How to stay protected in web3
November 3, 2022

Web3 technology is still new, and it’s constantly evolving, so while there’s no single action that guarantees protection, there are best practices that can help. Never share your wallet’s seed phrase, be careful when taking actions using your wallet, and make sure to thoroughly evaluate NFTs before buying. The best rule of thumb is that if something looks too good to be true, it probably is.

How can I protect my crypto wallet?

Let’s start with wallets. A crypto wallet is a program that helps you buy, sell, and store your cryptocurrency and (in many cases) your NFTs. Think of it as your address on the blockchain — you can send and receive items from it, it stores your items, and you want to keep it locked and safe. 

There are many kinds of wallets: custodial and non-custodial, hardware and software, and some wallets that are only compatible with specific chains. 

Non-custodial wallets will provide you with a seed phrase, which is your unique access key. Some wallets call this a backup phrase, secret recovery phrase, or even a mnemonic sentence, but they all operate on the same concept: your seed phrase will appear as a string of words in a specific order. 

Once you receive your seed phrase, you’ll need to store it in a safe place that no one else will be able to access. This may mean writing it down on a piece of paper, analog style, and keeping it somewhere safe, or even keeping it in more than one safe location. Never share your seed phrase with anyone — verbally, visually, digitally, or otherwise — because it will give them access to your wallet and everything it holds. 

As a reminder, after creating your wallet, you only need your seed phrase to recover your wallet or create a hard copy backup of your wallet. (You will choose a password for your wallet for more regular use.) If you’re asked for your seed phrase in any other context, the safest thing to do to avoid being hacked is not to provide it.

What is an NFT scam and how can you spot one?

NFT scams can look like many things. For example, they can work by deceiving you into buying something that isn’t what it seems, or by gaining direct access to your wallet(s). Unfortunately, it can be hard to get your money back if you fall victim to an NFT scam because blockchain transactions are irreversible, so the best way to stay protected is to learn how to spot them. As when making any purchase, consumers should use their own best judgment when evaluating and vetting NFT projects. 

How can I vet an NFT project?

Vetting an NFT project is one of the most effective ways to avoid falling for a scam because it gives you insight into the creators, community, and additional details behind a project.

OpenSea displays a blue checkmark badge on some collections and accounts. When you see this, it means the collection belongs to a verified account and has significant interest or sales. 

Account verification brings greater trust to the NFT ecosystem by helping the community identify authentic creators and content. As a reminder, verified accounts are not endorsed by OpenSea and OpenSea makes no representations regarding the NFTs in a verified account. You should feel free to explore all NFTs on OpenSea, but account verification is one useful tool to use when vetting a project for authenticity.

You can also evaluate the project’s creator by clicking into the NFT you’d like to buy and looking under “Description.” There you’ll see text that reads “By” and then the creator’s name. The name is linked to the creator’s OpenSea page, which allows you to see what other NFTs they’ve collected, created, favorited, made offers on and received offers on.

After looking into the creator on OpenSea, you can take your evaluation a step further by searching for their name online. See where other conversations are happening around them, including on Twitter and Discord, but be careful when visiting or connecting your wallet to any site. 

If they’re a prominent name in the web3 space and the project is legitimate, you should see active conversations about the creator and their project online. For example, people might Tweet about their anticipation surrounding the drop, or show off previous work they own from that creator. Keep an eye out for any negative chatter that uses terms like “scam” or “rug pull.” 

On the collection page, you may also see links out to the project’s social media accounts. Check to make sure that these are the correct and official accounts. 

You can also click into the “Activity” section on the project’s OpenSea page to see total volume, sales, listings, offers, collection offers, and transfers. 

There are some types of activity that should raise a red flag when seen in conjunction with other factors. For example, if none of the NFTs in a collection have sold for a very long period of time despite being available to buy and then suddenly one sells for a very high price, or if you see a sudden spike in sales after months of no activity, it should raise some suspicion. 

In general, it’s a good idea to be aware of any activity that can be seen as sharply deviating from the normal pattern, but remember: none of these factors is wholly indicative of a scam on its own. They’re simply factors that help you make educated decisions based on available information before making a purchase.

Tips for NFT buyers and sellers

Web3’s decentralized nature means NFT buyers and sellers are responsible for maintaining its safety. This also means that when the potential of being targeted by a bad actor presents itself, users can take tangible steps to protect themselves and others. 

Both buyers and sellers should be aware of the potential of malicious entities in this ever-evolving space and, from there, learn the ways they can fortify themselves against attacks.

So, before we dive into tips that can help buyers stay safe when purchasing NFTs, here are a few tips to remember if you’re creating your own collection on OpenSea. 

Tips for staying safe when selling NFTs

For starters, phishing scams aren’t only email-based. A potential scammer can also make contact through messages or DMs on social media platforms, privately or publicly. Recently, more phishing attempts have occurred through social media DMs using fake accounts from those pretending to be interested buyers. From there, they may try to get the target to share sensitive information, send ETH, or email information to a malicious email address. Here are some steps you can take to avoid falling prey to a phishing scam of this kind:

Understand OpenSea’s contact policy 

OpenSea will not initiate contact via private message on any social media platform. When OpenSea does reach out to you regarding support tickets, the email will come from help@support.opensea.io. No other opensea.io email variations will be used. Always check the address an email purporting to be from OpenSea comes from to ensure it matches.

Stay away from any “OpenSea” account that asks you to transfer ETH or any cryptocurrency

OpenSea will never ask you to transfer ETH to resolve a support issue. Accounts or messages that ask you to transfer ETH as a part of a support issue may be a bad actor trying to coerce you into forfeiting your cryptocurrency or giving them access to your crypto wallet, as mentioned above.

Know when and how to contact OpenSea

Should you ever need to reach out to OpenSea with inquiries or concerns, go to opensea.io, click “Help Center,” and on the top right of that page, you will see the button “Contact Us.” Once you click that button, you can select from a list of options the one that best describes your issue. You will also have the opportunity to send a message to our team directly from the OpenSea website. 

We recommend following these steps rather than sending an email directly from your email client because this is the safest way to ensure your message is going to the right place.

Trust your instincts

While this isn’t a hard-and-fast rule, it’s a good adage to keep in mind. If an interaction you’re having with someone purportedly from OpenSea feels fishy, trust your instincts and stop interacting. Go directly to the Help Center in the way that’s outlined above and submit a ticket.

Tips for staying safe when purchasing NFTs

Be wary of unsolicited airdrops and unlockable content

If you receive an NFT for free in your wallet from a creator you don’t recognize, be wary of it. Creators will sometimes airdrop free NFTs as a way to promote a new project, but they aren’t always what they seem. It’s possible to stumble into a scam by clicking the creator’s links. These links may send you to a website designed to drain your wallet, and once your cryptocurrency and NFTs are gone, they’re unfortunately gone for good. 

Scams in which a user is airdropped an NFT with “unlockable content” to download are similar. Often that content turns out to be a malicious file. The best way to protect yourself from this kind of scam is to never open any content or click on any links sent to you via an airdropped NFT from an unknown address.

Evaluate the NFT’s authenticity

In the same way buyers of physical fine art need to be aware of counterfeit artwork, NFT buyers need to do the same. But while there are experts who can authenticate and appraise physical fine art, buyers of NFTs are responsible for evaluating projects using their own criteria.

Counterfeiters may steal images of NFTs and use them to create an entirely new collection. But while a piece of art minted as an NFT can be stolen, the original NFT’s contract address cannot be. The provenance of an NFT is permanently and publicly solidified on-chain at the original contract. Unfortunately, because the counterfeiter never owned the original content for the NFT to begin with, the buyer will only end up with a counterfeit copy. 

OpenSea takes measures against counterfeiting and has implemented two systems to improve authenticity on the platform: image recognition technology and dedicated human review.

Our new copymint (that’s what we call these pesky copies of legitimate NFTs) prevention system leverages computer-vision tech to scan all NFTs on our platform and match them against authentic collections. But what makes this even more effective is that we have a dedicated human review system that allows us to review removal recommendations and train our technology continuously. This system helps remove counterfeits from OpenSea. Of course, you still need to evaluate projects yourself using your own criteria to determine whether an NFT is authentic.

You can also always report fraudulent content if you find it on OpenSea.

Examine a collection’s “Activity” and “Analytics” before purchasing

When vetting an NFT, you should always review the collection details, description, volume level, “Activity” history, and connected official social media accounts. For more detailed data on the collection, you can view the “Analytics” tab, which allows you to see data about the collection in various time ranges. When evaluating, be sure to review these details about both the collection and the creator of the item to get a well-rounded view. 

There are a few scams that relate to pricing, the first of which occurs when someone bidding on an NFT switches the preferred cryptocurrency without alerting the seller. Cryptocurrencies vary in their value, and because of this, a large quantity of a certain currency can actually be less than a lower quantity of another currency. This is why it’s extremely important for sellers to carefully review all details of a bid before accepting it.

When viewing the “Activity” section, if you see that multiple NFTs in a collection have been transferred to famous NFT collectors from the same address, it could be an attempt to make the project look legitimate or important. It’s important to remember that these NFTs could have been transferred to their wallets without consent.

Another common scam relating to pricing occurs when a group of people buy NFTs (in some cases ones they already own) within a project to artificially increase the volume and make the project appear as if it’s in high demand. This can also be spotted by checking the project’s “Activity” section on OpenSea. If the collection has a high volume of low price transactions, especially between a group of the same users, it should be closely inspected.

Lastly, it’s important to look out for projects that have collection offers higher than their floor price. This could be the work of a bad actor. 
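The artificial-volume pattern described above (many low-price sales among the same wallets, sometimes buying back NFTs they already owned) can be checked mechanically once a collection's sale history is in hand. The following is an added example, not OpenSea's code: the event schema, thresholds and sample sales are constructed assumptions.

```python
from collections import defaultdict

# Thresholds are illustrative assumptions, not values used by OpenSea.
LOW_PRICE_RATIO = 0.5   # "low price": under half the reference (e.g. floor) price
GROUP_SHARE = 0.5       # flag when at least half of all sales fit the pattern
MIN_SALES = 5           # too few sales to say anything below this

# Constructed sample, oldest first: three wallets pass two tokens around cheaply,
# plus one ordinary sale between unrelated wallets.
SAMPLE_SALES = [
    {"seller": "0xA", "buyer": "0xB", "token_id": 1, "price": 0.01},
    {"seller": "0xB", "buyer": "0xC", "token_id": 1, "price": 0.01},
    {"seller": "0xC", "buyer": "0xA", "token_id": 1, "price": 0.01},
    {"seller": "0xA", "buyer": "0xB", "token_id": 2, "price": 0.02},
    {"seller": "0xB", "buyer": "0xA", "token_id": 2, "price": 0.02},
    {"seller": "0xD", "buyer": "0xE", "token_id": 3, "price": 1.00},
]


def wash_trade_signals(sales, reference_price):
    """Summarise sale events (oldest first) for the artificial-volume pattern."""
    sellers = {s["seller"] for s in sales}
    buyers = {s["buyer"] for s in sales}
    two_sided = sellers & buyers  # wallets on both sides of this collection's market

    in_group_low = 0
    round_trips = 0
    past_owners = defaultdict(set)  # token_id -> wallets that have sold it
    for s in sales:
        cheap = s["price"] < LOW_PRICE_RATIO * reference_price
        if cheap and s["seller"] in two_sided and s["buyer"] in two_sided:
            in_group_low += 1
        # A buyer who sold this same token earlier is buying back their own NFT.
        if s["buyer"] in past_owners[s["token_id"]]:
            round_trips += 1
        past_owners[s["token_id"]].add(s["seller"])

    share = in_group_low / len(sales) if sales else 0.0
    return {
        "group_wallets": sorted(two_sided),
        "in_group_low_price_sales": in_group_low,
        "in_group_low_price_share": round(share, 3),
        "round_trips": round_trips,
        # A prompt for closer inspection, never proof of a scam on its own.
        "inspect": len(sales) >= MIN_SALES and share >= GROUP_SHARE,
    }
```

A legitimate reseller also buys and sells, so a wallet appearing on both sides only matters in combination with the low prices and the repeated counterparties.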

Protect your wallet information

There are cyber security scams that have been referred to as “hacks”, “phishing”, or malicious attempts to get information or access to a wallet, but there are also steps you can take to protect your wallet information.

Bad actors will use social media to announce what look like free NFT giveaways. Often, they offer people free NFTs for helping them market a project. They’ll make the offer seem time sensitive to push people into accepting before sufficiently researching the project. Then, when it’s time for people to receive their free NFT, they’re asked for their wallet credentials which gives the scammers access to their cryptocurrency and NFTs.

Hacking via direct message will look like someone messaging you directly and either sending a link or requesting your wallet information. If you’re sent a link from someone you don’t know via direct message, never click on it, and similarly, never share your wallet address with anyone within a DM. OpenSea Support will never message you first on a social network or ask for your seed phrase.

Ensure the crypto wallet application and browser extension you’re using or being asked to use is the official application/extension for that wallet. Go directly to the wallet’s website to cross check. And as a reminder, you should always keep your browser updated.

Don’t reuse your passwords. We know that this is a tough one. We’re only human and can only remember so many combinations of words and numbers, but one of the safest ways to maintain your security online is to use unique passwords for each log in.

Try a hardware wallet for long-term storage of your NFTs! While a hardware wallet can’t protect you against the scams listed above, it can help protect the NFTs you care about most. A hardware wallet is ideally not connected to the internet and is used as “cold” storage for your cryptocurrency and NFTs. You can use a separate software wallet to actually transact, which helps keep your most beloved NFTs and cryptocurrency one step removed from possible attacks.

Never share your wallet’s seed phrase. We know we’ve already said that but we’re going to say it again just for good measure. It’s an important one.

Be cautious about who you share information with

There are scams in which a link from an email, social media platform, or embedded user generated content takes you to a website that asks you to connect your wallet or asks for your seed phrase. Often, they use urgent or time sensitive information to coerce you into making a decision quickly. Once the scammer has your information, they have access to your cryptocurrency and NFTs stored there. 

Bad actors can also occasionally buy ads on search engines or social media platforms, allowing them to target the same keywords the legitimate websites are relying on in order to rank in the search results. This may look like a website name or description that looks official but the web address has typos or duplicates. To confirm you’re navigating to the official website, verify that the web address matches the web address listed on the project’s social media accounts. This can help you avoid landing on a malicious website. As a reminder, never give anyone your seed phrase, especially an unknown website.

Find a project’s official links on their OpenSea collection page or Twitter account and then ensure they match up with the collection you intend to purchase from. 

Scammers have also turned to email in order to gain trust and access to wallets. If an email comes from someone you don’t know, has typos, seems oddly written or phrased, or asks you for your seed phrase or any personal information, your safest option is to simply not respond.

OpenSea Support will never contact you via Discord direct message, ask for your seed phrase, ask you to screenshot your wallet, send you a link in order to fix your wallet, or ask you to screen share. OpenSea will ONLY send you emails from the domain: ‘opensea.io.’ Please do not engage with any email claiming to be from OpenSea that does not come from this email domain.
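The two checks described above, matching an email's sender address against the official domain and confirming that a web address is the real one rather than a typo or near-duplicate, can be written down as follows. This is an added example, not OpenSea's code: the function names, the typo threshold and the sample inputs are assumptions, while the domain and support address are the ones given in this article.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "opensea.io"              # domain named in the article
SUPPORT_SENDER = "help@support.opensea.io"  # support address named in the article
MAX_TYPO_DISTANCE = 2                       # assumed threshold for a "near miss"


def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss spellings of the domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host):
    """Return 'official', 'lookalike' or 'unrelated' for a hostname."""
    host = host.strip().rstrip(".").lower()
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return "official"
    brand = OFFICIAL_DOMAIN.split(".")[0]
    last_two = ".".join(host.split(".")[-2:])  # naive registrable-domain guess
    if brand in host or edit_distance(last_two, OFFICIAL_DOMAIN) <= MAX_TYPO_DISTANCE:
        return "lookalike"
    return "unrelated"


def check_sender(from_header):
    """Classify a From: header by its address; the display name is ignored."""
    _, addr = parseaddr(from_header)
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return "unparseable"
    if addr.lower() == SUPPORT_SENDER:
        return "support-address"
    verdict = classify_host(domain)
    return "official-domain" if verdict == "official" else verdict


def check_link(url):
    """Classify the host a link actually points at."""
    parts = urlsplit(url)
    # Text before '@' is userinfo, not the host: 'https://opensea.io@other.example/'.
    if parts.username is not None:
        return "lookalike"
    return classify_host(parts.hostname or "")
```

The From: header is easy to forge, so a passing result here only rules out the crudest impersonation; it does not show that a message is genuine.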

Don’t click on links sent to you via direct message or shared via tweets, email blasts, or on websites that you don’t know or recognize. Scammers can use phishing tactics to coerce you into connecting your wallet to a website. As a best practice, only engage with official links from trusted accounts that don’t appear to be compromised.

Use your best judgment

Cyber security is both an art and a science. We believe web3 and blockchain technology are the building blocks of the future, but they’re still very new, and as with anything new, the community is still creating the practices and processes that will keep it safe for everyone. In general, navigate this space with your best judgment and remember that if something appears too good to be true, it very likely is.

🧠 Q&A

What is a hardware wallet?

A hardware wallet is a type of crypto wallet that’s a physical device that you plug into your computer to use. Because it’s not always connected to your computer or browser, it’s a great option for long-term secure storage, but is a bit less convenient for fast or frequent transactions.

What do I do if my NFT gets stolen?

The sale of stolen items is against our Terms of Service and is not allowed on OpenSea. When we are notified of potentially stolen items, or the item has suspicious activity in its transaction history, we disable the ability to buy, sell, or transfer the items using OpenSea's services to make sure we’re complying with legal requirements and protecting users. 

If you’d like to report items as stolen—to disable them from being bought or sold using OpenSea's services—please submit a ticket. Our User Safety team will help with disabling the affected items.

How do creators get verified on OpenSea?

Accounts that own collections with at least 75 ETH of volume sold (or equivalent) and meet other criteria like minimum activity levels and social presence are eligible to apply for verification.