How to Avoid NFT and Crypto Scams on Discord

By Dušanka Seratlić, contributions bobp & Karina Rafaella

As we get closer to mint day, we want to go over Discord safety with you. For many of us, Discord is a new platform, which makes it particularly important to get up to speed on the best safety practices. 

We suggest reading this list thoroughly and making sure to secure your account, both in Surge Discord and other servers. If you need some general advice on how to set up your Discord, read our guide on using Discord.

How to Boost Your Discord Security in Under 5 Minutes

Almost every NFT project has a Discord server where the community hangs out. Because of that, scammers have developed a lot of different ways to scam you on Discord. 

Now, before we get into the safety steps you can take, remember this: scammers succeed when they are able to provoke FOMO (fear of missing out) and get you to take action that you might otherwise not take if you were calm and rational. This type of hacking/scamming is called social engineering, but more on that later. 

Right now, you should… 

Turn off your Discord DMs

Discord DMs (direct messages) are the most common way people (and bots!) will try to scam you. From obvious DMs that try to get you to click malicious links to more elaborate social engineering attempts, Discord DMs are rife with potential dangers.

Discord offers two options for turning off your DMs:

1) Global setting: You can turn off Discord DMs for all future servers you join. However, this rule doesn’t apply to servers you’re already in, so you’d have to go back and turn off DMs individually for those. 

2) Individual servers: You might want to keep your DMs open in some servers and close them in others. Generally, we’d recommend turning off your DMs for all crypto servers you’re in. You can do so from server settings, but remember: when you turn off DMs like this, they’re off only in that particular server. You will have to go and turn off DMs for every server individually.  

Remember that Discord keeps DMs open by default, so double-check that your DMs are off where you want them to be. 

“But, how do I talk to people if my DMs are closed?”

You can always chat with other community members in the server’s channels. You can continue your conversation in the DMs if you add someone as a friend. This step is advised only if you can reliably confirm the person you’re chatting with is honest and well-intentioned, but even then, stay alert. Yes, we know, it all sounds paranoid, but keep in mind: Discord is the most common attack vector in crypto.

A good rule of thumb to remember in this space: if it sounds too good to be true, it probably is. 

Here’s how to turn off your DMs:

Globally:

User Settings > Privacy & Safety > Server Privacy Defaults > Toggle off “Allow direct messages from server members”

For individual servers:

Settings > Privacy Settings > Toggle off “Allow direct messages”

Turn on 2-Factor Authentication (2FA)

2FA adds a layer of security by requiring two verifications before you can log in. So, for example, once you enter your password, you would also have to enter a code you receive on your mobile phone. 

While a scammer could get your password, 2FA makes it more difficult to break in because the hacker likely doesn’t have your phone and can’t enter the 2FA code.

On Discord, we’d advise you to verify your email address and turn on 2FA as soon as possible. Two-factor authentication is also available on numerous other websites and is generally considered good cybersecurity practice. Turn it on wherever you can. 

Here’s how to do it:

Settings > My Account > Enable 2FA 

NOTE: To enable 2FA, you will need to add your email and phone number to Discord. Discord lets you create an account without that information, but it’s not safe - plus, a lot of servers require you to have a verified email address to join.

ANOTHER NOTE: Add SMS backup authentication in case you lose your 2FA codes or the authentication app. 

Now… What Is Social Engineering?

Keep in mind that sometimes even friendly messages take the scammy route given enough time. Only a small number of hacks and scams come down to technical aspects - most of it is social engineering.

Social engineering is a way for hackers and scammers to trick you into willingly giving them the info they need to break into your accounts. 

These tactics are insidious and rely on our curiosity, FOMO, and lack of attention. They don’t need to guess or figure out your seed phrase (and they probably can’t), but they can design a website that looks so real you give it out yourself. 

Social engineering is designed to get you emotional enough to forget best practices - human nature is infinitely hackable. 

How to avoid falling victim to social engineering?

