Imagine that you were a scammer trying to target a particular group of people… let’s say people who like to spend their days at the lake relaxing with a fishing pole hanging in the water. Who knows why – maybe you are trying to sell counterfeit lures? Coordinate putting out some AI-enabled fishing rod that’s collecting fingerprint data while they laze their days away? Motivations are rather inconsequential for this example.
You could pay for a big list of dark web data, but you could also just insert yourself into that community. You can hop on message boards, join chat groups, heck you could even go hang around local bait shops. Before long, you’ve got a lot of useful demographic data on people that are part of that group. Maybe all you have is some emails and IP addresses… but that’s enough to start refining your list and getting more information.
The same is true with Discord. The Gala community is a great place for the latest news and robust conversation about every aspect of the Gala Ecosystem. The popularity and richness of social connections that are forged on our Discord server or Telegram channel, however, also make them a popular destination for another type – scammers. It’s important to know and understand the tactics of these digital miscreants to keep your digital assets safe while still participating in any digital community.
Welcome to the 8th installment of The Guardian Papers, where we try to impart the wisdom that everyone should have to start a successful journey through the world of digital ownership. The blockchain world is still in its infancy. We here at Gala believe that empowering each and any member of our community makes us stronger as a whole.
Miss an issue of the Guardian Papers!? Check out past editions below!
It is our hope that this series has and will continue to present foundational information that will not only provide a base understanding of how to keep your blockchain footprint secure, but will also help inform your journey through this digital adventure so you can ask better questions, do better research, and make better decisions to help guard your entire community.
The Dark Side of Community
Discord was originally made for gamers. As the scope of the platform has grown to include countless massively popular communities, however, it has also attracted the riffraff that stalks digital space for the opportunity to steal from the unwitting. Because Discord servers categorize people into common interests, it’s easy for scammers to get inside groups and represent themselves as just another member – or even an authority figure – within that community.
The same is true for Telegram or other messaging apps where people commonly gather in like-minded groups. In these spaces, the community itself has already done the work to compile victims for all the villains in the cryptoshadows. Communities are welcoming because that’s the point of community. By simply being in these groups, however, you’ve done part of the scammers research for them… they know that you are part of their target audience.
Make sure you customize your privacy settings in Telegram… or else you’re about to get a whole hornet’s nest of attention from all the wrong people!
Community messaging apps like Telegram and Discord are third-party platforms that are utilized by Gala, but these can have their own security issues that are simply beyond any community’s ability to control. The scammers thoroughly know the shortcomings of these apps, and can exploit them to attempt to scam thousands of members of a community within minutes. Even one success will show them this pond is well-stocked with easy catches for their future fishing endeavors.
Any community where the digital villains see opportunity isn’t going to get rid of them without a fight, however. We can only turn the tide against the scammers by making sure that each and every one of us is ready to defend against them.
Don’t forget to customize your exceptions as well! By default, any member of Telegram’s premium subscription can contact you regardless of your settings 😱
Don’t forget to customize your exceptions as well! By default, any member of Telegram’s premium subscription can contact you regardless of your settings! 😱
How Scammers Prey on Communities
It’s hard to build and feel community if you’re always suspicious of your neighbors. The scammers are counting on this, because that’s not how defenses work. When you perceive yourself as ‘among friends’ your defenses naturally go down. You want to be helpful – after all, that’s what building community is all about.
That’s why they’re here. Community is a group trust that we build up over time with likeminded people. We can’t simply turn it off and on. It’s not like we recognize every member of the community, we just recognize that they are part of the community.
We’ve discussed impersonation before, so you’re all very well aware that there are people out there who will pretend to be Gala customers or community support. You need to stay vigilant for these types of things… these apps are where the scammers find their marks.
This isn’t to say that community itself is bad. In fact, it’s very very good. Community standards and best practices are how we combat these scammers. Building a community is too important to let scammers stop us. We have to build a better community to make it outlast the villains.
Trust is Earned
Just because someone is part of your community does not mean they’ve earned trust, and it’s not an insult to tell them so. Caution is admirable… and part of the point of web3 is to establish systems that don’t rely on trust.
First off, please adjust your privacy settings on Telegram, WhatsApp, Discord or similar apps if you have not. In Telegram, for instance, you can be contacted by anyone by default. If you don’t change that it’s only a matter of time before you are getting blown up with spam and scams. Similarly WhatsApp will show your personal phone number to anyone who comes looking if you don’t change the security settings… make sure to get this done or you’re wide open to an attack from a crytpovillain.
Even on Discord you can customize your security settings to control who can reach out to you. As we’ve discussed before, don’t trust a display name… that can be easily changed. Put people you trust on your friends list. Consider changing your settings so friends can message you. That way any new friend requests are where you know you need to be vigilant, and anyone on your friends list has already been vetted.
