The internet can be a scary place, and with web3's increasing decentralization, you are your only line of defense: there is no bank to call, and recourse against scammers is often near-impossible. With legal consequences so remote, scammers have grown more sophisticated and more patient (which is perhaps more terrifying). They are willing to put in the time to gain someone's trust, or to lie in wait for the first sign of a lapse.
Because recovering stolen cryptocurrency and assets is such a rare blessing, it’s important to never find yourself in such a position.
In today's article, we lay out the best practices and red flags you must be aware of when interacting on Discord, which is one of the most common attack vectors in crypto.
Don’t let scammers slide into your DMs
The quickest and easiest way to get a scam started is through phishing in DMs. Always vet requests from strangers — this applies to Discord, Telegram, Signal, Twitter, and Instagram as well.
For this reason, we recommend turning off Discord DMs from anyone but your Friends. The global setting applies to servers you join from now on; for servers you are already in, you need to turn DMs off server by server.
For the global setting, go to:
User Settings > Privacy & Safety > Server Privacy Defaults > Toggle off "Allow direct messages from server members"
If there are individual servers where you do want members to be able to DM you, you can switch it back on for that server only. To switch DMs on or off for a single server, open that server's menu (click the server name) and go to:
Privacy Settings > Toggle on/off "Allow direct messages"
With DMs turned off, you can still chat with anyone you have friended. This step matters because a friend request carries no message: a scammer cannot start their pitch until you have chosen to accept them, so any social engineering they plan has to get past your due diligence first. Only accept friend requests from people you already know from somewhere else.
Don’t click on unfamiliar links or download unknown files
Internet 101, I know, but always worth reiterating. Avoid clicking unfamiliar links or downloading files which may carry malicious scripts that will compromise your account or device.
It’s probably not an overstatement to assume that every high-ticket crypto project has had its Discord infiltrated by malicious actors.
When you arrive at any site that prompts you to connect your wallet, your guard should go up. Prepare yourself for an investigative turnaround, as though you were Columbo stopped in his tracks with just one more question. This is where you bust the baddies.
If anything is hyperlinked, remember that the text you see and the address it points to can be completely different. Copy the link address itself (right-click, "Copy Link"), paste it into a plain text document, and read the domain, the part just before the first slash after "https://". Keep an eye out for misspellings, alternate spellings, or switched letters (like the ol' capital I replacing a lowercase l, which is especially tricky with sans serif fonts, or "rn" standing in for "m"), for letters from another alphabet that look like Latin ones, and for a real project name buried in front of some other domain, such as "makersplace.com.something-else.xyz", which is not makersplace.com at all.
Be doubly suspicious of any request that requires you to install or run any program.
Turn on 2FA
Again, leaning on web2 security best practices: two-factor authentication exists for a reason. Websites are compromised all the time. Passwords are stolen. With two-factor authentication turned on, however much of an "inconvenience" it may be, a stolen password alone is no longer enough for someone to take over your account.
On Discord, verify your email address and turn on 2FA right now if you haven’t already.
User Settings > My Account > Enable Two-Factor Auth
When you enable 2FA, Discord gives you a set of backup codes. Save them somewhere safe and offline (a password manager or a piece of paper), because they are what gets you back in if you lose your phone or authenticator app. SMS backup is also available, but treat it as a last resort: a phone number can be hijacked through SIM swapping, so an attacker who takes over your number could use it to get around the authenticator app.
Use multiple accounts & devices
If you're a member of different web3 communities, it might be a good idea to open multiple Discord accounts and dedicate them to specific servers, so that one compromised account does not expose everything you do. The same logic applies to devices: if you can, keep the device that holds your wallet separate from the one you use for Discord, browsing, and clicking links.
The weakest link in all of security is the human element.
Social engineering turns your emotions against you to make you forget your best practices. Social engineering attacks rely on urgency, FOMO, curiosity, and lapses in attention. While guessing a seed phrase is practically impossible, it is entirely possible to build a website or social account that looks so real that you will happily hand it over.
For a full rundown of security best practices across web3, read our article “Staying Safe with NFTs and Web3.” While you should definitely read it, remember this in the meantime: Never ever ever ever give anyone your private seed phrase.
Types of Scams & Red Flags to Keep an Eye Out For
Scammers’ high hunting season is when projects are about to mint. Here are some red flags to keep an eye out for.
No team member of an NFT project will ever DM you to share a mint link. To be thorough, check the screen name in the DM against the actual team member's account on the server: the display name may match, but the username, join date, or mutual servers will almost always differ. If the mint link really did come from the genuine account, that account has been compromised; don't click, and let the rest of the server know. If you're still unsure, tell the person that you'd prefer to continue the chat on Twitter and see whether the project's official account follows up.
Keep an eye out for typos and weird word usage.
If messages appear engineered to evoke an emotion (urgency, FOMO, fear), treat them as a scam. A legitimate project has no reason to hard-sell you a mint over DM.
Don't click links from DMs unless you are 100% positive you know who they are from, and even then, read the link address closely for any misspellings or lookalike characters. We would suggest messaging the person in a mutual server to verify that they are the same account.
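Reading a link's domain before clicking, as advised here and in the "Don't click on unfamiliar links" section above, can be turned into a quick mechanical check. What follows is an added example and not code from the MakersPlace article: a small Python script that pulls the host out of a link, compares it with a hypothetical allowlist of trusted domains (`KNOWN_GOOD` is an assumption for this example) and reports the tricks described in this article: a capital I standing in for a lowercase l, other lookalike sequences such as "rn" for "m", non-ASCII characters that render like Latin letters, one- or two-character typo-squats, and a real project domain used as a decoy subdomain of a scam domain. The sample links at the bottom are constructed for illustration.

```python
# Added example (not from the MakersPlace article): flag lookalike links
# before clicking them. KNOWN_GOOD is a hypothetical allowlist for this
# example; replace it with the domains you actually trust.
import re
import unicodedata
from typing import List
from urllib.parse import urlparse

KNOWN_GOOD = {"makersplace.com", "discord.com", "discord.gg", "twitter.com"}

# Lookalike sequences mapped to what they imitate. "I" -> "l" is applied
# before lowercasing, because that trick only works on the displayed text.
CONFUSABLES = [("I", "l"), ("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("5", "s")]


def host_of(link: str) -> str:
    """Host of a link exactly as written (case preserved), without
    user:pass@ or :port. A link with no scheme is treated as https."""
    if "://" not in link:
        link = "https://" + link
    netloc = urlparse(link).netloc.rsplit("@", 1)[-1]
    return re.sub(r":\d+$", "", netloc)


def registrable(host: str) -> str:
    """Last two labels, i.e. the domain you actually land on. Simplification:
    multi-part public suffixes such as co.uk would need a public-suffix list."""
    return ".".join(host.split(".")[-2:])


def skeleton(host: str) -> str:
    """Collapse a host onto the ASCII string a reader *sees*."""
    s = unicodedata.normalize("NFKD", host)
    s = "".join(c for c in s if not unicodedata.combining(c))
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s.lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(link: str) -> List[str]:
    """Return the red flags for a link. An empty list means the registrable
    domain is exactly one you trust (subdomains of it included)."""
    host = host_of(link)
    low = host.lower()
    reg = registrable(low)
    if reg in KNOWN_GOOD:
        return []
    flags = []
    if any(ord(c) > 127 for c in host) or "xn--" in low:
        flags.append("non-ASCII/IDN characters in host")
    reg_seen = registrable(skeleton(host))   # what the domain looks like
    for good in sorted(KNOWN_GOOD):
        if reg_seen == good:
            flags.append(f"lookalike of {good}: {reg}")
        elif levenshtein(reg_seen, good) <= 2:
            flags.append(f"typo-squat of {good}: {reg}")
        elif (good + ".") in low:
            flags.append(f"{good} used as a decoy subdomain of {reg}")
    return flags or [f"unknown domain: {reg}"]


if __name__ == "__main__":
    # Constructed sample links: the second uses a capital I for the l in
    # "makersplace", the last a Cyrillic a (U+0430) in place of the Latin a.
    for link in ["https://makersplace.com/mint", "https://makerspIace.com/claim",
                 "http://makersplace.com.free-mint.xyz/connect",
                 "https://makersplaces.com", "https://m\u0430kersplace.com"]:
        print(link, "->", check_link(link) or ["OK"])
```

The check is deliberately strict: anything that is not on the allowlist is reported, and the "unknown domain" case is a prompt to go and verify the link through the project's official channels rather than a verdict that it is safe.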
It's not uncommon for attackers to gain admin rights in a Discord server. An admin can lock out team members and post announcements that look legitimate, such as surprise "flash" mints or requests for personal information.
Scammers know you are likely to have your guard down when reading messages from read-only announcement channels because you innately trust them. Whenever something seems too good to be true, it probably is.
Take a pause and seek outside confirmation on Twitter and other official channels. Unless it’s an inside job, it’s unlikely that a scammer will gain access to all of a project’s channels at the same time.
Impersonating Server Members
Distinct from server hacks are impersonators who go to some length (more or less, depending) to create a profile that looks identical to that of a server admin or project lead. These impersonators typically operate in servers that aren't frequented by the people they're imitating, and they work mainly through DMs, where they only have to get past one person's skepticism.
If you're not sure you're talking to the genuine article, click on the profile to see the username, when the account joined, and which servers you have in common.
Do the mutual servers make sense for who they claim to be? Search their username on the server to find the real account and compare the two.
What's their message history in your mutual servers? Any server admin or project lead will have a long history of messages in their own project's server; a freshly made lookalike will have almost none.
Then, of course, study their words. Do they sound human? Do they make bonkers grammatical and spelling errors? Is their message history rife with urgency and FOMO? These are clues.
If you're still unsure, you can always ask the person to message you from their Twitter profile. Then find the real person's Twitter account yourself, starting from the project's official website or server links rather than from anything they sent you, and compare the two.
The Discord Safety Checklist
- Turn off your DMs
- Turn on two-factor authentication
- Be suspicious of every link: copy the address and read the domain before you click
- If it’s too good to be true, it is.
- FOMO and urgency are your own worst enemies
- Verify identities every time
- Double-check with a project’s Twitter, Discord, and official channels before connecting your wallet
For more information and tips on staying safe when interacting with web3 technology, please read “Staying Safe with NFTs and Web3.”
MakersPlace Discord Safety
Here’s a list of things we will NEVER do:
- We will never send you a DM with links
- We will never ask you to connect your wallet anywhere
- We will never ask for your crypto wallet seed phrase.
- We will never ask to see your crypto wallet QR code.
- We will never ask you to scan a QR code for collection verification or technical support.
- We will never ask you to sign any message with your wallet or send you to a link that asks you to sign a message with your wallet.
- We will never invite you to a different Discord server.
- We will never ask you to transfer cryptocurrencies or NFTs on our behalf.
- We will never ask you to enable TeamViewer or screen share.
If you’d like to make suggestions or discuss this article, please contact email@example.com