Imagine – your favorite brand on Instagram just announced a giveaway. You’ll receive a free gift! All you have to do is provide your credit card information. Sounds easy, right? This is a brand you’ve followed and trusted for a while now. You’ve engaged with them and even purchased some of their items. The link comes directly from their official page, so you don’t think to question it.
This is the same mindset that led to several Bored Ape Yacht Club (BAYC) NFTs being stolen by a cybercriminal who had hacked into the company’s official Instagram account. Let’s dive into the details of this scam.
Sneaking Into the Bored Ape Yacht Club
Bored Ape Yacht Club, the NFT collection, disclosed through Twitter that their Instagram account had been hacked, and advised users not to click on any links or link their crypto wallets to anything. The hacker managed to log into the account and post a phishing link promoting an “airdrop,” or a free token giveaway, to users who connected their MetaMask wallets. Those who linked their wallets before BAYC’s warning lost a combined amount of over $1 million in NFTs.
Despite the large price tag attached to NFTs, they are often held in smartphone wallets rather than more secure alternatives. MetaMask, the crypto wallet application, only allows NFT display through mobile devices and encourages users to use the smartphone app to manage them. While it may be a good method for display purposes, this limitation provides hackers with a new and effective way to easily steal from users’ mobile wallets.
BAYC does not yet know how the hacker was able to gain access to their Instagram account, but they are following security best practices and actively working to contact the users affected.
N.F.T. – Not For Taking
This scam was conducted through the official BAYC account, making it appear legitimate to BAYC’s followers. It is incredibly important to stay vigilant and know how to protect yourself and your assets from scams like these. Follow the tips below to steer clear of phishing scams and keep your digital assets safe:
Ensure wallet security
A seed phrase is the “open sesame” to your cryptocurrency wallet. The string of words is what grants you access to all your wallet’s assets. Ensuring that your seed phrase is stored away safely and not easily accessible by anyone but yourself is the first step to making sure your wallet is secure.
Protect your privacy
Because blockchain transaction and wallet data are public, scammers can pick and choose their targets based on who appears to own valuable assets. To protect your privacy and avoid being targeted, refrain from sharing your personal information on social media sites or using your NFT as a social media avatar.
Look out for phishing scams
Phishing scams targeting NFT collectors are becoming increasingly common. Be wary of any airdrops offering free tokens in exchange for your information or other “collectors” doing the same.
Phishing scams tend to get more sophisticated over time, especially in cases like the Bored Ape Yacht Club where the malicious links are coming straight from the official account. It is always best to remain skeptical and cautious, but when in doubt, here are some extra tips to spot phishing scams:
- Is it written properly? A few spelling or grammar mistakes can be common, but many phishing messages will contain glaring errors that professional accounts or companies wouldn’t make. If you receive an error-filled message or promotion that requires giving your personal information, run in the other direction.
- Does the logo look right? Scammers will often steal the logo of whatever brand or company they’re impersonating to make the whole shtick look more legitimate. However, rarely do the logos look exactly how they’re supposed to. Pay close attention to any logo added in a message or link. Is the quality low? Is it crooked or off-center? Is it almost too small to completely make out? If yes, it’s most likely not the real deal.
- Is the URL legit? In any phishing scam, there will always be a link involved. To check if a link is actually legitimate, copy and paste the URL into a word processor where you can examine it for any odd spelling or grammatical errors. If you receive a strange link via email, hover over it with your mouse to see the link preview. If it looks suspicious, ignore and delete it. Even on mobile devices, you can press and hold the link with your finger to check out the legitimacy of the URL.
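The manual URL inspection above can be turned into a small checker. This is an added example, not McAfee's code: the trusted host is an assumed placeholder and every sample link is constructed for illustration, not taken from the actual scam.

```python
"""Flag links that imitate a trusted brand host (added example, not McAfee's code)."""
from typing import List
from urllib.parse import urlparse

# Assumed legitimate host for the brand being impersonated (placeholder value).
TRUSTED_HOSTS = {"boredapeyachtclub.com"}


def normalize_host(host: str) -> str:
    """Collapse common look-alike substitutions so 'b0redape' compares equal to 'boredape'."""
    host = host.lower().rstrip(".")
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")):
        host = host.replace(fake, real)
    return host


def registrable_domain(host: str) -> str:
    """Last two labels of the host (a rough stand-in for a public-suffix lookup)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def inspect_url(url: str, trusted_hosts=TRUSTED_HOSTS) -> List[str]:
    """Return warnings for a link; an empty list means nothing obviously wrong."""
    warnings = []
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        warnings.append("not https")
    if parsed.username or parsed.password:
        # 'https://brand.com@evil.example' shows the brand first but goes to evil.example.
        warnings.append("credentials in URL (real host is hidden after '@')")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode/IDN hostname: possible homograph")
    if not host:
        warnings.append("no hostname")
        return warnings
    reg = registrable_domain(host)
    if reg in trusted_hosts:  # legitimate subdomains of the trusted host pass here
        return warnings
    warnings.append(f"host '{host}' is not a trusted domain")
    for trusted in trusted_hosts:
        brand = trusted.split(".")[0]
        if brand in host:  # e.g. brand.com.evil.example or brand-claim.example
            warnings.append(f"'{brand}' appears inside an untrusted host (subdomain/hyphen trick)")
        elif normalize_host(reg) == normalize_host(trusted):
            warnings.append(f"'{reg}' looks like '{trusted}' (look-alike characters)")
    return warnings
```

Run it on any link you are unsure about; a non-empty result is a reason to stop, not proof of a scam, and an empty result only means the cheap tricks were not found.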
As crypto and NFTs continue to take the world by storm, hackers and scammers are constantly on the prowl for ways to steal and deceive. No matter the source or how trustworthy it may seem at first glance, always exercise caution to keep yourself and your assets safe!