Metamask 101: Protect your users and community from common crypto scams.

by
Joshua Yap
March 15, 2023

Scams are everywhere on the Internet, but they are especially prevalent in the cryptocurrency ecosystem on EVM chains such as Ethereum, Binance Smart Chain (BNB), Polygon and others, because there are few rules about how business is done online. The decentralised nature of blockchain technology makes it easy for scammers to operate under the radar until someone falls victim. In this article, I'll discuss some ways you can help your users avoid falling victim, and protect yourself and your community against these common scams, so people don't get burned when using MetaMask.

Here's how scammers can target you and your customers.

1) Fake websites pretending to be MetaMask

There are lots of sites out there claiming to be from MetaMask that are actually trying to steal your coins. Some of them even appear legitimate, making the scam harder to spot; even the Google ad system has been used by scammers. Here are some signs that a site may be fake:

  • Improperly spelled words (e.g., 'MetaMask' vs. 'meta mask')
  • Unusual formatting (e.g., strange spacing between lines)
  • Poor grammar and spelling errors
  • Links that lead nowhere
  • Incorrect URLs
  • Sites that require you to download software before accessing content
  • Links or representatives asking for your wallet's seed phrases

These kinds of sites often ask you to click on links, approve transactions from your MetaMask, or hand over your wallet seed phrase. A less common method is a browser plugin offered as a "tool". Such plugins are usually malicious (keyloggers in disguise), and installing them can give attackers control over your computer without your knowledge. Remember, the MetaMask wallet doesn't need any third-party add-on to run, every smart contract transaction requires your manual approval, and the wallet runs inside your own web browser (e.g., Google Chrome, Brave or Firefox).

2) Websites asking for personal information or private information

When browsing the internet, never enter your login credentials into a website or browser extension unless you've verified, via the project's official social media account, that it is genuine and secure. Personal data and digital assets aren't always stolen through hacking, either. Sometimes attackers send phishing emails to thousands of random addresses, hoping to find one person who responds and gives away their crypto details.

If you receive an email from a company that asks for sensitive information, verify its legitimacy first. MetaMask will never request nor retrieve your data via email, so if you ever get a message like this, ignore it immediately and do not interact with the smart contract or send any transaction.

Also remember that you shouldn't share any personal information on public networks. Hackers can easily intercept traffic sent over insecure or hacked connections, meaning they could potentially read everything you type. Even though MetaMask encrypts all communication with HTTPS, avoid logging in to accounts or sending messages while connected to unsecured Wi-Fi hotspots.

It is also essential to back up your Secret Recovery Phrase and store copies offsite in case anything happens to your device or your Ethereum wallet funds. We recommend storing backups offline by writing your seed phrase on paper and keeping it away from anyone else. For more tips on how to stay safe, take a look at our security page.

MetaMask does not hold any of your personal or private data on our servers. So, if you lose your MetaMask password or accounts and need to restore MetaMask, you can only do so with your Secret Recovery Phrase. That way, nobody but you is able to recover your wallet address and funds.

Only you can restore access to your MetaMask wallet; not even MetaMask can provide support if you lose your seed phrase. It is therefore very important to keep a copy of your Secret Recovery Phrase somewhere safe (not within your browser extension). Please note that a lost backup cannot be regenerated from anything else: once you delete the backup, it is gone forever.

A physical handwritten copy of the seed phrase is the most secure option; it protects you from losing your seed phrase to hardware failures and cyberattacks alike. You can always restore a hardware wallet's crypto holdings, even if you lose your existing Ledger, as long as you have access to your seed phrase. Take note: account recovery is impossible without the original seed phrase, so it is extremely important to store it safely. Your wallet seed phrase must remain completely confidential.

3) App permissions

Many dApps (decentralised applications), such as DeFi (decentralised finance) protocols or NFT marketplaces, ask users for permission to let a smart contract interact with their address. Sometimes those requests seem harmless, but they can expose your crypto wallet to being drained.

The general rule is never to connect to or approve smart contracts on the Ethereum blockchain (or on any other chain, EVM or non-EVM) if you are unsure who owns and secures the dApp. Users should be aware that every time they interact with a dApp, they risk exposing themselves to potential attacks.

Be mindful of what you're agreeing to whenever you grant permission to an app, especially if it is downloaded from outside the official app stores. When possible, stick with reputable developers, and make sure you understand why each app needs certain privileges. Your crypto transactions may become vulnerable to hacks if you don't follow the best practices.

For example, some token sales let investors purchase a new coin using tokens they already hold (ETH, BNB, SOL). In these cases, you'll likely encounter a few apps requesting permission to spend tokens on your behalf. Don't hesitate to review the list of permissions requested by these apps and deny them if necessary.
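As an added example that is not part of the original post: the "permission" a dApp typically asks for on an EVM chain is an ERC-20 approve(spender, amount) transaction, and MetaMask shows its raw calldata before you confirm. The JavaScript below decodes that calldata and flags the two things worth a second look, an unlimited allowance and a spender contract you do not recognise; the addresses and the allowlist are constructed placeholders.

```javascript
// Added example (not MetaMask's or the author's code): decode the calldata of an
// ERC-20 approve(spender, amount) request and flag allowances to review before
// clicking Confirm. 0x095ea7b3 is the 4-byte selector of approve(address,uint256).
const APPROVE_SELECTOR = "095ea7b3";
const MAX_UINT256 = (1n << 256n) - 1n; // the "unlimited" allowance many dApps request

// Build the calldata a dApp would submit (used here only to construct samples).
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  const amt = amount.toString(16).padStart(64, "0");
  return "0x" + APPROVE_SELECTOR + addr + amt;
}

// Returns { spender, amount } or null when the calldata is not a plain approve().
function parseApproveCalldata(hexData) {
  const data = hexData.toLowerCase().replace(/^0x/, "");
  // selector (4 bytes) + two 32-byte ABI words = 68 bytes = 136 hex characters
  if (data.length !== 136 || data.slice(0, 8) !== APPROVE_SELECTOR) return null;
  const spender = "0x" + data.slice(32, 72); // low 20 bytes of the padded word
  const amount = BigInt("0x" + data.slice(72, 136));
  return { spender, amount };
}

// Review an approval against the user's own allowlist of known spender contracts.
// decimals: the token's decimals, so the amount can be reported in whole tokens.
function reviewApproval(hexData, trustedSpenders, decimals = 18) {
  const parsed = parseApproveCalldata(hexData);
  if (!parsed) return { verdict: "not-an-approve", reasons: [] };
  const reasons = [];
  const unlimited = parsed.amount === MAX_UINT256;
  if (unlimited) reasons.push("unlimited allowance");
  const trusted = trustedSpenders.map((a) => a.toLowerCase());
  if (!trusted.includes(parsed.spender)) reasons.push("spender not on allowlist");
  const wholeTokens = unlimited ? "unlimited" : (parsed.amount / 10n ** BigInt(decimals)).toString();
  return { verdict: reasons.length ? "review" : "ok", spender: parsed.spender, amount: parsed.amount, wholeTokens, reasons };
}

// Constructed sample inputs (placeholder addresses, not real contracts).
const KNOWN_DEX_ROUTER = "0x1111111111111111111111111111111111111111";
const UNKNOWN_SPENDER = "0x2222222222222222222222222222222222222222";
const LIMITED_APPROVE = encodeApprove(KNOWN_DEX_ROUTER, 1000n * 10n ** 18n); // 1000 tokens
const UNLIMITED_APPROVE = encodeApprove(UNKNOWN_SPENDER, MAX_UINT256);

console.log(reviewApproval(LIMITED_APPROVE, [KNOWN_DEX_ROUTER]).verdict);   // ok
console.log(reviewApproval(UNLIMITED_APPROVE, [KNOWN_DEX_ROUTER]).reasons); // both reasons
```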

4) Email Scams (Attention MetaMask Users)

MetaMask has no affiliation with any email service provider, including Gmail, Yahoo, Outlook, Hotmail and iCloud. Any such email is a standard phishing scam that uses the MetaMask name to lure victims into handing over their credentials.

As previously stated, MetaMask does not gather personally identifying information about you and does not send emails. However, there are other forms of email fraud that use the MetaMask name.

The primary goal of phishing attacks is to trick you into approving harmful transactions through your MetaMask. To gain access to your money, the attacker may ask for your MetaMask recovery phrase or private key in addition to your email address and password.

Phishers may also act as MetaMask customer service agents in order to persuade you that your account has been hijacked and request further personal information. Do not respond to these emails, and never click on any links contained inside the body of the message, nor reveal any confidential information. Some might provide a plausible scenario and request a single piece of information, such as a confirmation code, or sell you cryptocurrency at a "cheaper" price. They'll have enough information to hijack your account after you've interacted with the email.

Remember that your MetaMask private key, recovery phrase and any other sensitive data should be known only to you. Never respond to emails asking for this type of information. Crypto users have recently lost thousands of dollars as a result of phishing scams. When interacting with unknown parties, please be careful and watchful.

5) Airdrop Scams

A stranger approaches you in the street and offers you free money. What do you think? Most likely, you'd raise a red flag and be skeptical, and rightly so. But that same tactic is increasingly being used to swindle unsuspecting individuals out of their cryptocurrency.

Airdrops are giveaways of coins to new investors. To participate in one, you need to sign up for the giveaway in advance, usually by providing your email address and other personal information. Then you wait for the company to distribute the token(s), typically through a distribution event. At that time, you can claim your portion of the coin pool.

However, some companies use a similar technique to acquire large numbers of email addresses without actually releasing the cryptocurrency. Instead, they promise that the recipient will receive a gift card or other item upon signing up. In exchange, the user provides his or her contact details, which the company can then sell to spammers.

In fact, many airdrop scammers offer "free" items in return for your email address. Of course, these gifts aren't really free—you're paying with your personal information and possibly even your money. Worse still, the "gift" could be a virus, malware, or another form of fraud.

While it's true that you can get lucky and win a prize from an airdrop, it is extremely unlikely. Many legitimate airdrops take place over long periods of time, so it takes a while for everyone who signed up to receive anything at all. Even when prizes are distributed quickly, they rarely go to random participants. Most winners are chosen based on how much attention they paid to the terms of participation.

So why would anyone bother running an airdrop scam? Because it works: it makes you give away valuable information in exchange for the hope of winning a small reward. The promise of getting something for nothing makes it very easy to part with your info, especially since you probably won't notice if the promised gift never arrives. That means the scammer gets your information, which they can either use to steal from you directly or resell for profit.

Thus, the best way to avoid becoming a victim of an airdrop scam is simply not to enter contests promising rewards in exchange for your personal information. If you absolutely must join, only provide the bare minimum of information necessary to qualify for the contest. Don't share your email address or phone number unless you trust the site entirely. And remember that once someone has your information, it can always be sold again down the line.

MetaMask was designed with user safety in mind, so it protects against many of the attacks described above. It uses end-to-end encryption, so nobody can snoop on your connection to MetaMask. And because it runs entirely inside your browser, it won't collect any sensitive data.

Yet despite MetaMask's protections, there are still plenty of ways people can fall victim to phishing schemes. The best defence is awareness, as we have seen with the recent attack on Coinbase.

Some tips for staying away from bad actors.

In order to prevent this kind of theft, here are three simple steps you should follow every time you use MetaMask:

1) Always refer to the official MetaMask documentation.

As mentioned earlier, MetaMask is open source and is maintained by a dedicated team. Our documentation has been written to ensure everyone understands exactly how MetaMask works and what it can offer. If you want to know something about MetaMask, chances are good that the answer exists somewhere in our docs.

This should be your go-to resource for questions about MetaMask itself, including installation instructions, getting started guides, troubleshooting advice, and more.

Our support forums are another great place to get answers to technical issues. There you'll find discussions related to MetaMask and helpful members of the community eager to lend a hand.

Please do not hesitate to reach out to us directly if you require additional assistance!

2) Never give out your secret recovery phrase

Your Secret Recovery Phrase is used to regain access to your account in the event that your device is lost, stolen, or otherwise compromised. This means anyone who gets their hands on this key could steal your coins without needing to hack into your computer. Since MetaMask never collects any information, hackers cannot gain access through brute force attacks; instead, they must trick you into revealing your Secret Recovery Phrase.

It is your responsibility to safeguard your private key, and therefore your identity, from prying eyes. Make sure you don't leave it lying around on sticky notes next to your monitor or scribbled down on paper under your keyboard; you may think nothing of leaving these things behind, but remember that others will see them too.

In addition, be wary of emails claiming to come from MetaMask requesting verification of your Secret Recovery Phrase. These messages often contain links that lead to fake websites asking for your login credentials. Don't click on suspicious URLs—they're likely part of a phishing scheme.

Be mindful of what you agree to when installing new software, as well. Some apps request access to your contacts, camera roll, or even your microphone. While sometimes this isn't necessarily nefarious, it can allow attackers to gather information about you that they may then leverage for malicious purposes later on.

Scammers and malware authors are constantly looking for ways to take advantage of unsuspecting users. That's why it pays to be cautious and always keep yourself informed.

3) Consider using a physical hardware wallet

If you are a project builder looking for a design solution for your upcoming product, check out our core UX design agency services or our Blockchain Development Agency page.
