Easy · 6 min read · Mar 18, 2026

How to Spot Common NFT Scams Before They Cost You

A breakdown of the most common NFT scams and the specific red flags that expose them. Know what to look for before you connect a wallet or sign a transaction.

What you'll learn
Identify phishing, rug pulls, and fake minting sites
Recognize social engineering tactics scammers reuse
Verify NFT projects before interacting with contracts
Protect wallets using practical separation strategies

This article covers the specific scam patterns that cost NFT buyers the most money: phishing sites, rug pulls, fake collections, social engineering, and malicious smart contract approvals. Each section explains how the scam works mechanically, what makes it effective, and exactly what to check before you interact.

NFT scams aren't sophisticated in concept — they're sophisticated in presentation. The underlying tricks are recycled from decades of internet fraud, adapted for a system where transactions are irreversible and wallet addresses (your unique account identifier on a blockchain) don't have customer support lines.

01

Phishing Sites and Fake Minting Pages

The most common NFT scam is also the simplest: a website that looks like a legitimate project's minting page (the site where you'd pay to create or claim an NFT) but is controlled by a thief. When you connect your wallet and approve a transaction, you're not minting anything — you're authorizing the transfer of your assets to someone else. These sites appear in Discord DMs, fake Twitter/X posts, Google ads, and even compromised legitimate project channels.

  • The URL is almost-but-not-quite right: one letter swapped, a hyphen added, or a different domain extension (.xyz instead of .com)
  • The site asks you to connect your wallet before showing any project information — legitimate mints usually explain what you're getting first
  • The transaction your wallet asks you to sign involves setApprovalForAll, a function that grants another address permission to move every NFT in a specific collection out of your wallet
  • You arrived via an unsolicited DM, an "urgent" announcement, or a link in a Discord channel that doesn't match the project's official communications
  • The site creates artificial urgency: countdown timers, "only 3 left" warnings, claims that the mint is closing in minutes

What this means practically: Before you sign any transaction, read what your wallet is actually asking you to approve. If it says "approve all" or references a contract you don't recognize, reject it.
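As an added example that is not from the original guide, here is a small Python check for the lookalike-URL red flag above: it compares a link's host against a constructed set of official hosts and reports swapped extensions, inserted hyphens, near-miss spellings, and the official domain reused as a label inside a longer hostname. `OFFICIAL_HOSTS` and `examplemint.com` are constructed placeholders, not a real project.

```python
from urllib.parse import urlparse

# Constructed placeholder: in practice this is the project's verified domain list.
OFFICIAL_HOSTS = {"examplemint.com"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance: number of single-character edits that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(url: str) -> str:
    """Lower-cased hostname of a URL; a bare domain without a scheme is accepted too."""
    host = urlparse(url if "//" in url else "https://" + url).hostname or ""
    return host.lower().rstrip(".")

def split_host(host: str) -> tuple:
    """('examplemint', 'com') for 'examplemint.com'."""
    name, _, tld = host.rpartition(".")
    return (name, tld) if name else (host, "")

def is_official(url: str) -> bool:
    """True only for an official host or a real subdomain of one."""
    host = host_of(url)
    return host in OFFICIAL_HOSTS or any(host.endswith("." + o) for o in OFFICIAL_HOSTS)

def lookalike_reasons(url: str) -> list:
    """Red flags that make url resemble an official host; empty for official or unrelated hosts."""
    if is_official(url):
        return []
    host = host_of(url)
    name, tld = split_host(host)
    reasons = []
    for official in OFFICIAL_HOSTS:
        oname, otld = split_host(official)
        if name == oname and tld != otld:
            reasons.append(f"same name as {official} but extension .{tld}")
        if "-" in name and name.replace("-", "") == oname:
            reasons.append(f"hyphen inserted into {oname}")
        if name != oname and levenshtein(name, oname) <= 2:
            reasons.append(f"{name} is within 2 edits of {oname}")
        if official in host:
            reasons.append(f"official domain {official} buried inside {host}")
    return reasons
```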

By the numbers
  • ~$100M+ lost to NFT phishing in 2022–2023
  • ~80% of NFT scams start with phishing
  • <2 min to drain a compromised wallet
  • 0 transactions reversed after signing

02

Rug Pulls

A rug pull is when a project's creators take buyers' money and disappear. The mechanics vary. Sometimes the team collects mint revenue and shuts down. Sometimes they hold a large supply of the NFT, let the price rise, then sell everything at once — crashing the price. The term covers any scenario where the people behind a project intentionally extract value and abandon it.

  • Anonymous teams with no verifiable history and no accountability structure
  • Roadmaps packed with ambitious promises (games, metaverse land, token launches) but no evidence of technical progress or working prototypes
  • All community discussion is hype-focused; genuine questions about the team's background or technical plans get deleted or go unanswered
  • The smart contract is not verified on a block explorer like Etherscan, making it impossible to audit what the code actually does
  • Liquidity or royalties are controlled entirely by a single wallet with no multisig (a wallet requiring multiple people to approve a transaction)

What this means practically: A rug pull is a trust failure. If you can't verify who's behind a project and what constraints exist on their access to funds, you're trusting strangers with no accountability.

03

Fake Collections and Counterfeit NFTs

Anyone can create an NFT collection and name it anything. Scammers clone popular collections — copying the art, the name, sometimes even the description — and list them on marketplaces. The NFTs look identical in thumbnail view but come from a completely different smart contract (the on-chain program that defines the collection). Buyers think they're getting a deal on a well-known project and end up holding a worthless copy.

  • The collection lacks a verification badge on the marketplace, or was created very recently
  • The contract address doesn't match the one listed on the official project's website or verified social accounts
  • The floor price is suspiciously low compared to the real collection
  • Trading history is thin or shows wash trading patterns — the same wallets buying and selling to each other

What this means practically: Always verify the contract address. Go to the project's official site, find the contract address they list, and compare it character-by-character with the listing you're about to buy from.
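An added Python example (not part of the original guide) of the character-by-character contract address check: it normalizes both addresses, rejects malformed ones, and, going slightly beyond the text, calls out the case where only the leading and trailing characters match, which is exactly what a glance at a truncated `0x1234...5678` display would miss. The addresses are constructed placeholders, not real contracts.

```python
import re
from typing import Optional

HEX_ADDRESS = re.compile(r"^0x[0-9a-f]{40}$")
INVISIBLE = "\u200b\u200c\u200d\ufeff"   # zero-width characters sometimes pasted along with an address

def normalize_address(addr: str) -> Optional[str]:
    """Lower-case 0x + 40 hex digits, or None if the value is not a well-formed address."""
    cleaned = "".join(ch for ch in addr.strip() if ch not in INVISIBLE).lower()
    return cleaned if HEX_ADDRESS.match(cleaned) else None

def verify_contract(listing_addr: str, official_addr: str) -> dict:
    """Full-string comparison of a listing's contract against the official one."""
    listing, official = normalize_address(listing_addr), normalize_address(official_addr)
    if listing is None or official is None:
        return {"match": False, "reason": "malformed address"}
    if listing == official:
        return {"match": True, "reason": "identical contract address"}
    # A truncated display hides a differing middle; report that case explicitly.
    if listing[:6] == official[:6] and listing[-4:] == official[-4:]:
        return {"match": False, "reason": "prefix and suffix match but the middle differs"}
    return {"match": False, "reason": "different contract"}

# Constructed placeholder address (not a real contract).
OFFICIAL = "0x1234567890AbCdEf1234567890aBcDeF12345678"
```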

Before buying any NFT listing
  • Verify the contract address matches the one on the project's official website
  • Check for a verification badge on the marketplace
  • Look at the collection's creation date and total trading volume
  • Review trading history for wash trading patterns (same wallets trading back and forth)
  • Compare the floor price against the real collection — steep discounts signal counterfeits
  • Search the collection name on the marketplace to see if duplicate listings exist

04

Social Engineering Through Discord and Twitter/X

Scammers don't just build fake websites — they build fake relationships. Common tactics include impersonating project moderators in DMs, creating fake "support" channels, and posting announcements through compromised admin accounts. The attack vector isn't technical; it's psychological. You're targeted when you're excited, confused, or asking for help.

  • No legitimate project will DM you first to offer minting links, support, or airdrops
  • Compromised Discord servers may post "surprise mint" or "airdrop claim" announcements — cross-reference any announcement against the project's Twitter/X and other official channels before clicking
  • Fake customer support accounts on Twitter/X reply to people who publicly post about wallet issues, offering to "help" through a link that drains the wallet
  • Friend requests or DMs from accounts mimicking well-known NFT figures, often with a username that's one character off

What this means practically: Treat every unsolicited link as hostile until you've verified it through a second, independent channel. This isn't paranoia — it's the base-level operational security that the environment requires.

05

Malicious Smart Contract Approvals

This is where most explanations go wrong. People focus on not clicking bad links, but the actual damage happens at the approval step. When you interact with a smart contract, your wallet shows you what permissions the transaction requests. A token approval grants a specific contract permission to move tokens or NFTs from your wallet. Scammers exploit this by requesting broad approvals — permission to move all assets of a certain type — then draining wallets hours or days later.

  • A legitimate NFT mint requests permission to take your payment and send you one NFT. It does not need blanket access to your entire collection.
  • Tools like Revoke.cash let you review and revoke existing approvals you've previously granted
  • If a transaction requests approval for a token or collection you didn't expect, that's a red flag regardless of how trustworthy the site looks

What this means practically: Every approval is a standing permission until you explicitly revoke it. Periodically audit your active approvals, especially after interacting with new contracts.
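As an added example that is not part of the original guide, this Python function reads the calldata of a pending approval transaction the way this section says to read it: it recognizes the standard `setApprovalForAll(address,bool)` and `approve(address,uint256)` selectors, extracts the operator address, and reports whether the grant is a standing blanket or unlimited permission and whether the operator is one you deliberately trust. The selectors are the standard ERC-721/ERC-20 values; the operator addresses and calldata are constructed samples.

```python
from typing import Optional

# Standard ERC-721/ERC-1155 and ERC-20 function selectors (first 4 bytes of
# keccak256 of the signature), hardcoded so the check runs offline.
SELECTORS = {"a22cb465": "setApprovalForAll", "095ea7b3": "approve"}
UINT256_MAX = (1 << 256) - 1

def split_calldata(data: str) -> Optional[tuple]:
    """(function name, list of 32-byte hex words), or None if not a known approval call."""
    h = data[2:] if data.lower().startswith("0x") else data
    sel, body = h[:8].lower(), h[8:]
    if sel not in SELECTORS or len(body) % 64 != 0:
        return None
    return SELECTORS[sel], [body[i:i + 64] for i in range(0, len(body), 64)]

def read_approval(data: str, trusted_operators: set) -> dict:
    """Describe what an approval transaction grants and whether to reject it."""
    parsed = split_calldata(data)
    if parsed is None:
        return {"function": None, "reject": False, "note": "not an approval call"}
    fn, words = parsed
    if len(words) != 2:
        return {"function": fn, "reject": True, "note": "malformed approval calldata"}
    operator = "0x" + words[0][-40:].lower()   # an address is right-aligned in its 32-byte word
    value = int(words[1], 16)
    if fn == "setApprovalForAll" and value == 0:
        return {"function": fn, "operator": operator, "reject": False, "note": "revokes a blanket approval"}
    if fn == "setApprovalForAll":
        scope = "every NFT in the collection"
    elif value == UINT256_MAX:
        scope = "unlimited token allowance"
    else:
        scope = f"allowance of {value} units"
    standing = fn == "setApprovalForAll" or value == UINT256_MAX
    trusted = operator in {o.lower() for o in trusted_operators}
    note = f"grants {operator} {scope}" + ("; standing permission until revoked" if standing else "")
    return {"function": fn, "operator": operator, "scope": scope,
            "standing": standing, "reject": not trusted, "note": note}

# Constructed sample: setApprovalForAll(0xdede...de, true) as a wallet would show it.
SAMPLE_BLANKET = "0xa22cb465" + "0" * 24 + "de" * 20 + "0" * 63 + "1"

if __name__ == "__main__":
    print(read_approval(SAMPLE_BLANKET, set())["note"])
```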

Approvals persist until you revoke them
A token approval you granted six months ago to a now-compromised contract can still be used to drain your wallet today. Use Revoke.cash or Etherscan's token approval checker to audit and remove permissions you no longer need.

06

Protecting Yourself: Wallet Separation

The single most effective defense isn't a tool — it's architecture. Use separate wallets for different purposes: a hot wallet (connected to the internet and used for daily transactions) with small amounts for minting and trading, and a cold wallet or vault wallet where you store valuable assets and rarely connect to any site.

1. Create a dedicated minting wallet. This is the wallet you connect to new and unproven sites. Fund it with only what you're willing to spend on that specific transaction. If this wallet gets compromised, your main holdings are untouched.

2. Transfer valuable NFTs to a separate storage wallet. This wallet never connects to random minting sites or DeFi apps. The isolation is what makes it safe.

3. Verify before you sign, every time. Read the transaction details in your wallet popup. Check the contract address, the function being called, and the assets involved. If anything looks unfamiliar, reject and investigate.

What this means practically: You can't prevent every scam attempt from reaching you. But you can make sure a single mistake doesn't wipe out everything you hold.

Setting up wallet separation

1. Create a minting wallet. Use a fresh wallet address funded only with what you plan to spend on a specific mint or interaction.

2. Create a vault wallet. This wallet stores your valuable NFTs and tokens — never connect it to unverified websites or new contracts.

3. Transfer assets after minting. Once you've minted or purchased an NFT through your minting wallet, move it to your vault wallet for long-term holding.

4. Audit approvals regularly. Check both wallets for lingering token approvals using Revoke.cash and revoke any you don't actively need.

07

Quick Recap

  • Most NFT scams reuse the same mechanics: fake sites, broad approvals, impersonation, and manufactured urgency — learn the patterns and they become obvious
  • Always verify contract addresses against official sources and read what your wallet is asking you to sign before approving any transaction
  • Wallet separation — keeping a low-value hot wallet for interactions and a vault wallet for storage — limits the blast radius of any single mistake
  • No legitimate project, moderator, or support agent will DM you first with links; treat every unsolicited message as a scam until proven otherwise

Written by Web3Guides AI