
Common NFT scams and how to avoid them

Warning: Coinbase will NEVER ask you for your Private Keys or Recovery Phrase. Do not share these with any person or site, or you could lose access to your wallet, or have your digital assets moved out of your wallet by an attacker. 

You only need your Private Keys or Recovery Phrase when you sign into your self-custody wallet for the first time on a new web browser or mobile app. You won't need to enter this information when signing in or completing transactions on any NFT marketplace.

Coinbase NFT does not have a presence on Discord currently. Beware of any threads or users claiming to work for Coinbase.

Social platforms such as Discord, Twitter and Reddit are a great place for NFT collectors and creators to come together to share new projects and discuss digital art. They are also a place where you could lose your digital assets - including NFTs - if you’re not vigilant about protecting your sensitive information. As a standard practice, legitimate projects on Discord, Twitter, or Reddit will not DM you directly, and especially not to request any personal information. You can always disable your direct messages to avoid phishing scams.

Ensure that you’re interacting with a verified NFT collector or creator. To check if you are on the official Discord server for an NFT project, visit the creator's verified Twitter page or website to confirm that the same link to their Discord server is featured there.

If the Discord server you are accessing is not highlighted on the creator's Twitter page or website, you should be cautious about using it.

Never enter your private keys or Recovery phrase on any site, or give them away, ever. You could risk losing everything in your wallet.

Discord Trust and Safety

Twitter Safety and Security

Before you buy an NFT, make sure you’re buying your NFT from a verified or reputable seller. 

Smart Contracts

Attackers can write an NFT smart contract so that it deposits the NFT to a wallet address that the platform claims to be independent, but that is actually just another address owned by the seller or an accomplice. From there, they can simply decide to keep the NFT after they receive your funds.

Tip: Look on Etherscan first to see if a smart contract associated with an NFT is verified.

Phishing is a type of fraud where a perpetrator assumes the identity of a reputable person or company in order to extract personal information from their contacts that can be used to commit identity theft or steal funds.

Email, Twitter, Discord and other communication platforms are popular places where phishing attempts occur. Perpetrators can also use fake website URLs to lure people into mistakenly submitting personal information like a password that can be used to steal funds or approve malicious DApps and smart contracts.

Always verify that you are on the correct website before entering personal information or approving connection to a smart contract or DApp. Additionally, be mindful of unsolicited messages and pay close attention to the sending wallet address. If the sender claims to be someone you know but the message seems strange, do not respond or click on any links shared. Reach out to the real person via another means to first confirm if they sent the message before proceeding further.

Posting support questions on public platforms like Twitter or Discord can often attract impersonators pretending to work for Coinbase. If you need to get in contact with us, please reach out directly through our support contact page.

Not all NFT projects are created with the intent to build a community or offer long term value. Many projects are launched as a way to quickly enrich the creators at the expense of buyers. In the beginning, creators might make big promises about the project's potential in order to lure buyers in even though they do not intend to fulfill those promises long term. 

While it is difficult to know for sure whether an NFT project is potentially a pump and dump scheme, there are a few signs you can point to:

  1. The project is announcing partnerships with major brands or influencers who have not announced these partnerships themselves. 

  2. The project creators do not provide clear timelines for when certain products will be released or do not provide regular updates on their progress (if the creator does not post updates about their project on any of their social media channels at least 3 times per week then it is potentially a red flag).  

  3. The transaction data for the project suggests that there may be signs of wash trading (this is when a creator buys and sells an NFT to themselves through different wallet addresses they own in order to manufacture a high trading volume).

  4. Promises have been made to deliver a technical product, yet there is no link to their GitHub or other codebase where you can verify that updates have been made to the codebase.

  5. While this is a gray area, extra scrutiny should be put towards projects with anonymous teams. Before buying a project's NFT, you should be able to point to at least a handful of credible individuals or organizations whose identities are known that have publicly endorsed the anonymous team.

  6. The project appears to be a clear imitation of an already popular NFT project or it seems like there was very little effort put into the project (this is very subjective, which is why before buying an NFT, it is important to first research and understand why people are interested in the project and also why some people may be hesitant. Use platforms like Twitter, Reddit and Discord to understand the social sentiment behind the project).

Airdrops are a convenient way to receive NFTs; however, they are also a convenient attack vector for scammers. In the rare case that an unknown sender attempts to send you an NFT you were not expecting to receive, it is recommended that you don’t attempt to claim the airdrop.

If you think you’ve accepted an NFT airdrop you weren’t expecting, you may want to consider moving everything that you had in your self-custody wallet pre-airdrop to a different self-custody wallet, depending on the current value of the crypto assets and NFTs in that wallet. Please note that additional fees (such as transfer fees) will be charged by your wallet service provider.

The easiest way to verify whether a Discord server is the official one is to access it through the project's official Twitter page, which should show the Verified badge next to their Twitter handle.

Tip: Check the URL before you click or tap on it to make sure you’re routed to the official site. If the link looks unfamiliar, make sure it’s been published on the announcements channel so you know if it came from one of the admins.

Most credible Discord servers should also have a channel titled Official links. You can reference that channel to confirm if you are visiting the official pages of the NFT project.

Only accept airdrops from verified profiles:

  • With blue checkmarks next to the profile name.

  • From profiles you absolutely trust.

An airdrop is the distribution of a token to multiple users' self-custody wallets, usually for free. Airdrops are seen as a marketing tactic for new projects to quickly gain user adoption by providing a large number of users with tokens as an incentive to interact with their DApp or blockchain. Airdrops are typically also distributed to users who have already interacted with a project as a way to reward them for being early adopters.

Receiving an airdrop may be beneficial to you; however, you should be cautious about the safety of the smart contracts you are interacting with when claiming an airdrop. Claiming an airdrop requires you to connect your wallet to a smart contract and sign a transaction. This process can leave your wallet exposed to hacks if the smart contract is constructed with malicious intent.

You should always check if projects offering airdrops are verified on multiple social media channels and do your own research to understand what others who have received the airdrop are saying about the project.

Auctions and bidding are not yet available on Coinbase NFT. This section is for security information purposes only.

Bidding scams occur when a potential buyer places an offer in your NFT auction in a different and less valuable currency in order to deceive you into thinking the offer is worth more than it is. 

For example, if your NFT is listed for sale at 10 ETH, you might be compelled to accept an offer of 12 ETH. 

However, if you’re not paying close attention to the currency of the offer, you may end up accepting an offer for 12 DAI or USDC instead, which is just $12 USD. Always double check the cryptocurrency of the bids you receive before accepting them.  

Note: False bidding in an attempt to defraud and mislead sellers is strictly prohibited. Read our terms of service.

Coinbase NFT strives to ensure that the NFTs sold in our social marketplace have smart contracts owned by the original creator or NFT owner. Please report any NFTs that infringe on copyrights or trademarks so that we can review your claim.

Coinbase NFT takes intellectual property infringement seriously, and repeat infringers who violate the intellectual property rights of a third party risk having their Coinbase NFT accounts terminated.

A common example of copyright infringement is when someone downloads an NFT or a copyrighted artwork or media from another creator and mints the NFT as their own. When buying an NFT, always make sure it features the same contract address as other NFTs in the collection. 

This is the easiest way to confirm that you are buying an NFT from the official collection.

To find the contract address and token ID for your NFT, visit the web page of your NFT and view the URL.

All NFT pages on Coinbase will have a similar URL format:

[website domain]/nft/[contract address]/[token ID]

To find the contract page for your NFT on Etherscan, type in the following URL and include the contract address:

https://etherscan.io/token/[contract address]

The contract page on Etherscan is where you can verify the total supply of NFTs in the collection, the current number of unique NFT holders and the transfer history of NFTs in the collection.
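The check described above can be scripted. The following is an added example, not Coinbase code: it splits an NFT page URL in the format shown, compares the contract address with the collection's known address, and builds the Etherscan link. The domain nft.example, the addresses and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlparse

ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}")   # a 20-byte contract address
TOKEN_ID_RE = re.compile(r"[0-9]+")

def parse_nft_url(url):
    """Return (contract_address, token_id) from <domain>/nft/<contract>/<token ID>."""
    parts = [p for p in urlparse(url).path.split("/") if p]
    if len(parts) != 3 or parts[0] != "nft":
        raise ValueError("path is not /nft/<contract address>/<token ID>")
    contract, token_id = parts[1], parts[2]
    if not ADDRESS_RE.fullmatch(contract):
        raise ValueError("contract address is not 0x followed by 40 hex characters")
    if not TOKEN_ID_RE.fullmatch(token_id):
        raise ValueError("token ID is not a decimal number")
    return contract, int(token_id)

def check_listing(url, official_contract):
    """Compare a listing's contract with the collection's known contract address."""
    contract, token_id = parse_nft_url(url)
    return {
        "contract": contract,
        "token_id": token_id,
        # Hex addresses are case-insensitive (mixed case is only a checksum),
        # so compare lowercased. One differing character is a different contract.
        "same_collection": contract.lower() == official_contract.lower(),
        "etherscan": "https://etherscan.io/token/" + contract,
    }

# Constructed sample data: placeholder domain and made-up addresses.
OFFICIAL = "0x" + "Ab" * 20
GENUINE = "https://nft.example/nft/" + OFFICIAL.lower() + "/4021"
COPYCAT = "https://nft.example/nft/0x" + "ab" * 19 + "ac" + "/4021"

if __name__ == "__main__":
    for listing in (GENUINE, COPYCAT):
        print(check_listing(listing, OFFICIAL))
```

Take the official contract address from the creator's verified channels, not from the listing being checked.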

It is important to remember that an NFT is just a token with a unique identifier code. What gives the NFT value is the media file that it is linked to (e.g. a picture, video, document, etc.). If your NFT links to a media file that is stored on a centralized cloud server, that file could easily be erased or altered, leaving you with a token that does not link to anything of value.

Before buying an NFT, always check to see if the digital file the token is linked to is stored on a decentralized file storage service like IPFS. This ensures that the file cannot be removed or altered later by the creator because it also exists on the blockchain.
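One way to run this storage check, as an added example rather than Coinbase code: it classifies the token's metadata URI and the media links inside the metadata, which can differ from each other. The `image` field follows the common NFT metadata layout, `animation_url` is assumed as a marketplace convention, and the sample URIs and CID are constructed placeholders.

```python
from urllib.parse import urlparse

def classify_uri(uri):
    """Classify where a token or media URI points."""
    parsed = urlparse(uri.strip())
    scheme = parsed.scheme.lower()
    if scheme == "ipfs":
        return "ipfs"
    if scheme == "data":
        return "inline"            # content is embedded in the URI itself
    if scheme in ("http", "https"):
        host = (parsed.hostname or "").lower()
        segments = [s for s in parsed.path.split("/") if s]
        # IPFS content served through an HTTP gateway:
        # /ipfs/<CID>/... or <CID>.ipfs.<gateway host>
        if (len(segments) >= 2 and segments[0] == "ipfs") or ".ipfs." in host:
            return "ipfs-gateway"
        return "centralized"       # ordinary web server, file can be swapped or deleted
    return "unknown"

def audit_token(token_uri, metadata):
    """Return {field: classification} for the token URI and the media fields in its metadata."""
    report = {"tokenURI": classify_uri(token_uri)}
    for field in ("image", "animation_url"):
        if metadata.get(field):
            report[field] = classify_uri(metadata[field])
    return report

def mutable_fields(report):
    """Fields whose content sits on storage the page warns about."""
    return sorted(f for f, kind in report.items() if kind in ("centralized", "unknown"))

# Constructed sample: metadata is on IPFS, but the image it names is on a web server.
SAMPLE_TOKEN_URI = "ipfs://bafyEXAMPLEcid/7.json"
SAMPLE_METADATA = {"name": "Sample #7", "image": "https://cdn.example/art/7.png"}

if __name__ == "__main__":
    report = audit_token(SAMPLE_TOKEN_URI, SAMPLE_METADATA)
    print(report, "-> review:", mutable_fields(report))
```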

While you should be cautious of clicking all suspicious links or connecting your wallet to unfamiliar platforms, the most common type of NFT scam occurs with links or platforms that advertise the ability to mint a new NFT.

The allure of being one of the first users to own a potentially high value NFT leads many to ignore potential red flags. 

If a ‘hyped’ project is about to launch an NFT, scammers will often impersonate verified project accounts and create fake minting contracts around the same time to confuse users into connecting their wallets to a malicious contract that steals their funds. 

These impersonations can take the form of fake Twitter accounts, fake admins on Discord or even fake websites. 

There are two ways to avoid this type of scam:

  1. Make sure you are clicking on the official links or connecting your wallet to the official website of the NFT project. If the same links cannot be found on the project's verified Twitter page, you should be cautious about using them.

  2. Be cautious of what permissions you grant any NFT smart contract you connect your wallet to. 

Certain types of wallet transactions require granting a smart contract permission to access your funds in order to allow you to deposit, swap, or transfer as many tokens as you specify (this may be necessary when minting an NFT that requires you to pay the creator a fee in order to mint). 

An NFT contract will sometimes want you to grant permission to access and spend an unlimited amount of tokens in your wallet, as opposed to the amount specified for a particular transaction (this is not always done for malicious reasons but instead to remove the need for users to continuously approve every transaction). 

If these permissions are not revoked after a transaction is complete, your funds could be put at risk if the contract is ever exploited by a hacker, or if the team behind the contract are bad actors intent on stealing your funds.

To revoke unlimited token approvals, you can visit revoke.cash, connect your wallet, review each of the tokens listed on the page to see if any have granted permissions to spend unlimited tokens, then select ‘revoke’ to revoke permissions. Revoking permissions will cost a gas fee. You can also revoke token approvals on Etherscan. Please note that Coinbase is not affiliated with, and does not endorse these 3rd party dapps.
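To see what such a permission looks like before you sign it, the added example below (not Coinbase or revoke.cash code) decodes the transaction data of the two standard approval calls, ERC-20 `approve` and the NFT `setApprovalForAll`, and reports whether the grant is unlimited. The page does not name these calls; the spender address, fee amount and function names are constructed for illustration.

```python
APPROVE = bytes.fromhex("095ea7b3")               # approve(address,uint256), ERC-20
SET_APPROVAL_FOR_ALL = bytes.fromhex("a22cb465")  # setApprovalForAll(address,bool), ERC-721/1155
MAX_UINT256 = 2**256 - 1                          # the amount used for an "unlimited" approval

def encode_call(selector, address, value):
    """Build calldata for a two-argument call (used here only to make sample input)."""
    body = bytes(12) + bytes.fromhex(address[2:]) + value.to_bytes(32, "big")
    return "0x" + (selector + body).hex()

def review_approval(calldata_hex, intended_amount=None):
    """Decode approval calldata and say how much access it hands to the spender."""
    raw = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(raw)
    # 4-byte selector + two 32-byte words; an address word has 12 leading zero bytes.
    if len(data) != 68 or data[4:16] != bytes(12):
        return {"kind": "not-an-approval"}
    selector, spender = data[:4], "0x" + data[16:36].hex()
    value = int.from_bytes(data[36:68], "big")
    if selector == APPROVE:
        if value == 0:
            verdict = "revoke"                    # allowance set back to zero
        elif value == MAX_UINT256:
            verdict = "unlimited"
        elif intended_amount is not None and value > intended_amount:
            verdict = "more-than-needed"
        else:
            verdict = "bounded"
        return {"kind": "erc20-approve", "spender": spender,
                "amount": value, "verdict": verdict}
    if selector == SET_APPROVAL_FOR_ALL:
        # Operator approval covers every NFT of that collection held by the wallet.
        verdict = "all-tokens" if value else "revoke"
        return {"kind": "nft-operator", "spender": spender, "verdict": verdict}
    return {"kind": "not-an-approval"}

# Constructed sample input: made-up spender, mint fee of 50 units of a 6-decimal token.
SPENDER = "0x" + "11" * 20
MINT_FEE = 50 * 10**6
UNLIMITED = encode_call(APPROVE, SPENDER, MAX_UINT256)
EXACT = encode_call(APPROVE, SPENDER, MINT_FEE)

if __name__ == "__main__":
    for tx in (UNLIMITED, EXACT):
        print(review_approval(tx, intended_amount=MINT_FEE))
```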

Note: Coinbase is not responsible for any lost funds when interacting with dapps.

Your public key is a publicly visible address that anyone can send cryptocurrencies or NFTs to. Oftentimes, creators will promote their NFT project by sending NFTs for free to random wallets (similar to an airdrop). 

Though receiving a free NFT may sound like a great deal, we encourage you to exercise caution about the safety of the smart contracts you are interacting with when claiming an unsolicited NFT. 

Like airdrops, free NFT drops can also be a way for hackers to steal your funds by creating malicious smart contracts that you have to connect your wallet to in order to claim the NFT. It is advised that you ignore any NFT that is transferred to your wallet without your permission.

If you want to claim the NFT, first check if the team offering the NFT has been verified on multiple social media channels and do your own research to understand what others who have received the free NFT are saying about the project.
