A Sensational Win: Mutant Ape NFT! (Phishing Scam Explored)

8uVB...zE69
27 Nov 2023

We have won a Mutant Ape Yacht Club (MAYC) NFT!
The 'good' news arrived in an e-mail we received from "OpenSea" <usmo2024@hotmail.com>.


MAYC NFTs sell for approx. 5.5 ETH on OpenSea, so it is clear that we have hit the jackpot. How lucky we are... Let's claim our MAYC NFT straight away.
We recorded the process, which you can watch in this 1-minute video.


Of Course, It Was A Scam

This phishing scam is not sophisticated and is easy to spot as a malicious attack.
However, it is worth reviewing the data we acquired from the email and learning as much as possible from it.
These are the SIX RED FLAGS that anyone with a medium level of crypto and digital safety knowledge should be able to identify:

1st Red Flag: If it is too good to be true... probably it is not true
Scammers use greed as an amygdala hijack mechanism.

In this case, they tempt us with an excellent offer, a very valuable NFT for free.
This scammer could have added a second amygdala hijack technique, scarcity. But it seems that, luckily for us, this scam was put together by someone with minimal scamming experience... or a lazy one.
In any case, statistically, if enough emails are sent, eventually someone will fall for it.

2nd Red Flag: The email was sent from a Hotmail account. OpenSea, or any other reputable website, would never use a generic email account.
It seems that the scammer does not have the means or the cash to register a custom domain so that the sender address looks more trustworthy.
For us, such an email from a generic account should be an obvious sign that this is a scam.


3rd Red Flag: By hovering over the 'Claim Now' button, we can see that the link leads to a TinyURL page.
TinyURL is a legitimate business whose service is often used as a tracking mechanism by marketing companies. But it can also be used by scammers to hide the real destination of a link.
We have grayed out part of the URL to protect our identities, but the URL looked similar to the following:
- tinyurl.com/yahy7uj0
Once again, OpenSea or any other reputable website would not use a TinyURL link to contact their subscribers.
If you spot a TinyURL link in any communication, look for additional red flags that may indicate malicious use of this otherwise helpful and valuable tool.
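The 2nd and 3rd red flags (a brand name in the display name but a free-mail sender domain, and a link that goes through a URL shortener) are mechanical enough to check automatically. The script below is an added example, not code from the original post; the sample message is constructed to mimic the email described above, and the provider, shortener and brand-domain lists are small illustrative sets, not complete ones.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the email in the post: display name "OpenSea",
# a Hotmail sender, and a TinyURL link behind a "Claim Now" button.
SAMPLE_EMAIL = """\
From: OpenSea <usmo2024@hotmail.com>
Subject: Congratulations! You won a Mutant Ape NFT
Content-Type: text/html

<p>You have won a Mutant Ape Yacht Club NFT!</p>
<a href="https://tinyurl.com/yahy7uj0">Claim Now</a>
"""

# Public mailbox providers a marketplace would not send official mail from (illustrative list).
FREEMAIL_DOMAINS = {"hotmail.com", "gmail.com", "outlook.com", "yahoo.com"}
# URL shorteners that hide the real destination from the reader (illustrative list).
SHORTENER_DOMAINS = {"tinyurl.com", "bit.ly", "t.co", "is.gd"}
# Brand names that may appear in a display name, and the domains that belong to them.
BRAND_DOMAINS = {"opensea": {"opensea.io"}}

# Captures the host part of every http(s) link in the body.
URL_RE = re.compile(r"https?://([^/\s\"'>]+)", re.IGNORECASE)


def red_flags(raw_email):
    """Return a list of human-readable red flags found in a raw RFC 822 message."""
    msg = message_from_string(raw_email)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower()
    flags = []
    # Red flag 2: official mail does not come from a free mailbox provider.
    if sender_domain in FREEMAIL_DOMAINS:
        flags.append("sender uses a free mailbox provider: " + sender_domain)
    # Red flag 2 (variant): the display name claims a brand the domain does not belong to.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display_name.lower() and sender_domain not in domains:
            flags.append("display name claims %s but sender domain is %s" % (brand, sender_domain))
    # Red flag 3: links routed through a URL shortener hide their destination.
    body = msg.get_payload()
    for host in URL_RE.findall(body):
        if host.lower() in SHORTENER_DOMAINS:
            flags.append("link goes through a URL shortener: " + host)
    return flags


if __name__ == "__main__":
    for flag in red_flags(SAMPLE_EMAIL):
        print("RED FLAG:", flag)
```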


4th Red Flag: 'Flashing' or short-duration web pages may indicate suspicious or dangerous activity.
Once we click the 'Claim Now' button, the TinyURL link directs us to the web page shown below.
The page appears on our screen for less than a second, so it is barely noticeable, and its details cannot be appreciated unless you capture them on video, as we have done.
By clicking the phishing URL, we have already provided value to the scammer, because the scammer is alerted that the email sent to our address has been opened and an action taken (clicking the button).
The scammer has verified that the email address is in use by the victim, in this case us, and can be targeted in future phishing attempts.
Alternatively, the scammer now has evidence of the validity of the email address, which will be used when the scammer sells our address on the black market.

Note that there are other systems the scammer can use to detect that an email has been opened by the victim, such as inserting invisible tracking pixels.
If you want to learn more about tracking pixels, you may look at the article we have written about this topic: 'Find Out How Invisible Tracking Pixels Invade Your Privacy.'


5th Red Flag: A very poorly constructed phishing website.
After the brief appearance of the TinyURL page, we are directed to a very poorly designed web page.
- The web page URL has nothing to do with the OpenSea marketplace, apart from the word 'OpenSea' appearing in the URL.
- Clicking the OpenSea logo should redirect us to the OpenSea home page. But the logo is just a picture, so it is not possible to click on it.
- The 'Drops,' 'Stats,' and 'Create' words are supposed to be buttons, but they are not. It is not possible to click on them.
On this page, however, the scammer does use scarcity as an amygdala hijack: a timer says that the offer ends in less than an hour.
The scammer is trying to induce urgency, so the victim quickly proceeds to claim the NFT without taking precautions.


6th Red Flag: The transaction shows only ETH being sent to the scammer's public address, with nothing received in return.
The transaction indicates that 0.007 ETH will be taken from our wallet and sent to the scammer's wallet. Most probably, the scammer is only trying to take a small amount, in the hope that the victims will not take any action once they discover they have been scammed.
- In this case, running the transaction through Wallet Guard adds little, because MetaMask or any other reputable wallet will display the same information that Wallet Guard shows.
- But it is still an excellent precaution, because other malicious smart contracts, written by more savvy hackers or scammers, can be hard to recognize without specialized applications like Wallet Guard.
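The 6th red flag is exactly what a transaction simulation is for: compare what leaves the wallet with what the simulation says comes back. The code below is an added example, not code from the post, Wallet Guard or MetaMask; it applies the same one-sided-transfer check to two constructed simulation results (the 0.007 ETH 'claim' from the post, and a legitimate-looking mint). All addresses and the calldata are placeholders.

```python
from dataclasses import dataclass, field

WEI_PER_ETH = 10**18

# Placeholder addresses (not taken from the post or from any real collection).
MAYC_COLLECTION = "0x" + "11" * 20   # the collection we were promised an NFT from
SCAMMER_WALLET = "0x" + "dead" * 10  # an externally owned account, not a contract
MINT_CONTRACT = "0x" + "22" * 20


@dataclass
class Simulation:
    """What a wallet or Wallet Guard-style extension reports before we sign."""
    to: str
    value_wei: int
    data: str                     # hex calldata, "0x" when there is no function call
    assets_in: list = field(default_factory=list)  # assets credited to us by the simulation


def review(sim, expected_collection):
    """Return warnings for a transaction that is supposed to deliver an NFT from expected_collection."""
    warnings = []
    eth_out = sim.value_wei / WEI_PER_ETH
    # One-sided transfer: value leaves, nothing is credited back.
    if sim.value_wei > 0 and not sim.assets_in:
        warnings.append(f"{eth_out:g} ETH leaves the wallet and nothing is received in return")
    # A mint or claim is a contract call; ETH sent with empty calldata is a plain transfer.
    if sim.value_wei > 0 and sim.data.lower() in ("", "0x"):
        warnings.append("ETH is sent with empty calldata: a plain transfer to an address, not a claim")
    # The NFT we were promised must actually be credited to our wallet.
    received = {a["contract"].lower() for a in sim.assets_in if a.get("type") == "ERC721"}
    if expected_collection.lower() not in received:
        warnings.append("no NFT from the expected collection is credited to our wallet")
    return warnings


# Constructed: the 'Claim Now' transaction from the post, 0.007 ETH out, nothing in.
SCAM_CLAIM = Simulation(to=SCAMMER_WALLET, value_wei=7 * 10**15, data="0x", assets_in=[])

# Constructed: a mint that charges 0.08 ETH and credits one MAYC-collection token back.
# The calldata is a constructed mint(uint256)-style call, shown only so it is non-empty.
LEGIT_MINT = Simulation(
    to=MINT_CONTRACT, value_wei=8 * 10**16, data="0xa0712d68" + "00" * 31 + "01",
    assets_in=[{"type": "ERC721", "contract": MAYC_COLLECTION, "token_id": 1}],
)

if __name__ == "__main__":
    for name, sim in (("scam claim", SCAM_CLAIM), ("legit mint", LEGIT_MINT)):
        print(name, "->", review(sim, MAYC_COLLECTION) or ["looks consistent"])
```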



For reference, this is an example of a legitimate OpenSea transaction.
In this transaction, an NFT is sent (sold by the seller), and a defined amount of USDC is received in return (paid by the buyer).


To learn more about the Wallet Guard extension, you may want to have a look at our recent post 'Wallet Guard Extension - How To Proactively Secure Your Crypto Wallet'.


_______________________________________________________________________________________
BOTTOM LINE:
ONE RED FLAG SHOULD TRIGGER YOUR INTERNAL ALARM.
TWO RED FLAGS SHOULD TRIGGER YOUR INTERNAL 'STEER CLEAR' SAFETY MECHANISM.
SAFETY FIRST. ALWAYS.
_______________________________________________________________________________________


How Many People Fall For This Kind Of Scam?

The answer is that far too many people fall for this kind of scam.
The latest phishing statistics from AAG give us some clues about the number of people who fall victim to phishing scams:

- In 2021, the average click rate for a phishing campaign was 17.8%. Phishing campaigns that were more targeted and added phone calls had an average click rate of 53.2%, about 3 times more effective.
- The US-based IC3 received 300,497 reports from victims of phishing in 2022.
- 91% of cyber attacks begin with a phishing email to a victim.

If you are reading this article, you are knowledgeable and experienced enough that you will not fall for such a simple phishing attack.
But it is nearly certain that people around you need more awareness and can easily fall for medium or advanced phishing attacks.

Only knowledge in combination with good practices can protect us from hacks and scams:
- Knowledge: as little as a few minutes of learning per week can make a difference.
- Good practices: there are tools and precautions that, combined with knowledge, will protect us from most, if not all, cybersecurity attacks.
_____________________________________________________________________________________________
Congratulations on completing this 5-minute digital safety power-up.
We hope this 5-minute read was worth the time and that you have learned some valuable information.
Please consider subscribing to our blog for short but important articles about crypto and digital safety topics.

Crypto Safety First
