In the world of Web 3, crypto and NFTs, prioritizing security is the most important move you can make. Users are exposed to a large amount of malware every day that they use their phones and computers.
If your devices and wallet are compromised, you will lose everything, so it is important to take the necessary precautions to secure them.
And above all else, you must protect your seed phrase.
Be vigilant. Every time you log on to your computer, expect an attack. There is always someone searching for vulnerabilities and willing to take advantage of the platforms users interact with daily.
Phishing is a fraudulent practice wherein cybercriminals pose as legitimate institutions or companies, usually via email.
These emails will often solicit you for sensitive information that can be used to access your personal accounts, and they often contain links to malicious websites and malware.
Always confirm the sender’s email address is from a verified domain, regardless of how “official” an email appears. When in doubt, obtain contact information for the company from an alternative source, and call them to verify the authenticity of the communication.
Bad links will often navigate you to a malicious website, or prompt you to download a file that contains a virus or malware. Bad links can be found anywhere, including emails, websites, advertisements, Twitter, and Discord.
The safest way to protect yourself is to assume every link a stranger shares is bad. Instead, request a screenshot of the information you need.
Only interact with links shared from official NFT project Twitter accounts or from people you trust.
In addition, Discords for various NFT projects often have an “Official Links” channel, which you should use on a routine basis.
A verified checkmark on Twitter means nothing. Those accounts can be purchased by scammers on the black market.
Fake accounts on Twitter and Instagram will look extremely convincing. Oftentimes, their account names, profile pictures, banners, tweets, and handles will seem identical.
Only interact with accounts you previously trusted and followed. Furthermore, you can cross-reference the accounts with the social links contained on official websites and Discords.
People often trade NFTs on third-party websites and platforms to avoid the trading fee on centralized NFT exchanges, such as OpenSea.
The downside to this practice is the increased risk of being scammed. The most common scenario involves a person sharing a link to a fake trading website that mimics the look and feel of the actual site.
Upon interacting with the malicious website or approving a transaction, a victim’s wallet is subsequently emptied of all their cryptocurrency and NFTs.
Have a deep understanding of how these third-party trading platforms function, and only navigate to them through trusted links and bookmarks.
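The advice above about verifying a sender's domain and opening trading sites only through trusted links comes down to the same check: compare the real hostname against a short list you verified yourself. The following Python sketch is an added example, not part of the original article; the allowlist, the sample domains and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist of hosts you verified yourself (for example from a
# project's "Official Links" channel). opensea.io is the exchange the article
# names; example-nft-project.com is a hypothetical project site.
OFFICIAL_HOSTS = {"opensea.io", "example-nft-project.com"}


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host, userinfo="", official=OFFICIAL_HOSTS):
    """Return 'official', 'lookalike' or 'unknown' for a hostname."""
    host = host.lower().rstrip(".")
    if not host:
        return "unknown"
    # Official: exact host or a real subdomain of it, with nothing before an "@".
    if not userinfo and any(host == h or host.endswith("." + h) for h in official):
        return "official"
    last_two = ".".join(host.split(".")[-2:])
    for h in official:
        brand = h.split(".")[0]
        if brand in host or brand in userinfo.lower():
            return "lookalike"  # brand used as bait: opensea.io.x.example, opensea.io@x
        if edit_distance(last_two, h) <= 2:
            return "lookalike"  # near-miss spelling such as opensae.io
    return "unknown"


def classify_link(url):
    """Classify a shared link; anything that is not https is never 'official'."""
    parts = urlsplit(url.strip())
    verdict = classify_host(parts.hostname or "", parts.username or "")
    return "unknown" if verdict == "official" and parts.scheme != "https" else verdict


def classify_sender(address):
    """Classify the domain of an email sender address (text after the last '@')."""
    return classify_host(address.rpartition("@")[2].strip("<> "))
```

A sender address that classifies as "official" is necessary but not sufficient, because the From header of an email can be forged; the phone verification described earlier still applies.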
Discord scams often manifest after an NFT project team member has their login credentials compromised.
The scammer will then try to pose as the team member, like a moderator, and share malicious links or make false “Announcements” that lead people to harmful websites.
Other times, a scammer may simply drop into the “General” chat of a Discord and share bad links, or attempt to solicit a fake trade.
Never trust a “surprise mint” or announcement that seems wildly unexpected. Take your time to evaluate any strange behavior from Moderators or Team members, and ask other people in your community to validate news before taking action.
Bottom line: Never share your seed phrase with anyone. It’s the equivalent of giving someone full access to your bank account in perpetuity.
So unless it’s a close friend or family member you trust to have unlimited access to your digital assets, never share your seed phrase with anyone.
Make sure your seed phrase is written on a piece of paper, and keep more than one copy as an emergency backup.
For additional security, you can split your seed phrase in half and store it in two separate locations. That way, if one location becomes compromised, no one will be able to access your wallet.
Never store your seed phrase on a computer or cloud storage where hackers can access it, and never screenshot or take a photo of your seed phrase.
Never type in your seed phrase. Never share your seed phrase with anyone.
You can also store your seed phrase using something more resilient than paper—like a cryptotag: https://cryptotag.io/
In Metamask, there are three ways to externally access/import full control of your wallet.
-Private Key QR code.
They can be found in your Metamask settings. Never share them with anyone.
In Discord, go to your “Privacy and Safety” settings.
Under “Server Privacy Defaults,” disable the “Allow direct messages from server members” setting.
On rare occasions, an official Moderator may request that you re-enable this feature so they can contact you to help resolve an issue. Also, an official server verification program may need to contact you via DM.
In these instances, you can temporarily toggle this setting back on, but remember to turn it off once your issue is resolved.
The most secure way to protect your crypto is by using a hardware wallet.
If you are buying/selling/creating NFTs, cryptocurrency or any digital assets, the most secure place to store them is in a hardware wallet. Buy one or more hardware wallets.
Suggestion: Ledger Nano
Never buy a hardware wallet from secondary vendors or Amazon. These are susceptible to supply chain attacks, in which hackers compromise a wallet before it is resold to a buyer. Always buy directly from the manufacturer's website.
Never store your passwords on your browser. When a site asks you to save your password, never accept.
The best way to protect your passwords is to write them down and store them offline. If you are using a password manager, never store your recovery data on your computer. Always print out or write down all recovery data on multiple copies of paper and place them in more than one safe place.
Using 2FA (two-factor authentication) is the best way to make sure no one can access your accounts without your permission.
Do not use SMS authentication if possible. Sophisticated attacks can compromise your phone.
Sharing your computer screen through a live feed or screenshots can make you vulnerable to a variety of attacks.