Trust, but verify
-Old Russian proverb
Don’t trust these security measures to be the end all be all of your defenses, however! People can get hacked or lose access to their accounts. Sometimes the attack could come from someone you know… albeit not them actually sitting in front of their keyboard.
Community Strong
With so many threats among communities you trust, the fight against bad actors in digital spaces can seem hopeless. Fortunately, community is also the cure to this malady.
⬆️ Not a great way to seek help from the community. Not only does anyone watching now know this user’s needs, but also their urgency. I bet their DMs blew up.
⬅️This is a great way to utilize the knowledge of the community. Tons of eyes can get on the deceptive scam attempt right away to verify if it’s legitimate or not. HINT: This one was not legitimate.
No one person can be entirely vigilant all the time. We get tired. We get distracted. Our guard comes down for a moment here and there… and that’s when attacks happen. Talk to your community. Educate each other and call out the tactics that scammers are using so that everyone can learn to avoid them. Alone an attack is inevitable. Together we’re strong.
If you see something sus, reach out! Ask the community you trust whether you should be engaging. Don’t be embarrassed. A simple question could save you a lot of hassle.
Guarding Each Other
When we work together, the community really shows its strength. Those who seek to exploit communities of common interests in the web3 space are counting on us not following through with our commitment to a solid community. If a victim doesn’t use the community resources at their disposal to help themselves, what can a community do to help?
That’s why it’s so important to share tips and educate fellow community members about security culture. If we all get a little better at spotting bad actors, we’ll all be a little less likely to get scammed. If we all get a little better and share a little more of that culture with each other, we’ll be exponentially more protected from those who seek to do us harm.
That’ll do it for this week’s Guardian Papers, but we’ll be back! Next time, we’ll be breaking down multi-factor identification and how it can help protect your digital sovereignty in this new age.
Stay safe Galaxians… and always have your shield ready!
You sit down at the breakfast table with your coffee. As the yawns squeeze out of you and you wipe the sleep from your eyes, you pull out your phone to catch up on your emails.
Just routine stuff… spam, spam, free offer, Amazon invoice – wait, what’s this? Your cuteandreallycuddlyfluffypuppies.com account has been compromised and needs your immediate attention! 😱 You click the link to reset your password, glad you caught this email before it was too late.
You follow the prompts on the next screen and fill out your new password… little do you know, your cuteandreallycuddlyfluffypuppies.com account has been compromised. By you. Right now. That was a fake link from a fake address, and they got exactly what they wanted out of you!
Sound familiar? This is one of the most common tales of how scammers find their way into someone’s defenses. As digital security continues to improve, there is still one glaring vulnerability to even the best system – the human behind it!
Welcome back to The Guardian Papers, where digital heroes can get the base training they need to thwart villains’ underhanded attacks against them across the web3 world.
Email is often where scammers have a chance at getting directly to you. One miscalculation or momentary lapse of attention to detail could cause you a lot of hassle, so you’ve got to know how to keep yourself safe.
Miss a previous edition of The Guardian Papers? Catch up below!
First off, we definitely don’t want to imply that email is inherently insecure – many email providers have excellent security protocols put in place, and there are tons of tools out there for anyone who wants to beef up the actual protections in their email. The problem with email security is the person behind the keyboard… and it’s a vulnerability that isn’t going away.
Your email is a direct line to you. No matter your security infrastructure, if you’re getting a scammer’s email in front of you, you’re probably going to read the words they wrote. This direct access is the dream of all those fake Discord admins and help desks. They want that direct line so they can exploit your trust… because your security systems work for you. If they convince you, your security isn’t an issue.
For most people, email is the height of routine. When you are checking emails, you’re performing the same ritual you’ve done thousands of times. You may have many email accounts, only adding to the volume and frequency of your email checking ritual. When you do something day in and day out, over and over, you eventually become less attentive to the process overall.
As something becomes part of your routine, you eventually sort of automate it in your mind. How many things do you automatically do throughout the day without any real conscious thought? It’s the same for email. While the part of your brain that reads and parses the information in the emails may be present, other parts of your mind have moved on to other tasks.
This leads to some easy wins for scammers that would never work on your while at full attention.
How Did They Find Me!?
Honestly, how wouldn’t they find you? It’s important to remember that our data is everywhere, and we don’t typically consider email addresses private data. If it’s ever been out there, it’s still out there probably.
Let’s say Billy has a private, personal email address that he typically only shares with family and close friends, then he has another that he uses for work. Billy’s dad is fond of forwarding emails on occasion, and so drops a long chain email forward into Billy’s inbox once in a while. Billy’s friend Sally CCs him into a monthly newsletter that she sends out for their Karaoke Club. One day, Billy starts seeing large amounts of spam coming into his personal email account! 😨
What happened? Well you see, Tyrone from Karaoke Club was trying to get his friend Trevor to come to last month’s championship, so he forwarded him the newsletter. Trevor’s email account was compromised and the inbox contained Tyrone’s address, along with the CCd address of every other member of Karaoke club. Welcome to a list, Billy.
