Decentralized finance (defi) and Web3 have made airdrops a common feature in cryptocurrency. However, while airdrops sound like free money, there’s been a growing trend of airdrop phishing scams that steal people’s money when they attempt to get the so-called ‘free’ crypto assets. Below are the two main ways hackers use airdrop Phishing scams in order to steal your funds.
Airdrops Don’t Always Mean ‘Free Crypto’ — Many Airdrop Giveaway Promotions Are Looking to Rob You
Free crypto funds have long been associated with airdrops. A rising scam, called “airdrop phishing”, has made it a common term for this type of fraud. If you are a participant in the crypto community and use social media platforms like Twitter or Facebook, you’ve probably seen a number of spam posts advertising airdrops of all kinds.
A lot of people follow popular Twitter accounts that are tweeting crypto. They then get followed by scammers who advertise airdrop phishing schemes and claim they’ve received no money. Most people won’t fall for these airdrop scams but because airdrops are considered free crypto, there’s been a bunch of people who have lost funds by falling victim to these types of attacks.
A number of social media bots and people shill the link to lead you to the scam web page. While the suspicious website might look legitimate and may have elements that are similar to those found in popular Web3 projects like SHIB, DOGE, etc., it is a scammer’s attempt to steal money. It could be a new crypto token or a well-known digital asset such as BTC, ETH and SHIB.
The first attack usually shows that the airdrop is receivable but the person must use a compatible Web3 wallet to retrieve the so-called ‘free’ funds. The website will lead to a page that shows all the popular Web3 wallets like Metamask and others, but this time, when clicking on the wallet’s link an error will pop up and the site will ask the user for the seed phrase.
To get support, open MetaMask and navigate to “Support” or “Get Help” within the dropdown menu. You should never trust someone who sent you a message directly. NO CONDITION should your Secret Recovery Phrase be given to any person or entered into any website.
— MetaMask Support (@MetaMaskSupport) April 29, 2022
The Web3 wallet does not ask for the seed nor the 12-24 Mnemonic Phrase unless the user actively restores a wallet. However, some users might mistakenly believe that the error was legitimate. They may enter their seed on the page and lose any funds in the wallet.
This basically means that the user simply gave his private keys to the attackers when he fell for the Web3 wallet warning page that requested a mnemonic word. A person should never enter their seed or 12-24 mnemonic phrase if prompted by an unknown source, and unless there’s a need to restore a wallet, there’s really never a need to enter a seed phrase online.
It’s not the best idea to grant Shady Dapp permissions
It’s a little more difficult as the attacker uses code to rob Web3 wallet users. Similarly, the airdrop phishing scam will be advertised on social media but this time when the person visits the web portal, they can use their Web3 wallet to “connect” to the site.
The attacker made the code so the site does not have read access to the balances. Instead, the user gives the site permission to take the Web3 wallet funds. Simply connect a Web3 wallet and give it permissions to access a fraud site. You can avoid the attack by simply not connecting and then walking away. But, this is a common phishing scam.
Here’s the latest phishing scam
1️⃣ Airdrop a token
2️⃣ Build a website with same name so it’s easily found
3️⃣ When you find what appears to be staking for this token, the Approve txn gives unlimited spending of other tokens (ie SNX)Then, they take your token out of your wallet. pic.twitter.com/vICIeC5rGk
— DeFi Dad ⟠ defidad.eth (@DeFi_Dad) December 20, 2021
Another way to secure a wallet is by making sure the wallet’s Web3 permissions are connected to sites the user trusts. If there are any decentralized applications (dapps) that seem shady, users should remove permissions if they accidentally connected to the dapp by falling for the ‘free’ crypto scam. However, usually, it is too late, and once the dapp has permission to access the wallet’s funds, the crypto is stolen from the user via the malicious coding applied to the dapp.
It is best to avoid entering your seed phrase online, unless you’re restoring a wallet. This is in addition to the fact that it’s a smart idea not to give Web3 wallet permissions for shady Web3 websites or dapps you do not know how to use. Investors who aren’t aware of current trends in airdrop-phishing can suffer serious losses.
Know anyone who is a victim of this type phishing scam. What are your tips for identifying crypto-phishing scams? Please share your views with us in the comments.
Image creditShutterstock. Pixabay. Wiki Commons
DisclaimerThis article serves informational purposes. This article is not intended to be a solicitation or offer to sell or buy any product, service, or company. Bitcoin.com is not a provider of investment, tax, legal or accounting advice. This article does not contain any information, products, or advice that can be used to cause or alleged result in any kind of damage.