Web3 Era: Scam Prevention Knowledge Every Discord User Should Know

As a public chat platform, Discord is one of the breeding grounds for scammers.

(This article is authorized to be reprinted from BlockBeats. Original article here)

Original link: https://mp.weixin.qq.com/s/pj-c_C5t7-N6U1kBCtQnOA
Original author: Alpha Rabbit, Alpha Rabbit Research Notes

With the rapid growth of the NFT market, trading volume in 2021 reached nearly $44.2 billion. That much money has drawn professional scammers and fraudsters from the digital world into the crypto world, where they target inexperienced crypto newbies. This makes it a good moment to offer everyone some useful security guidelines.

This article is mainly divided into the following parts:

  1. What should beginners be aware of as Discord users or those interested in NFT projects?
  2. Current status of the Discord environment
  3. Security guidelines from Discord officials
  4. Reiteration

NFT Scam Prevention Guide

First, here are some safety practices that ordinary users need to remember. We analyze them further below.

First, keep in mind that scams usually work by exploiting human hope and greed, such as announcements of good fortune (Congratulations, you've won a big prize!), or fear (We are official personnel, you've been caught cheating, provide your ID and bank card password quickly).

0. Do not trust any DM (direct message) with a link attached. It is recommended to turn off DMs directly.

This happens frequently: unless the sender is a friend you have in real life, a Discord private message is likely from a malicious stranger and poses a risk of fraud.

Some possible suspicious points about NFT projects (to pay attention to)

  1. No public chat room on Discord
  2. No comments on Twitter
  3. Non-original design
  4. Can mint in presale without whitelist
  5. Team is completely anonymous, especially the designer
  6. Very few core members, MODs are volunteers found online
  7. Never held an AMA (Ask Me Anything)
  8. Giveaways always only offer WL or free NFTs of the project
  9. Almost no activities besides giveaways
  10. High emphasis on referral in WL requirements
  11. Presale is very rushed
  12. Higher mint quantity per wallet (3 is considered high)
  13. Short project cycle (2 weeks is considered short)
  14. Very low activity in General channel (precisely harvesting domestic investors)
  15. Little attention on Twitter, minimal comments and retweets
  16. No collaboration with other projects (riding the coattails of blue-chip holders does not count as collaboration)
  17. Do not trust any DMs with links attached; it is recommended to turn off DMs directly

(The above is for reference only)

The consequence of a decentralized system is: no one can be fully responsible for something. Is Discord responsible for the security of its users? Or is it up to the server owners to protect user security? Or do users need to learn all security knowledge themselves, such as not clicking on links sent by strangers?

Note: From the perspective of security experts, the quantity of scams is just one aspect; more importantly, many scam methods are becoming increasingly complex. Just like how the immune system works: although NFT holders have developed some immunity to common scams, such as not trusting any unfamiliar information and protecting their mnemonic phrases, due to limited security functions, more and more new methods are beginning to emerge to deceive Web3ers.

Background

Let's start with a story:

In July 2021, Heart, a 50-year-old part-time outdoor coach, lost all her property when her house burned down due to a short circuit, and her home insurance had expired. Later, through a gift from the blockchain company Nametag, Heart received a Bored Ape Yacht Club NFT.

The brand attributes of the Bored Ape Yacht Club NFT are like those of LV or Chanel in the consumer goods world, and the current price in the secondary market can reach millions of dollars. When Heart received this monkey, it was worth about $35,000, and it later rose to $80,000.

However, in August of last year, Heart received a link to a VeeFriends gift, sent directly by a stranger on the chat platform Discord. Everything seemed reasonable, as the URL pointed to the official website of the project. However, when she was ready to claim the gift, the website asked her to enter her mnemonic phrase, and when she did:

All the ETH and monkeys in her account disappeared.

Data shows that in January 2022, at least 44 Discord servers were attacked, with losses exceeding $1 million. As an arena that is highly tempting for scammers, NFT projects have begun to attract industrial-scale fraudulent teams into the NFT field.

However, this has not dampened Discord's growth. In September, Discord raised $500 million in funding, doubling its valuation to $15 billion. The chat service has long been a popular platform for video game players, but over the past year, it has become a virtual city square for the crypto community. Every major NFT project and decentralized autonomous organization now has a Discord server.

At first glance, Discord does not offer anything fundamentally different from traditional enterprise messaging platforms like Slack or Telegram, which mainly provide voice and text chat tools. The company was founded in 2015 and was initially a platform for communication among video game players, but over the past year, it has become an active gathering place for the crypto community.

Discord mainly provides a place for hanging out, but gamers have been replaced by crypto prospectors. Many believe in the arrival of the decentralized internet era, and with the soaring prices of NFTs, Discord provides a ready-made venue for DAOs and NFTs, a free club without gatekeepers, and a meeting space large enough to accommodate thousands of people.

From 2019 to now, Discord's MAU has grown from 56 million to over 150 million, which poses significant security challenges. The governance rules for individual Discord servers have not been iterated, so the responsibility for maintaining platform security falls mainly on the individual server owners. Some of them are volunteers, while others work within the relatively chaotic division of labor of DAOs and NFT projects.

Although Discord has introduced new management tools such as blocking a user and has employed a full-time security team, when scammers start scamming in a channel, moderators are often the first line of defense.

Nicholas Ptacek, former computer security expert at SecureMac, believes:

Discord's operation (being able to send messages casually, change usernames and avatars at will) is a bit like a scammer's paradise.

Even in the internet age, phishing schemes frequently occur, but because the NFT industry is still in its early days, with valuable digital anonymity, large assets, mysterious technology, the influx of newcomers... it truly is a playground for criminals.

However, victims are basically unable to recover their losses. Although OpenSea will flag stolen items and prevent them from trading on the platform, it cannot reverse transactions, meaning it cannot return stolen NFTs to their rightful owners. Jonathan, an intellectual property lawyer at Chilton Yambert Porter, believes that in most cases, victims can only write to those who inadvertently purchased stolen NFTs and repurchase the artwork at full price. Because there is no clear regulation in this world, most of the time it's a gamble.

Security Recommendations from Discord Official

First, when we are about to click on a link to join a server or welcome a new airdrop, there may be situations where, even though the link seems correct, something still feels off.

The first characteristic: the other party does not speak the way a normal person would, for example threatening you with some matter and a deadline, or warning you to join a project or open a link or else you will miss an opportunity. Another characteristic of these scammers is that they have never posted anything in any server they share with you, or they share no server with you at all, yet they suddenly approach you.

According to the Federal Trade Commission, internet scams surged in 2021. Discord's mission has always been to make Discord the best place on the internet for people to find a sense of belonging. We are happy to see interest-based communities bringing people together, but we also see some dangerous people trying to take advantage of these communities.

Therefore, here we share some additional measures we are taking and introduce some methods to protect yourself on Discord. We hope you keep these security skills in mind:

For Ordinary Users:

  • Do not click on links from unknown senders or those that look suspicious.
  • Do not download programs or copy/paste code you don't recognize.
  • Do not disclose your password to anyone!
  • Do not share or screen share your authorization token.
  • Do not scan any QR codes from people you don't know or cannot verify their legitimacy.
  • Enable 2-Factor Authentication to ensure the security of your account as much as possible.

For Server Owners:

  • Review server permissions, especially advanced tools like webhooks.
  • Keep official server invitations updated, especially if most of your new server members come from communities outside of Discord, please update in real-time.
  • Similarly, do not click on suspicious or unknown links, as if your account is compromised, it can have a greater impact on the communities you manage.

Internet Safety Checklist

Internet safety is important. Here are some simple and effective methods that can help keep you safe in DMs, and even outside of Discord.

1. Only open trusted links from people you know

Many security issues arise from users clicking on links before verifying their authenticity. Always carefully check the links you are about to click on; link shortening services can easily mask unsafe websites or programs. It is recommended to check them through resources like VirusTotal to see if they have been marked as potentially dangerous.

2. Pay attention to URL spelling

3. Do not download programs or run code you do not understand

4. Do not download or run software from unknown sources

5. Be cautious of programs sent to you by strangers

If someone claims to have "a particularly exciting software" that needs you to run it on your computer, it is highly likely that they are misleading you to obtain your personal information through phishing programs.
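Checklist items 1 and 2 (verify links, watch URL spelling) can be automated for a server's link-review workflow. The following is an added example, not part of the original article: the allowlist, the shortener list and the `coolapes.example` project domain are assumptions, and all sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumed values: a moderator would list the project's real domains here.
OFFICIAL = {"discord.com", "discord.gg", "coolapes.example"}  # last one is hypothetical
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Judge a URL by the host the browser will contact, not by how the link reads."""
    host = (urlsplit(url).hostname or "").rstrip(".")  # hostname ignores any user@ prefix
    base = ".".join(host.split(".")[-2:])  # naive registrable domain (no Public Suffix List)
    if base in OFFICIAL:
        return "official"
    if base in SHORTENERS:
        return "shortener"  # destination is hidden; expand and re-check before trusting
    if not host.isascii() or "xn--" in host:
        return "idn"  # non-ASCII or punycode host can imitate Latin letters
    if any(name in host for name in OFFICIAL):
        return "embedded-brand"  # official name appears inside a different domain
    for name in sorted(OFFICIAL):
        if edit_distance(base, name) <= 2:
            return f"lookalike:{name}"
    return "unknown"


def scan(message: str) -> list[tuple[str, str]]:
    """Classify every http(s) URL found in a chat message."""
    urls = (u.rstrip(".,)!?") for u in URL_RE.findall(message))
    return [(u, classify(u)) for u in urls]
```

Anything other than `official` deserves a manual check, for example through VirusTotal as recommended above.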

Discord Safety Checklist

Decide on the list of people who can send you DMs: Disable DMs from specific servers to prevent scammers hidden in large communities from contacting you.

Settings: To adjust who can and can't DM you, head into User Settings > Privacy & Safety, then scroll down to “Server Privacy Defaults.” From there, you’ll find the option to “Allow direct messages from server members.”

Note that this new status only applies to servers joined after changing the settings; it will not affect your existing servers. If you turn off this option, members of newly joined servers cannot contact you through DM unless you are friends with them in advance. Receiving suspicious messages from people you don't know carries a certain risk.

If you are in a server you trust and do not mind receiving messages from people inside, you can switch privacy settings on a personal basis.

Review Server Permissions

Understanding the permissions of templates and server members is crucial to keeping each member inside safe. If you are a server owner, have you recently checked the permission list? Who has what permissions? Do you know that they have these permissions, and for how long?

Make sure that only moderators you trust have the power to change powerful server tools, including any bots you may have added to the server. Be vigilant against bots that impersonate well-known bots.
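The "who has what permissions" review can be run over an export of the server's roles. The following is an added example, not part of the original article: the bit values are Discord's published permission flags, while the choice of which flags count as high-risk, the trusted-role list and the sample roles are assumptions constructed for illustration.

```python
import json

# Bit values from Discord's published permission flags. Which ones to treat
# as high-risk is this example's assumption.
HIGH_RISK = {
    "ADMINISTRATOR": 1 << 3,
    "MANAGE_GUILD": 1 << 5,
    "MANAGE_ROLES": 1 << 28,
    "MANAGE_WEBHOOKS": 1 << 29,
    "BAN_MEMBERS": 1 << 2,
    "KICK_MEMBERS": 1 << 1,
    "MENTION_EVERYONE": 1 << 17,
}

# Constructed sample shaped like role objects from the Discord API, where
# "permissions" is a decimal string. Names and values are made up.
SAMPLE_ROLES = json.loads("""[
  {"name": "@everyone",     "permissions": "134144"},
  {"name": "Core Team",     "permissions": "8"},
  {"name": "Volunteer Mod", "permissions": "536870918"},
  {"name": "Giveaway Bot",  "permissions": "8"}
]""")


def risky_permissions(bitfield: int) -> list[str]:
    """Decode a permission bitfield into the high-risk flags it contains."""
    if bitfield & HIGH_RISK["ADMINISTRATOR"]:
        return ["ADMINISTRATOR"]  # implies every other permission
    return [name for name, bit in HIGH_RISK.items() if bitfield & bit]


def audit(roles: list[dict], trusted: set[str]) -> dict[str, list[str]]:
    """Return high-risk permissions held by roles outside the trusted set."""
    findings = {}
    for role in roles:
        perms = risky_permissions(int(role["permissions"]))
        if perms and role["name"] not in trusted:
            findings[role["name"]] = perms
    return findings


if __name__ == "__main__":
    for name, perms in audit(SAMPLE_ROLES, trusted={"Core Team"}).items():
        print(f"{name}: {', '.join(perms)}")
```

In the sample, the bot role holding `ADMINISTRATOR` and the volunteer role holding `MANAGE_WEBHOOKS` are the findings an owner would want to justify or remove.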

Keep the invitation links updated. If the server's links have been updated, make sure your community and new users are aware of these changes, and always update any social media pages where you share these links. If possible, quote the old invitation links and let everyone know that these links have been updated.

Attention! If someone gains control of your Discord account, they can change your username, password, email associated with the account, and any other information related to your account. Once the thief enters your Discord account, they can see all your personal information.

If your account is targeted by hackers as a server owner, everything from the server layout to server permissions and bots can be changed, and all your users can even be kicked out of the server. Your account may also be used as a stepping stone for further destruction within the community, impersonating you to deceive unsuspecting members. Professional scammers might also target Discord accounts with unique, non-replicable badges, such as early supporter badges. If you have one of these unique badges, you should be extra vigilant about your account.

It is recommended to enable 2-Factor Authentication for your account, as scammers attempting extortion also need to provide a 2FA code to change your password (there will be related articles explaining this later).

Reiteration

For Ordinary Users:

  • Do not click on links from unknown senders or those that look suspicious.
  • Do not download programs or copy/paste code you don't recognize.
  • Do not disclose your password to anyone!
  • Do not share or screen share your authorization token.
  • Do not scan any QR codes from people you don't know or cannot verify their legitimacy.
  • Enable 2-Factor Authentication to ensure the security of your account as much as possible.

For Server Owners:

  • Review server permissions, especially advanced tools like webhooks.
  • Keep official server invitations updated, especially if most of your new server members come from communities outside of Discord, please update in real-time.
  • Similarly, do not click on suspicious or unknown links, as if your account is compromised, it can have a greater impact on the communities you manage.

Regarding Some Possible Suspicious Points about NFT Projects (to Pay Attention to)

  1. No public chat room on Discord
  2. No comments on Twitter
  3. Non-original design
  4. Can mint in presale without whitelist
  5. Team is completely anonymous, especially the designer
  6. Very few core members, MODs are volunteers found online
  7. Never held an AMA (Ask Me Anything)
  8. Giveaways always only offer WL or free NFTs of the project
  9. Almost no activities besides giveaways
  10. High emphasis on referral in WL requirements
  11. Presale is very rushed
  12. Higher mint quantity per wallet (3 is considered high)
  13. Short project cycle (2 weeks is considered short)
  14. Very low activity in General channel (precisely harvesting domestic investors)
  15. Little attention on Twitter, minimal comments and retweets
  16. No collaboration with other projects (riding the coattails of blue-chip holders does not count as collaboration)
  17. Do not trust any DMs with links attached; it is recommended to turn off DMs directly

Wishing all friends who see this article a safe journey!