In the world of cryptocurrency, decentralized finance (DeFi) and Web3 have made airdrops a common occurrence. Although airdrops may sound like free money, there is a growing trend of airdrop phishing scams that steal people’s funds when they try to obtain the so-called “free” crypto assets. Here are two ways that attackers can use airdrop scams to steal money and how you can protect yourself.
Airdrops Do Not Always Mean ‘Free Crypto.’ Many Airdrop Giveaway Promotions Are Looking To Rob You
Airdrops have become synonymous with free crypto funds, so much so that a growing crypto scam known as airdrop phishing is now common. You’ve likely seen spam messages advertising various airdrops if you’re a member of the crypto community or use social media platforms such as Twitter and Facebook.
Usually, a well-known Twitter crypto account posts a tweet, and a slew of phishers follow it with a series of airdrop phishing advertisements. There are also many accounts claiming that they have been given free money. Most people will not fall for these scams, but because airdrops are considered free crypto, many people have lost their funds by falling for them.
The first attack uses the same social media advertising strategy. A number of people or bots promote a link to the airdrop phishing scam’s web page. The website may appear legitimate and may even be a copy of a popular Web3 project, but the scammers behind it want to steal funds. The “free” airdrop on offer could be an unknown crypto token, or it could be a popular existing digital asset like BTC, ETH, SHIB, DOGE, and more.
In the first attack, the site shows that the airdrop is receivable, but says the user must use a compatible Web3 wallet to receive the funds. It then leads to a page listing all popular Web3 wallets, such as MetaMask. However, clicking on the link for a wallet produces an error that prompts the user to enter their seed phrase.
To get support, open MetaMask. Navigate to “Support” and “Get Help” from the dropdown menu. You should never trust anyone who sends you a direct message. You should NEVER give out your Secret Recovery Phrase or enter it into any website.
— MetaMask Support (@MetaMaskSupport) April 29, 2022
This is where things get shady, because a Web3 wallet will never ask for the seed or 12-24 word mnemonic phrase unless the user is actively restoring a wallet. Unsuspecting victims of airdrop phishing scams may believe the error is genuine and enter their seed into the web page. This eventually leads to the loss of all funds in the wallet.
In effect, the user gives their private keys to the attackers by entering the mnemonic into the fake Web3 wallet error page. A person should never enter their seed or 12-24 word mnemonic phrase if prompted by an unknown source, and unless there’s a need to restore a wallet, there’s really never a need to enter a seed phrase online.
Giving Shady Dapp Permissions is Not the Best Idea
The second attack is more complicated and uses code to rob the Web3 wallet owner. Like the first airdrop phishing scam, this one is promoted on social media. This time, however, when the victim visits the web portal, they are asked to “connect” their Web3 wallet to the site.
The attacker, however, has written the code so that the user gives the site full access to the wallet’s balances. Simply connecting a Web3 wallet and granting the permissions the site requests is enough for it to steal funds. This attack can be avoided by not connecting to the site, but many people have fallen for it.
Here’s the latest phishing scam
1 Airdrop a token
2 Build a website with same name so it’s easily found
3 When you find what appears to be staking for this token, the Approve txn gives unlimited spending of other tokens (ie SNX)
Then they take your token wallet. pic.twitter.com/vICIeC5rGk
— DeFi Dad defidad.eth (@DeFi_Dad) December 20, 2021
Another way to protect a wallet is to make sure that the wallet’s Web3 permissions are granted only to trusted sites. Users should delete permissions from any decentralized apps (dapps) they have accidentally connected to by falling for the “free” crypto scam. Usually, however, it is too late: once the dapp has access to funds in the wallet, the crypto is taken from the user by the malicious code.
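As an added example (not from the original article or from any wallet's own code), the sketch below decodes the ERC-20 approve(spender, amount) calldata behind the "Approve txn" described in the tweet above and flags an unlimited allowance, or an approval aimed at a token other than the one the site claims to handle, before anything is signed. The function name reviewApproval, the 2^255 "unlimited" threshold, and all addresses are assumptions made for illustration.

```javascript
// Added example: review a transaction a dapp asks the wallet to sign.
// All addresses and the sample transaction are constructed for illustration.
const APPROVE_SELECTOR = "095ea7b3"; // 4-byte selector of approve(address,uint256)
const MAX_UINT256 = (1n << 256n) - 1n;
// Assumption: any amount at or above 2^255 is treated as effectively unlimited.
const UNLIMITED_THRESHOLD = 1n << 255n;

function reviewApproval(tx, expectedToken) {
  const data = (tx.data || "").toLowerCase().replace(/^0x/, "");
  if (!data.startsWith(APPROVE_SELECTOR)) {
    return { isApprove: false, warnings: [] };
  }
  // approve() calldata is the selector (8 hex chars) plus two 32-byte ABI words.
  if (data.length !== 8 + 64 + 64 || !/^[0-9a-f]+$/.test(data)) {
    return { isApprove: true, warnings: ["malformed approve() calldata; do not sign"] };
  }
  const token = (tx.to || "").toLowerCase();        // contract whose tokens can be moved
  const spender = "0x" + data.slice(8 + 24, 8 + 64); // low 20 bytes of word 1
  const amount = BigInt("0x" + data.slice(8 + 64));  // word 2
  const warnings = [];
  if (amount >= UNLIMITED_THRESHOLD) {
    warnings.push("unlimited allowance requested");
  }
  if (expectedToken && token !== expectedToken.toLowerCase()) {
    warnings.push("approval is for a different token than the one the site claims to handle");
  }
  return { isApprove: true, token, spender, amount, warnings };
}

// Constructed sample: the site advertises staking of AIRDROP_TOKEN, but the
// transaction it presents approves unlimited spending of OTHER_TOKEN.
const AIRDROP_TOKEN = "0x" + "aa".repeat(20);
const OTHER_TOKEN = "0x" + "bb".repeat(20);
const SITE_SPENDER = "0x" + "cc".repeat(20);

function buildApproveData(spender, amount) {
  return "0x" + APPROVE_SELECTOR +
    spender.slice(2).padStart(64, "0") +
    amount.toString(16).padStart(64, "0");
}

const sampleTx = { to: OTHER_TOKEN, data: buildApproveData(SITE_SPENDER, MAX_UINT256) };
const report = reviewApproval(sampleTx, AIRDROP_TOKEN);
console.log(report.warnings);
```

A request that produces either warning is a reason to reject the transaction; allowances already granted stay in force until the wallet owner revokes them.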
The best way to guard yourself against the two attacks described above is to not enter your seed phrase online, unless you are restoring a wallet. It is also a good idea to not allow Web3 wallet access to any shady Web3 websites or dapps that you are unfamiliar with. If investors aren’t aware of current trends in airdrop phishing, these two attacks could result in significant losses.
Do you know anyone who has fallen victim to this type of phishing scam? How can you spot crypto-phishing attempts? We’d love to hear your comments.
Jamie Redman
Jamie Redman, the News Lead at Bitcoin.com News, is a Florida-based financial journalist. Redman has been an active member of the cryptocurrency community since 2011. Redman is passionate about Bitcoin, open-source codes, and decentralized applications. Since September 2015, Redman has written more than 5,000 articles for Bitcoin.com News about the disruptive protocols emerging today.
Disclaimer: This article is for informational purposes only. This article is not intended to be a solicitation or offer to buy or sell any products or services. Bitcoin.com does not provide investment, tax, legal, or accounting advice. The author and the company are not responsible for any loss or damage resulting from or in connection to the content, goods, or services discussed in this article.