How to stay safe in the web3 space
April 24th, 2025

Originally posted on January 2, 2025 at labs.wonderfi.com/blog

We covered best practices for keeping your device secure in our previous blog. Now we want to make sure you know how to stay safe while exploring the Web3 space.

This blog isn’t intended to alarm you. The Web3 space is wonderful and full of new and exciting things to do, and the vast majority of those operating in this space are great people. We simply want to make sure that you're prepared to spot the bad actors if you do run into them.

Remember, blockchain transactions are permanent and irreversible. Exercise caution around urgent calls to action, requests from people you don’t know, or promises of financial returns that sound too good to be true.

General security practices

Let’s start with some easy day-to-day tasks that you can use to keep yourself safe and aware:

  • Proactively practice security measures for your wallet and device: The more security practices you do daily, the less chance there is of someone gaining access to your wallet, and on the rare chance they do, you have a better chance of catching it before damage is done.

  • DYOR (Do your own research): Don’t jump too quickly on new tokens, projects, investment deals or any other activity without doing some digging into who’s offering them. Look at previous promotions and offers from the same team or person. Don’t trust influencer posts at face value. Remember that if it sounds too good to be true it probably is.

  • Regularly check your wallet transaction history: Just like you would for a traditional bank, keep an eye on your transactions. If you see something suspicious take steps to lock down your wallet or transfer your funds out to a new wallet.

  • Do NOT share personal information: Scammers will try to get you to share personal information and then use it for things like opening accounts in your name, accessing existing accounts that require ID checks, and more. Don’t share any personal information without thoroughly confirming the request is legitimate.

  • Learn the common signs for scam tactics: It’s always good to know how previous scams worked and how to spot the signs for them. This makes it easier to spot shared tactics and similarities to avoid new scams as they emerge.

Web3 scams: ways to spot them

There are many different scams out there in the Web3 space - from traditional-style investment scams to ones that use blockchain-specific features, like smart contracts or airdrops, to get the drop on you.

Going through all the scams individually would take several blogs, so instead we’re going to give you some key things to watch out for. While this won’t be an exhaustive list, it should give you a good idea of what to keep an eye on and when to be cautious.

We’ll also give you the names of a few scams that employ the specific tactic. If you’re interested, you can look up more details on a specific scam. Remember, knowledge is power, and in this case, safety too!

But first - the cardinal rule of the Web3 space. Write it down, stick it on a post-it note, make it your phone background, tattoo it on your hand (okay, maybe not that far). Be wary of promises of large amounts of wealth very quickly and with little effort.

If it sounds too good to be true - it probably is.

Alright, here we go:

1 - Urgent, aggressive or pushy messaging

You’ve been contacted by someone that has a deal for you, an investment, a job opportunity; something you’re currently looking for. But it’s limited. You have to hurry. You’ve got to put in your money right now or you’ll lose out.

The goal of this tactic is to get you to act without thinking; getting you to send money or personal information before you realize something is wrong.

Look out for:

  • Demands for funds or action right now.

  • Not giving you enough time to investigate the deal, company or person in question.

  • Something that’s too good to be true; an apartment for a lower rate than is normal in an area, a job that pays above average for the position, investments that pay out an unheard-of percentage.

A good indicator of:

  • Investment scams

  • Job & rental scams

  • NFT minting Scams

Tips to avoid:

  • Don’t engage with any pushy messaging, no matter how tempting.

  • Always insist on doing your own research before committing to any exchange of funds.

2 - Relying on you to miss key information

You type in your normal website for logging into a personal account. You copy your wallet address to send yourself funds. You enter a contest hosted by a famous person on Twitter. In all these cases you’ve missed a slight misspelling, a single weird symbol or didn’t double check a full address. Now the scammers have your information.

The goal of this tactic is to get you to share personal information with a source you believe is legitimate by spoofing the site, person or address with only a slight change that’s easy to miss.

Look out for:

  • URLs that are misspelled slightly.

  • Names of social accounts that are misspelled slightly or use odd characters or combinations of symbols to make a character.

  • Random deposits to your wallet that you don’t remember.

  • Wallet addresses that look familiar but aren’t completely the same.

A good indicator of:

  • Address poisoning

  • Imposter scams

  • Social impersonation

  • Clipboard Hacks (requires Malware installed)

Tips to avoid:

  • Bookmark your favourite sites; don’t rely on Google or typing them correctly every time.

  • Always copy your wallet address directly from the Receive screen of the wallet you want to send to; don’t use a transaction history list or an explorer link.
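
The two lookalike checks described in this section can be automated. The following is an added example, not part of the original post: it compares a destination address against a saved address book and a hostname against a bookmark list. The address, the domain and the function names are constructed for illustration.

```python
# Constructed sample data: this address and domain are made up for the example.
KNOWN_ADDRESSES = {"my-savings": "0x1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d"}
BOOKMARKED_DOMAINS = {"examplewallet.com"}

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_address(candidate, shown=4):
    """Classify a destination address against the saved address book."""
    c = candidate.lower()
    for label, known in KNOWN_ADDRESSES.items():
        k = known.lower()
        if c == k:
            return ("match", label)
        # Wallet screens often show only the first and last few characters,
        # so a poisoned address copies exactly those and differs in between.
        if c[:2 + shown] == k[:2 + shown] and c[-shown:] == k[-shown:]:
            return ("lookalike", label)
    return ("unknown", None)

def check_domain(domain):
    """Classify a hostname against the bookmarked domains."""
    d = domain.lower().rstrip(".")
    if d in BOOKMARKED_DOMAINS:
        return "bookmarked"
    # Non-ASCII letters and punycode labels can render like familiar Latin ones.
    if not d.isascii() or any(part.startswith("xn--") for part in d.split(".")):
        return "lookalike"
    # One or two typos away from a bookmarked site is a slight misspelling.
    if any(edit_distance(d, b) <= 2 for b in BOOKMARKED_DOMAINS):
        return "lookalike"
    return "unknown"
```

A "lookalike" result means stop and compare the full value character by character before sending anything.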

3 - Phishing attempts (weird SMS, calls, emails)

You’ll get a call, email or SMS from someone who purports to be your bank, UPS or the government, and you need to act now. Click the link and log in, hurry before it’s too late.

The goal of this tactic is to get you to share or otherwise compromise your information either via the communication they’ve started, or linking to some sort of spoof site.

Look out for:

  • Calls or texts from an unknown number/wrong number.

  • Emails coming from a strange or slightly off email address.

  • Shortened links that obscure the actual URL.

  • Urgent prompts to click the link and log in.

  • Communication via unprofessional means (e.g., Telegram).

A good indicator of:

  • Social impersonation

  • Inheritance Scams

Tips to avoid:

  • Always remember Stranger Danger. Don’t engage with people you don’t know.

  • If you’re concerned and want to engage, don’t respond directly. Instead look for contact info on official sites and reach out via those methods.

  • Mouse over email links but DO NOT CLICK. Your email client should show you a preview of the link; look for misspellings, weird domain names or long strings.

  • Never click links provided in SMS texts.

4 - Random NFT airdrops appear in your wallet

You get a free NFT randomly airdropped into your account. When you look at the metadata of this new NFT you’ll find a URL and instructions to visit a site to get some sort of boon, like more NFTs, the ability to cash in or even get tokens.

The goal of this tactic is to get you to the site provided so they can employ a variety of actions to gain access to your wallet and assets.

Look out for:

  • Unknown NFTs in your account.

  • Metadata URLs promising more assets if you visit.

A good indicator of:

  • Malicious Smart Contracts

  • Seed Phrase Phishing

Tips to avoid:

  • If you didn’t buy or don’t recognize an NFT, don’t interact with it.

  • Don’t sign any Smart Contracts without knowing exactly what they do.

5 - Smart Contracts that ask for unnecessary access

You’re prompted to sign a smart contract to complete an action or transaction you’re attempting to do, like mint an NFT. However, the prompt also includes other options, like sending tokens, or granting access to your tokens, neither of which is needed for an NFT mint.

The goal of this tactic is to get you to grant the scammers more access to your wallet than you initially intended.

Look out for:

  • Smart Contracts that prompt access to actions that aren’t needed for the transaction you’re attempting to do.

  • Strange or low effort dApps.

A good indicator of:

  • Malicious dApps

  • Seed Phrase Phishing

  • NFT Listing Scams

Tips to avoid:

  • Keep an active wallet for your day-to-day activities with only some of your crypto holdings; if your wallet does get compromised, the majority of your assets are safe elsewhere.

  • Don’t sign any Smart Contracts without reviewing exactly what actions they can take.
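
Reviewing what a signing prompt can do comes down to reading the transaction's calldata. The following is an added example, not part of the original post and not Wonder Wallet code: it decodes the standard ERC-20 and ERC-721 approval and transfer calls and warns when one shows up in a transaction that was supposed to be something else. The function name and the sample inputs are constructed.

```python
# Function selectors (first 4 bytes of calldata) from the ERC-20 and ERC-721
# standards, with the number of 32-byte arguments each call takes.
SELECTORS = {
    "095ea7b3": ("approve(address,uint256)", 2),
    "a22cb465": ("setApprovalForAll(address,bool)", 2),
    "a9059cbb": ("transfer(address,uint256)", 2),
    "23b872dd": ("transferFrom(address,address,uint256)", 3),
}
MAX_UINT256 = 2**256 - 1

def review_calldata(calldata_hex, expected_action="NFT mint"):
    """Return the decoded function and any warnings for a pending transaction."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    entry = SELECTORS.get(data[:8])
    if entry is None:
        # Not one of the access-granting calls this example knows about.
        return {"function": None, "grantee": None, "warnings": []}
    name, argc = entry
    words = [data[8 + 64 * i: 72 + 64 * i] for i in range(argc)]
    if any(len(w) != 64 for w in words):
        return {"function": name, "grantee": None, "warnings": ["truncated arguments"]}
    warnings, grantee = [], None
    if name.startswith("approve("):
        # ERC-20: second word is an amount. ERC-721: it is a single token id.
        grantee = "0x" + words[0][24:]
        warnings.append(f"grants {grantee} access to your tokens; not needed for {expected_action}")
        if int(words[1], 16) == MAX_UINT256:
            warnings.append("allowance is unlimited")
    elif name.startswith("setApprovalForAll("):
        grantee = "0x" + words[0][24:]
        if int(words[1], 16):  # false (0) revokes an operator, which is safe
            warnings.append(f"lets {grantee} move every NFT you hold in this collection")
    else:
        warnings.append(f"moves tokens out of a wallet; not needed for {expected_action}")
    return {"function": name, "grantee": grantee, "warnings": warnings}
```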

6 - Having to send funds to get funds

All you need to do is send this amount of crypto to an unknown address and you’ll be a winner! Pay the taxes on those gains you’ve gotten and be able to withdraw them!

The goal of this tactic is simply to get you to send funds with promises of more. No matter the exact messaging, the results are the same; you send crypto, you get nothing, and the scammers vanish.

Look out for:

  • Promises of found or unclaimed crypto or winnings.

  • Promises of doubling your money if you invest in a new app or platform.

  • YouTube Live videos promoting a giveaway that you must ‘pay’ to claim your winnings; these generally use an AI generated version of a famous person.

  • Pay the ‘tax’ to withdraw or claim funds.

A good indicator of:

  • Social Impersonation

  • Pig Butchering Scams

  • Recovery Scams

  • Lottery Scams

  • Inheritance Scams

  • Fake CEX Scams

Tips to avoid:

  • Do a deep dive into the giveaway or investment or donation first; especially the specific accounts that are promoting them.

  • If someone suggests an investment app to you, research it before downloading or adding any funds.

  • Don’t engage with any messaging from unknown sources that claims to have recovered funds for you, no matter the situation.

Additional Points

There are a few additional signs that on their own aren’t obvious indicators of a scam, but paired with the signs above can be a further indication that something is off:

Crypto is the only payment method or way to participate in situations where traditional payment methods are usually also offered as an option.

Bad design on websites or in emails. Look for an excess of poorly used templates, low resolution graphics, misspellings and weird grammar.

Links to download anything. Links are an excellent vector for scammers to get malware onto your device to monitor you and your activities. Always confirm URLs, programs or tools are legitimate before downloading. Don’t click links from unknown sources; even if the program is known, get it from an official source that you locate yourself.

The TL;DR

Life is busy, so if you aren’t able to take it all in right now, that’s okay! Here's a quick list of the key points we covered.

Most important:

  • If it sounds too good to be true, it probably is.

Do these:

Watch out for these:

  • Urgent, aggressive or pushy messaging.

  • Relying on you to miss key information.

  • Phishing attempts (weird SMS, calls, emails).

  • Random NFT airdrops appear in your wallet.

  • Smart Contracts that ask for unnecessary access.

  • Having to send funds to get funds.

Consider these:

  • Crypto is the only payment method or way to participate.

  • Bad Design.

  • Links to download anything.

Wrap Up

Keeping yourself and your assets secure doesn't have to be a full-time job, or something to stress about. The info and tips in this blog can help you recognize when someone is trying to gain access to your hard-earned assets. Spotting these attempts early and taking a moment to question them are key to backing out before any damage is done.

Use your new knowledge to simply be aware as you explore the web3 space. We're excited for you to join us in this next evolution of technology, and can't wait to show you the Wonder Wallet that can take you on this journey!

Come follow us on X or hop into Discord for all the latest news and updates.
