g. BSCScan, Snowtrace, PolygonScan, etc.) and look at its details. Known scam tokens will already be flagged on these pages. To find the token, simply input its name into the block explorer search bar.
- Does the project seem trustworthy? Trustworthiness is subjective and hard to pin down. However, you could try researching things such as the following and check whether it all adds up:
- Does the token have a website?
- Does it have an active community of real people?
- Are the creators named (doxxed) anywhere? Are they real? Do they have social media accounts consistent with this information, and do real people follow them?
- Is there a white paper that explains the project in detail?