How to do your due diligence when connecting your wallet to new platforms
Staking platforms, NFT mints and websites alike are prone to scammers who can take control of your wallet and empty it of all of your coins.
It is therefore most important to do your due diligence to ensure that these websites are legitimate, so that your capital is not at risk.
When you enter a site and unlock your web3 wallet, you give that site access to your wallet address. This provides information on every transaction you have done, including the amount and date/time. This is due to the transparency of blockchain, and it is a pretty well-known trait of using blockchain tech. A key thing to know here is that if your wallet is unlocked and you change to a different network, on MetaMask for example, the website now has access to that wallet too.
Now, as an attacker, I can view your addresses, see your most recent transactions and launch a specifically targeted campaign to trick you or control your assets vicariously.
This can be done in a number of ways, and attackers will continue to get more creative to trick you, so we urge you to be careful at all times. A first example: after you complete a transaction, an attacker can send a fake notification to your tab saying that your transaction failed and asking you to try again, but this time with the recipient replaced by the attacker’s address.
Another example is asking you to sign for transactions that you haven’t made, or for incoming transactions. You do not need to sign for incoming transactions, but these requests are often easily overlooked in any scenario.
How do I stop this?
Some good steps to stop these attackers from being successful are:
1. Check the wallet address you are transacting with several times before completing the transaction. Make a point of writing down or memorising the first four and last four digits of the address to ensure it is going to the correct person. Another way of effectively doing the same thing is sending a test transaction. Sending $5 as a test may seem tedious, but it serves as $5 insurance against a possible attack, which is quite cheap insurance.
2. For different platforms, check the domain to confirm that the website is legitimate and not a clone planning a malicious attack. Check the domain for any extra .gift, .io, .xyz endings that look suspicious, and confirm that you are getting the URL directly from the website’s verified platforms.
3. Lastly, check the permissions the website is asking for when you are asked to sign for something. Make sure that the permissions are typical of the platform you are trying to connect to. Normally, a platform will ask for this:
4. If you are talking to a member of the team, verify they are authentic! Most scammers will try to lure you in by starting a conversation. This isn’t typical of an established platform, which will not contact you first. For example, at vEmpire we will never DM anyone first, but if we are helping a member of our community, they can verify our position at vEmpire by looking at the starred badge next to our name on Telegram (see below). On our other platforms, like Twitter, we are verified to show you we are authentic, and when you are speaking to a specific individual on the vEmpire team you can verify their socials on our website. Social cloning is probably the most common and easy technique used by scammers, so it is important to follow these steps to avoid an attack.
A little tip: connect a ‘dummy’ wallet to the site before transacting as normal. You can create a new wallet on your browser extension (Phantom, MetaMask, etc.) and connect that as a test to see what kind of things the website does before using your real one.
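The domain check in step 2 can be scripted against a list of hostnames copied from the platform's verified channels. The JavaScript below is an added example, not code from the original article or from vEmpire; the hostnames and the `checkSite` and `brandLabel` helpers are hypothetical placeholders.

```javascript
// Constructed placeholder hostnames; replace with the ones published on the
// platform's verified channels.
const OFFICIAL_HOSTS = new Set(["example-platform.com", "app.example-platform.com"]);

// Label just left of the final ending, e.g. "example-platform" in
// "app.example-platform.com". Simplification: the last label is treated as the
// ending, so multi-part endings such as "co.uk" are not handled.
function brandLabel(host) {
  const labels = host.split(".");
  return labels.length >= 2 ? labels[labels.length - 2] : host;
}

// Classify a URL before connecting a wallet: "ok", "reject" or "unknown".
function checkSite(rawUrl, officialHosts = OFFICIAL_HOSTS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { verdict: "reject", reason: "not a valid URL" };
  }
  if (url.protocol !== "https:") {
    return { verdict: "reject", reason: "not HTTPS" };
  }
  // "https://official.com@other.host/" really points at other.host.
  if (url.username || url.password) {
    return { verdict: "reject", reason: "text before @ hides the real host" };
  }
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  if (officialHosts.has(host)) {
    return { verdict: "ok", reason: "exact match with an official host" };
  }
  const brands = new Set([...officialHosts].map(brandLabel));
  if (brands.has(brandLabel(host))) {
    return { verdict: "reject", reason: "official name under a different ending" };
  }
  for (const brand of brands) {
    if (host.includes(brand)) {
      return { verdict: "reject", reason: "official name embedded in another domain" };
    }
  }
  return { verdict: "unknown", reason: "not on the official list" };
}

console.log(checkSite("https://example-platform.gift/claim"));
```

An "unknown" verdict is not a pass: it means the URL still has to be confirmed through the platform's verified channels.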
Thanks for reading!