First and foremost, social engineering attacks will try to get you to act in urgency. Some examples that are designed to trigger immediate action:

🚩 “Popular project is selling out - this is the last chance to get in - click here now!”

🚩 “Your account has been compromised! Click here to restore your password.”

🚩 “Just one spot left on this allowlist! Connect your wallet now!”

These are just some examples - the point is to provoke fear and urgency so you act in a hurry and disregard the best safety practices. Here’s how you can fight these attempts:

🌱 Count to ten. No, really, we mean it. Step away from your computer, have a glass of water, take a deep breath, and then read the message again. You’re more likely to notice something fishy with a clearer head.

🌱 Stay on top of things. Sometimes, these attacks will offer some new and exclusive information only available to a special few, including you. Scammers will impersonate popular projects like BAYC or Azuki and pretend to drop new merch or do new airdrops. If you’re in the loop, you’ll spot a scam like this a mile away.

🌱 Double-check everything. Before you click any links on Discord or Twitter, make sure the links are legit. For example, if someone is sharing a mint link - don’t click on it. Go to the official website of the collection (or their Twitter or Discord channel with official links) and find the link there.

🌱 Have a solid strategy. Your chances to get scammed decrease when you approach every project you invest in with a strategy in mind. Take the time to think about your portfolio and funds allocation so you can avoid aping into unknown or dubious projects. 

🌱 Find a community. NFT communities are usually very vigilant about current scams and super helpful. Being in a community that puts safety first is a great way to stay in the loop and use the collective brain to avoid the most common scams.

Common Discord Scams and How to Recognize and Avoid Them

Although the scammers find ever new and innovative ways to make us part with our funds, there are some scams that are common. Here we list some of the scams our community flagged in the last couple of months so you can learn to recognize and avoid them. 

Malicious Discord DMs

When a popular project is about to mint, you might see a barrage of DMs or endless spam tags on Twitter that promise to get you on the allowlist. You are among the few lucky winners and they just had to DM you about it.

1. Red flags:

🚩 Language: lucky, don’t miss the opportunity, typos (your’re)

🚩 Impersonation: Invisible Friends (Admin) - not likely. The word “admin” is there to confer authority and convince you this is real, but no team member of an NFT project will EVER DM you to share the mint link. 

2. 🚩 If they “guarantee huge profits if u manage to mint”, rest assured it’s a scam. 

3. 🚩 “How more u holding how more u get rewarded!” Who could resist this airdrop? 

TLDR:

🚩 Team members will never DM you on Discord.

🚩 If there are typos in a message, it’s probably a scam.

🚩 If they’re using “sales speak” to create urgency, it’s probably a scam.

🚩 A popular project would never send messages like this.

NOTE: Sometimes, you will add someone as a friend and they might share an invite to one of their communities. Use your best judgment, but in any case, never connect your wallet to anything or sign any transactions unless you’ve confirmed the website is legit.

PRO TIP: You won’t get these DMs if you turn off your Discord DMs. 

Discord server hacks

These hacks occur when a scammer/hacker gains control of administrative rights in a Discord server. With these rights, they are able to shut out team members and send out announcements that look legitimate. They might direct to a fake minting site or ask for other personal information.

As a Discord server member, you receive notifications from the read-only announcements channel that you trust to be legitimate and secure. But it is easy to be fooled in this instance because the hacker/scammer expects FOMO to take over and have you react to a fake mint announcement. 

Your best line of defense here is to take a pause and seek confirmation. As soon as the team realizes the situation, they will be sending tweets and getting the word outside of Discord.

Impersonating Discord members

There were recent reports of Discord members being approached by another member who is impersonating a moderator from another server. There are also people who will copy the profile of a team member and impersonate them on their server or elsewhere. These impersonators might ask for collaborations or will DM you with phishing links. 

If you’re not sure who’s who, you can always ask the person to message you from their Twitter profile and compare it to see if it’s the real Twitter of the person you suspect they're impersonating.

