And then you’re confronted with dubious pop-ups, insistent signature requests, dodgy emails calling you to update your details… so much that it becomes hard to tell what’s legitimate, and what’s a fraud - for very good reasons.
Sadly, web3 and the crypto space are still fraught with scammers, grifters, and all sorts of bad actors. Many of these target users that are new to the space and are still getting familiar with how it all works.
But fear not. The best way to fight scammers is precisely by educating yourself on their practices. Amongst our team, we’ve years of experience in dealing with fraud, hacks, and deceit.
We hope that by reading this article you’ll be able to avoid the most common crypto scams, both old and new.
It’s easy to believe that all crypto scams are elaborate or technically sophisticated operations like rug pulls or Ponzi schemes - but that’s just not what happens in the vast majority of cases.
The truth is that many users fall for scams that take very little effort to implement, and that exploit common human blindspots: distraction, unfamiliarity, or simple lapses in judgment.
Most of these crypto scams take place as a form of social engineering where the victim gives the attacker access to their private keys or signs a malicious transaction, unwittingly.
social engineering (noun)
1. management of human beings in accordance with their place and function in society : applied social science
2. social methods (such as phishing) that are used to obtain personal or confidential information which can then be used illicitly
“social engineering.” Mirriam-Webster. 2022.
In practice, these “social methods” prey upon certain patterns of interaction that might seem innocuous at first sight. Anybody who is distracted while using an application interface — or unfamiliar with web3 good practices — may easily take these as legitimate and fall for the trap.
Here are some examples of classic scams that are also widespread across web3.
One of the most common scams in crypto (and finance in general) is phishing, whereby a malicious party tries to trick you into giving away your private keys by masquerading as a legitimate website or service.
Don't take the bait, dear crypto fish
For example, you might receive an email that looks like it’s coming from your crypto exchange asking you to click on a link and enter your login credentials. But upon closer inspection, you might notice that the URL of the sender’s email address (the part that comes after the “@” symbol) is slightly different from the official domain of that service.
To prevent this from happening to you, always confirm that you're accessing any crypto tool — not just exchanges — from the correct URL. The best practice is to bookmark official links and always go through your bookmarked link when accessing them, and avoid clicking any links that have typos or variations of a known website’s name.
Everybody loves a good giveaway, most of all scammers. And thus, hoax giveaways are very popular type of scam in crypto as much as elsewhere.
These usually take the form of social media posts promising to give away free crypto if you send a small amount of crypto to a specific address.
Of course, there is no such thing as a free lunch, and these giveaway scams are simply trying to steal your crypto. So if you see a crypto giveaway that looks too good to be true, it probably is.
Be especially wary of crypto giveaways that are promoted by celebrities or public figures, as these are often used to add legitimacy to the scam. If you take a minute to look closely into the account you’ll find out that it’s an impersonator.
Report these impersonators on social media platforms and do everybody a favor.
This is a replay of the age-old “naïve money” skit.
Some fake account on social media (often sporting an attractive profile picture) messages you and ask for help to purportedly “recover” some funds they have in their wallets.
There usually is enough tokens to draw some attention. They then proceed to offer you their seed words - that is, full control over the account.
The catch is, there’s not enough base currency to pay for a transaction to move the funds to another account. For example, the honeypot account may have $800 USDC but no ETH.
Alas, when a good samaritan (or opportunist) tries to send in enough money to pay for the transaction fee to transfer said funds, their money is gone faster than you can say “scam!”
Behind the act, malicious actors monitor these honeypot accounts and, as soon as any amount of ETH (or other base currency if not in Ethereum) comes in, it’s instantly drained by a bot that was lurking - and it's gone faster than the eye can see.
Lesson: humans can be awful. Watch out if someone asks for your help - especially if it requires sending money to an account that anyone can access.
And if you instead see these requests as an opportunity to score some free coins from a naïve stranger, you’ll get what’s coming to you. Santa’s got you in his naughty list.
Malicious wallets or dApps
Scammers will also try to get you to install a malicious crypto wallet or use a malicious dApp.
In the case of wallets, they will often look identical to legitimate ones. The problem is that they’ve been specifically designed to steal your private keys and take control of your funds.
DApps, in particular, work by asking the user to sign a harmful transaction. This transaction is then handled by a smart contract that’s been programmed to take advantage of the user’s wallet in some way.
You can check out some technical examples on how these smart contract attacks work on Ethereum, courtesy of Consensys.
Just like phishing scams, it’s important to be extra careful when downloading any crypto wallet and to only do so from official websites. Likewise, be sure to do proper research before using a dApp. You can even go as far as doing test transactions from a dummy wallet.
On the rise: fake customer support
The above are all the bread and butter of scammers. However, at Ramp, we've detected that there’s another kind of scam on the rise.
Some cases of this have been reported by our own customer service representatives and partners, and the trend seems to be increasing.
Fake customer support
There are two main flavors of this scam, but the gist of it is usually the same: an impersonator tries to get you to share your personal and financial details so they can steal from you.
By far and large, crypto communities revolve around instant messengers (like Telegram and Discord) or social media (especially Twitter). In many cases, a company representative moderates the community or has otherwise an active presence in responding to customer questions.
The most common approach is that impersonators copy the official company member's details and profile picture, create a very similar username (usually with an extra letter or slight typo), and approach unsuspecting victims offering help with a question a user has, or with some bogus fake issue they make up.
They then proceed to ask for passwords, seed words, or even for the user to share their screen to solve the purported problem.
Or, in a more recent variation of this, a user is led to believe that they are on the phone with a customer support representative from a reputable company, say Amazon or Facebook. The scammer then asks the user to share their screen, download a crypto app, buy crypto and then send it out.
No legitimate company representative would ever require you to do something like that, particularly when sharing your screen - so don't comply.
DO NOT SHARE YOUR SCREEN WHEN HANDLING FUNDS, EVER! (Sorry for the caps, but we need to seriously get your attention this time!)
We're doing our best to educate users and raise awareness of these scams. Some of our partners have even implemented restrictions on screen-sharing apps to help prevent or at least hinder these scams.
However, education might be the best solution here. These scams are particularly targeted at people who are new to web3 and are in their early on-ramping journeys.
We want to disclose this new tactic and how it works so you're up to speed and don't fall prey to any of these scams.
Staying safe: general rules
There are general rules that apply to almost any interaction you have with crypto and web3 that’ll keep you safe. Most experienced web3 users already know these, but they beg repeating:
- Never share your private keys with anyone
- Never share your mnemonic seed words/phrase with anyone
- Read UIs carefully and look for suspicious details
- Do your own research (DYOR) and check every wallet, dApp, and protocol before trusting it with your money
- Double-check addresses and recipients
- Use block explorers
- Bookmark trustworthy sites
- Check on dApps connected to your wallet
- There’s no free lunch! If something looks too good to be true, it is.
If you’d like to count on an easy and safe way to purchase crypto and enter web3, we’re here for you. We’re open and transparent, and our security has never been breached.
Ready to join the crypto revolution?