How to avoid common NFT scams and phishing links? (Safety checklist)

Recognize Fake Marketplace Domains

1. Legitimate NFT platforms use verified, consistent domain names—scammers often register lookalike URLs with minor spelling variations or swapped characters.

2. Always double-check the address bar before connecting a wallet; a single typo can route users to malicious clones.

3. Bookmark official sites instead of relying on search engine results or social media links, which are frequently hijacked for impersonation campaigns.

4. Hover over hyperlinks in Discord or Twitter DMs to preview destinations—malicious links often redirect through URL shorteners hiding phishing endpoints.

5. Verify SSL certificates and padlock icons; absence or browser warnings indicate unsecured or spoofed environments.

Verify Wallet Connection Requests

1. Never approve wallet connection prompts from unsolicited pop-ups, email banners, or third-party ads—even if they mimic familiar interfaces.

2. Check the dApp’s origin in your browser extension; mismatched origins signal injected scripts or compromised frontends.

3. Reject any request asking for full wallet access when only read-only or limited transaction approval is needed for viewing or listing.

4. Use hardware wallets for signing; software wallets with auto-sign features increase exposure to unauthorized approvals.

5. Review transaction details on-chain via Etherscan or Solscan before confirming—abnormal gas fees or unknown contract calls warrant immediate cancellation.

Spot Impersonated Community Channels

1. Scammers create fake Discord servers or Telegram groups mirroring real project branding, often promoted via paid tweets or comment spam.

2. Cross-reference server invite links with those posted on the project’s official website or verified Twitter bio—never trust links shared in random replies.

3. Look for missing verification badges, inconsistent moderation, or sudden spikes in bot-like activity such as repetitive giveaway messages.

4. Official teams rarely DM users first; any private message promising free NFTs or urgent wallet recovery is almost certainly fraudulent.

5. Check member count history and join date distribution—newly created servers with thousands of recent joins often indicate coordinated scam operations.

Identify Fraudulent Airdrop Traps

1. Real airdrops never require sending ETH, SOL, or tokens to receive assets—any “gas fee” or “activation deposit” demand is malicious.

2. Legitimate projects announce airdrops across multiple trusted channels simultaneously—not exclusively through DMs or unverified influencers.

3. Airdrop claim pages hosted on non-HTTPS domains or lacking smart contract verification on blockchain explorers should be treated as hostile.

4. Fake airdrops often ask users to connect wallets and then trigger hidden transactions transferring ownership of existing NFTs to attacker-controlled addresses.

5. If an airdrop requires installing unknown browser extensions or granting screen-sharing permissions, it violates fundamental security hygiene.

Frequently Asked Questions

Q: Can I recover funds sent to a phishing wallet?Recovery is virtually impossible once confirmed on-chain; blockchain transactions are irreversible by design.

Q: Are Discord moderators always trustworthy?No—scammers routinely bribe or compromise low-level moderators to gain verification roles and distribute fake links.

Q: Does MetaMask’s built-in phishing detector catch all malicious sites?No—it relies on community-reported domains and cannot detect newly registered or zero-day phishing infrastructure.

Q: Why do some scams use real-looking NFT previews?They embed static images or cached metadata to simulate legitimacy while the underlying contract points to counterfeit or empty token standards.