You can also do some light stalking in Discord to confirm identities. Here’s how:

1. In the channel you can click on the person’s name and see their credentials in the server. 

2. See that “NOTE” field above? You can add a note for any server member. For example: “real”, “fake”, “not sure” to keep track of people and verify they are who they say they are.

3. You can also copy the Discord ID (username) and search the user’s history in any particular server. Legit community members will often have lots of messages in the server and when you read through them, you can recognize the person is a human engaged in organic discussion rather than a spamming bot or a scammer. 

The Discord Safety TLDR

☑️ Close your DMs.

☑️ Turn on 2FA.

☑️ Don’t click suspicious links.

☑️ Verify everything and everyone.

☑️ If it’s too good to be true, it is.

☑️ Don’t connect your wallet anywhere unless you double-check the link through the project’s Twitter, Discord, and official channels

☑️ Don’t give in to FOMO.

☑️ Stay in the loop and find a community that will help each other.

Other Scams in the Space and General Security Tips

NFT and crypto scams usually have one goal: they want access to your wallet.

They can get it if:

• They trick you into willingly providing access by entering your seed phrase on a suspicious website.

• You interact with a malicious smart contract that comes in the form of random airdropped tokens or NFTs.

• They get access to your other passwords that might help them hack your cloud to look for the seed phrase (DON’T keep your seed phrase anywhere online or on your computer).

• They get you to download a virus that logs your keystrokes and learn the seed phrase that way. 

• They exploit a bug found in NFT websites and platforms.

• … 

The list goes on and on, but one point is clear:

***NEVER EVER GIVE OUT YOUR SEED PHRASE. REMEMBER THAT YOU WILL NEVER NEED TO GIVE YOUR SEED PHRASE UNLESS YOU’RE RECOVERING YOUR WALLET.*** 

Other general security tips:

☑️ Use 1Password to secure all passwords.

☑️ Use random password generators and use 24-character passwords.

☑️ Update your wallet passwords regularly.

☑️ Don’t interact with random NFTs and tokens in your wallet.

☑️ Double-check all links, whether they come on Twitter, Discord DMs, or even your email.

☑️ If a renowned company emails you anything that might compromise your funds, seek confirmation through multiple channels.

☑️ Practice general cybersecurity and keep your system updated and protected against viruses.

☑️ Don't share your screen with anyone with your wallet open.

☑️ Verify a collection is real on OpenSea (go to the collection's website and social media sites to ensure the link is correct).

☑️ Protect your wallet with a hardware wallet like Ledger.

☑️ Make sure the amount you're paying is in the right currency (don’t mix up ETH and WETH and pay attention to decimals! 

These lists are not exhaustive - our best general advice is to follow trusted people on Twitter, stay in a good community for the latest updates, and double-check everything.

The Surge Discord Safety

We will NEVER DM you or urge you to take any action. Before the mint, you could see us connecting with people in channels and adding friends, DMing about specific topics. 

Now that we’re closer to mint, we have stopped all communication with our community in DMs. This is for everyone’s safety.

To get in touch with the Surge team, tag us in the channels or open a support ticket for a direct and verified line of communication.  

Keep in mind: 

💥 We will never send you a DM with links

💥 We will never ask you to connect your wallet anywhere

💥 We will never ask for your seed phrase

💥 We will never ask to enable team viewer or screen share

If we do, something is wrong --- sound the bells in the community and let us know on Twitter!

And Finally… 

Remember that in Web3 your only line of defense is yourself. Should you be scammed or hacked so that your crypto tokens including NFTs are stolen, there is no one authority or organization who can help or reimburse you. This is by design - decentralization is a core tenet in crypto.

Don’t look at this as a disadvantage - everything you do in crypto will ultimately empower you and make you more knowledgable, adept, and skilled over time. You are the only one in charge here, and that’s a good thing!

Keep in mind that this article, as well as any and all Surge articles, are purely educational and not to be taken as financial advice.