Web3 Scam Prevention Guide: Essential Security Skills for Discord Users
Author: Alpha Rabbit Mona
With the rapid growth of the NFT market, the trading volume in 2021 nearly reached $44.2 billion. The enormous financial temptation has led to a significant infiltration of professional scammers and fraudsters into the crypto world. These scammers often target inexperienced crypto newcomers, which serves as the impetus for providing some useful safety guidelines in this article.
This article is mainly divided into the following parts:
1) What should newcomers to Discord or those wanting to participate in NFT projects pay attention to?
2) The current state of the Discord environment
3) Safety guidelines from Discord officials
4) A reiteration
NFT Scam Prevention Guide
Here are some safety guidelines that ordinary users need to remember; we analyze them further below.
Before anything else, note that scams mostly exploit human hope and greed (for example, "Congratulations! You've won a grand prize!") and fear (for example, "We are officials; you have been scammed and must provide your ID and bank card password immediately").
0. Do not trust any DM (direct message) that includes links; it is recommended to turn off DMs altogether.
This matters because anyone DMing you who is not a friend you have met in real life is very likely a stranger with a motive, and there is a real risk that they are trying to scam you.
Some Possible Red Flags Regarding NFT Projects (Things to Watch Out For)
Discord does not open public chat rooms
Twitter does not allow comments
Non-original designs
Non-WL (non-whitelist) wallets can also mint in the presale
The team is completely anonymous, especially the designers
Very few core members, MODs are mostly volunteers found online
Never held an AMA (Ask Me Anything)
Raffles only ever give away WL or free NFTs of the project
Besides raffles, there are basically no other activities
The WL requirements heavily emphasize referrals
Presale is very rushed
The mint quantity per wallet is quite high (3 is already considered a lot)
The project cycle is relatively short (2 weeks is considered short)
General channel activity is extremely low (a sign the project exists only to harvest domestic investors)
Very few followers on Twitter, minimal comments and retweets
No collaboration with other project parties (riding on blue-chip holders does not count as collaboration)
Do not trust any DM that includes links; it is recommended to turn off DMs altogether.
(The above is for reference only)
Background
Let's start with a story:
In July 2021, 50-year-old part-time outdoor coach Heart lost her home to a fire caused by a short circuit while training children outdoors. Her home insurance had expired, resulting in the loss of all her possessions. Later, through a giveaway from the blockchain company Nametag, Heart received a Bored Ape NFT.
The brand attributes of the Bored Ape NFT are akin to luxury goods like LV and Chanel, with prices in the secondary market reaching millions of dollars. When Heart received the ape, it was valued at about $35,000, later rising to $80,000.
However, in August last year, Heart received a link to a VeeFriends giveaway sent directly by a stranger on the chat platform Discord. Everything seemed reasonable, and the URL pointed to the project's official website. But when she attempted to claim the giveaway, the official website requested her seed phrase, and after she entered it:
All the Eth and the ape in her account disappeared.
The NFT boom described above has drawn professional scammers and fraudsters into the crypto world, where they target inexperienced newcomers. As a public chat platform, Discord is one of their breeding grounds.
Data shows that in January 2022, at least 44 Discord servers were attacked, with losses exceeding $1 million. NFT projects, a highly attractive arena for scammers, have seen industrial-scale scam teams enter the space. This has not affected Discord's growth: in September, Discord raised $500 million, more than doubling its valuation to $15 billion. The chat service has long been popular with gamers, and over the past year it has become the de facto town square for the crypto community, with every major NFT project and decentralized autonomous organization now running a Discord server.
Founded in 2015 as a communication platform for gamers, Discord has over the past year become the organizing hub for the cryptocurrency community. On the surface, however, it offers nothing fundamentally different from enterprise messaging platforms like Slack or Telegram: it is still primarily a voice and text chat tool.
Discord mainly provides a place to hang out, but gamers have since been replaced by crypto prospectors, many of whom firmly believe in the arrival of a decentralized internet era. With NFT prices skyrocketing, Discord has provided a ready-made venue for DAOs and NFTs, a free club without doormen, and a meeting space large enough to host thousands of people.
From 2019 to now, Discord's MAU has grown from 56 million to over 150 million. This brings significant security challenges, yet the governance rules for individual Discord servers have not kept pace. The responsibility for maintaining security therefore falls mainly on the individual server heads, some of whom are volunteers, while others are employees of DAOs and NFT projects with fairly chaotic divisions of responsibility.
Although Discord has launched new management tools, such as blocking certain users, and has hired a full-time security team, when scammers start scamming in a channel, moderators are often the first line of defense.
"The way Discord is set up, it makes it really easy to fall for those scams between notifications flying in every five seconds and the way you can change your avatar, your username," said Nicholas Ptacek, a former computer security specialist at SecureMac who now writes about NFTs and crypto. "It's kind of a scammer's paradise."
Phishing schemes are nothing new on the internet, but the NFT industry is still in its early, wild stage, with valuable digital anonymity, large assets, mysterious technology, and an influx of newcomers: a genuine playground for criminals.
The consequence of a decentralized system is that no one can be fully responsible for any particular issue. Does Discord have a security responsibility for its users? Or do the heads of each server need to protect user safety? Or do users themselves need to learn all safety knowledge, such as not clicking on links sent by strangers?
From a security expert's perspective, the number of scams is just one aspect; more importantly, many scamming methods are becoming increasingly complex. Just like how the immune system works: although NFT holders have developed some immunity to ordinary scams, such as not trusting any unfamiliar information and protecting their seed phrases, due to limited security features, more and more new methods are emerging to deceive Web3 users.
However, victims generally have no way to recover their losses. OpenSea can mark stolen items and block them from being traded on its platform, but it cannot reverse transactions, so it cannot return stolen NFTs to their rightful owners. Jonathan, an intellectual property lawyer at Chilton Yambert Porter, believes that typically the victim's only option is to write to the person who unknowingly bought the stolen NFT and offer to buy the artwork back at full price. With no clear regulation from authorities in this space, most of the time one can only accept the loss.
Safety Recommendations from Discord Officials
First, when we are about to click a link to join a server or claim a new airdrop, there are situations where the link appears correct yet something still seems off.
Feature 1: The other party speaks in an unnatural way, for example threatening you over some matter, setting a deadline, or warning that you must join a certain project or click a certain link or else you will lose the opportunity. Another characteristic of these scammers is that they have never posted in any server you share, or share no server with you at all, yet suddenly start a chat.
According to the Federal Trade Commission, online scams surged in 2021. Discord's mission has always been to be the best place on the internet for people to find a sense of belonging, and we are happy to see interest-based communities bringing people together, but we also see some dangerous individuals trying to exploit these communities.
Therefore, we would like to share the additional measures we are taking and introduce some ways to protect yourself on Discord. We hope you keep these safety skills in mind:
For ordinary users:
· Do not click on links from unknown senders or those that appear suspicious.
· Do not download programs or copy/paste code you do not recognize.
· Do not disclose your password to anyone!
· Do not share or screen share your authorization token.
· Do not scan any QR codes from people you do not know or whose legitimacy you cannot verify.
· Enable 2-Factor Authentication to ensure your account security as much as possible.
For server heads:
· Review server permissions, especially advanced tools like webhooks.
· Keep official server invitation links updated, especially if most of your new server members come from outside the Discord community; update in real-time.
· Similarly, do not click on suspicious or unknown links; if your account is compromised, it could have a greater impact on the community you manage.
Internet Safety Checklist
It is important to keep a healthy respect for internet security. Here are some simple yet effective methods to stay safe in DMs, and to some extent outside of Discord as well.
1. Only open trusted links from people you know
Many security issues arise from users clicking links before verifying their authenticity. Always carefully check the links you are about to click; link shortening services can easily conceal unsafe websites or programs. It is recommended to check it through resources like VirusTotal to see if anyone has flagged it as potentially dangerous.
2. Pay attention to URL spelling
3. Do not download programs or run code you do not understand
4. Do not download or run software from unknown sources
5. Be cautious of programs sent to you by strangers
If someone claims to have "a particularly amazing software" that you need to run on your computer, it is highly likely they are misleading you to obtain your personal information through their phishing program.
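Items 1 and 2 above (verify links, watch the URL spelling, distrust shorteners) can be turned into a mechanical check. The script below is an added example, not part of the original article or of Discord's tooling: it parses a URL received in a DM and reports the red flags a careful reader would look for. The official-domain allowlist, the shortener list and the "last two labels of the host" rule for the registrable domain are constructed assumptions for illustration.

```python
"""Link hygiene checker for URLs received in Discord DMs (added example; the
allowlist, shortener list and "last two labels" domain rule are assumptions)."""
from urllib.parse import urlsplit

# Constructed sample allowlist: domains a community has published as official.
OFFICIAL_DOMAINS = {"opensea.io", "discord.com", "discord.gg", "veefriends.com"}
# Constructed sample list of link shorteners that hide the real destination.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "cutt.ly"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1 or 2 against an official domain suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host: str) -> str:
    """Last two labels: 'claim.opensea.io' -> 'opensea.io', but also
    'opensea.io.evil.example' -> 'evil.example' (wrong for .co.uk-style suffixes)."""
    return ".".join(host.split(".")[-2:])

def check_link(url: str) -> list:
    """Return the red flags found in a URL; an empty list means nothing obvious."""
    flags = []
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        flags.append("not https")
    if "@" in parts.netloc:
        flags.append("userinfo before the host hides the real destination")
    if "xn--" in host:
        flags.append("punycode label (possible homoglyph domain)")
    if host.replace(".", "").isdigit():
        flags.append("raw IP address instead of a domain")
        return flags
    reg = registrable_domain(host)
    if reg in OFFICIAL_DOMAINS:
        return flags
    if reg in SHORTENERS:
        flags.append("link shortener; expand it before clicking")
        return flags
    brand = reg.split(".")[0]
    for official in sorted(OFFICIAL_DOMAINS):
        # Same brand on another TLD, or a spelling one or two characters off.
        if brand == official.split(".")[0] or edit_distance(reg, official) <= 2:
            flags.append(f"looks like {official} but is {reg}")
    if not any(f.startswith("looks like") for f in flags):
        flags.append(f"{reg} is not on the official domain list")
    return flags
```

Feeding it the kind of "giveaway" link from the story above shows why reading the host is not enough: a URL such as `https://opensea.io@evil.example/claim` visibly contains the official name but actually lands on the domain after the `@`.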
Discord Safety Checklist
Decide who can DM you: Disable DMs from specific servers to prevent scammers hiding within large communities from contacting you.
To adjust who can and can't DM you, head into User Settings > Privacy & Safety, then scroll down to "Server Privacy Defaults." From there, you'll find the option to "Allow direct messages from server members." Note that this new setting only applies to servers you join after changing the settings; it will not affect your existing servers.
If you turn off this option, members of newly joined servers will not be able to contact you via DM unless you are already friends with them. Receiving suspicious messages from people you do not know carries certain risks.
If you are in a trusted server and do not mind receiving messages from people inside, you can switch privacy settings on a personal basis. Head to that server on desktop or mobile, select its name to open the server's settings, and choose "Privacy Settings." Once there, you'll find the "Allow direct messages from server members" option. Turn that on, and you're free to receive all sorts of DMs from everyone in that server, regardless of whether you're friends or not!
Review server permissions
· Understanding the permissions of roles and members within the server is key to keeping each member safe. If you are the owner of a server, have you recently checked the permissions list? Who has what permissions? Do you know how long they have had those permissions?
· Ensure that only trusted moderators have the authority to change powerful server tools, including any bots you may have added to the server; be vigilant against bots impersonating well-known large bots.
· Keep invitation links updated
If the server's link has been updated, make sure your community and new users are aware of these changes, and continuously update any social media pages where you share these links. If possible, reference the old invitation links and let everyone know that these links have been updated.
(This is doubly so for Partnered, Verified, or Level 3-boosted servers that utilize a vanity URL: if your server loses or changes its custom invite link, nefarious communities may swoop in and claim your old one. If this happens before you update your public-facing invites, people trying to join your community may instead join a server that's looking to cause trouble.)
Warning! If someone gains control of your Discord account, they can change your username, password, the email associated with your account, and any other information related to your account. Once a thief accesses your Discord account, they can see all your personal information, from server layouts to server permissions to bots, and even kick all your users out of the server. If your account is the target of hackers, they may even use your account as a stepping stone to further disrupt the community, impersonating you to deceive unsuspecting members.
Professional scammers may also target Discord accounts with unique profile badges that cannot be replicated, such as early supporter badges. If you have one of these unique badges, you should be especially vigilant about your account.
It is recommended to enable 2-Factor Authentication for your account, since an attacker who wants to change your password would then also need your 2FA code (more articles will follow to explain this further).
A Reiteration
For ordinary users:
- Do not click on links from unknown senders or those that appear suspicious.
- Do not download programs or copy/paste code you do not recognize.
- Do not disclose your password to anyone!
- Do not share or screen share your authorization token.
- Do not scan any QR codes from people you do not know or whose legitimacy you cannot verify.
- Enable 2-Factor Authentication to ensure your account security as much as possible.
For server heads:
- Review server permissions, especially advanced tools like webhooks.
- Keep official server invitation links updated, especially if most of your new server members come from outside the Discord community; update in real-time.
- Similarly, do not click on suspicious or unknown links; if your account is compromised, it could have a greater impact on the community you manage.
Some Possible Red Flags Regarding NFT Projects (Things to Watch Out For, and More to Add)
Discord does not open public chat rooms
Twitter does not allow comments
Non-original designs
Non-WL (non-whitelist) wallets can also mint in the presale
The team is completely anonymous, especially the designers
Very few core members, MODs are mostly volunteers found online
Never held an AMA (Ask Me Anything)
Raffles only ever give away WL or free NFTs of the project
Besides raffles, there are basically no other activities
The WL requirements heavily emphasize referrals
Presale is very rushed
The mint quantity per wallet is quite high (3 is already considered a lot)
The project cycle is relatively short (2 weeks is considered short)
General channel activity is extremely low (a sign the project exists only to harvest domestic investors)
Very few followers on Twitter, minimal comments and retweets
No collaboration with other project parties (riding on blue-chip holders does not count as collaboration)
Do not trust any DM that includes links; it is recommended to turn off DMs altogether.
Wishing all friends who see this article safety and smooth sailing!