Let’s be honest though, it’s probably not the first time Billy has gotten scam emails at that address. He used to have it visible in his Facebook about section for years, and it’s still listed on an ancient and forgotten DeviantArt portfolio along with his real name. Also, he’s had this account for a long time and emailed lots of people. Each of those is a chain that connects to his email address. If any one link is discovered by the bad guys, the whole chain is in the open.
After that they can do a surprising amount to learn your behaviors. With a full-feature email service, they can theoretically tell exactly when you open the email, your operating system, your geolocation… all sorts of stuff that isn’t exactly secret, but gives you the shivers that they could know. Once they have this, it’s not hard to generalize demographics and predict who would be receptive to what scams.
Wolves Dressed as Sheep
Many of the ways people will attack you through your email fall right in line with our previous discussion about The Impersonator. In your email they know they have you in a format that you’re likely to overlook small details. If they know they can get past your spam filter, then they know there’s a good chance that you’ll at least click on their email.
They’ll try to mimic emails that you are likely to be receiving. There are lots of ways they could get an idea about what email lists you may be on, and not all of them are data breaches. A tracker in your browser could be feeding info about your behavior without necessarily doing anything nefarious to be flagged as malware by your safeguards.
Remember, legitimate businesses and individuals assign cookies and trackers all the time without any ill intent. We all click “Accept All Cookies” once in a while. Even if there’s just a .01% chance that any of those you click on has something harmful coming across, it’s just a matter of time.
Also consider that people are quite predictable with a large enough sample size. For every well-timed scam email you’ve ever received that seemed like they must be actually watching you, you’ve probably received two dozen weird ones that seemed to come out of left field. It’s just a numbers game. They’ll get it right sometimes.
If they’ve identified your email and the most likely services and addresses that can trick you, it’s only a matter of seeing what they can slide by.
In the case of this above example, the fake may seem obvious. After all, we’re here stretching our brains and thinking about scammers, but when someone comes across this email they may be distracted or in a hurry. Then, they could feel panicked that their MetaMask wallet has been compromised.
Notice that they color the email to draw the eyes directly to what they want you to see. The large notice at the top, and the button to “update now”. While we didn’t click that link, a quick mouseover revealed the target to be a proxy site, with a slug pointing to a long string of characters for a dAPP command. This link almost surely goes to a fake service site where you will be immediately asked to connect your wallet.
Oh, and also –“MҽtaMask”? That’s not an E. That’s an Abkhazian Che, a Cyrillic character that is entirely different from the latin “e”. If you’re not paying close attention though… it may be enough to not get them flagged for impersonation, while your eyes simply autocorrect that to “MetaMask”.
Also, check out that XM over there. That’s called a BIMI or Brand Indicator for Message Identification. These are verified trademark spaces, so a brand can submit a BIMI that won’t be copied anywhere else. This is a relatively new system that only works with some email providers, so you may notice a difference between impersonators and the emails they’re impersonating based on their mark. This isn’t always the case though, as some brands have not yet adopted BIMI… our emails here at Gala, for instance, do not ever use a BIMI.
That verification check mark doesn’t mean anything, it’s just part of the display name – like we saw with fake help admins in our imposter profile.
The dead giveaway is the return email though. Even half redacted, it should be pretty easy to tell that’s not from MetaMask. Why would MetaMask not send emails from their domain that users know and trust?
Straight to the Source
The important part here is that your email usually has your attention. If they can slide into your inbox, half their work is done. If they send out 10000 emails, what do you suppose the chances are that no one is careless enough to click without thinking?
That’s the end goal for these scammers. They know that most people in the digital world are protected in some way from bad actors, but they also know that you hold the keys to your security mechanisms. The best defenses in the world don’t mean much if you willingly click to their site and give them your information.
This is why The Guardian Papers are here. These scammers know that there is always someone to prey on because people aren’t informed. If we all know what to look for, the fruit they’re looking for gets waaaaay higher in the tree. Maybe they’ll just go find another tree to climb.
Digital Guardians
No one is going to ensure your security on the web. You have to take matters into your own hands and change behaviors if you want to be safe. While it may seem overwhelming to think of all the ways the bad guys can get to you, it’s really not that hard. If you learn the ways that they come at you, before long it’ll be easy to spot the attackers long before they breach your walls.
We learn. We teach. If everyone is equipped to deal with them, digital villains don’t stand a chance.
That’ll do it for this week’s Guardian Papers! We’ll be back though as we dive into common ways people use Discord and other messaging apps to prey on the unaware!
Imagine that you own a castle. As a proud owner of such an impressive, shiny fortress, you’ve likely got defenses – a sturdy wall and a heavy gate to protect your valuables. When an advancing army approaches, however, you don’t necessarily want them to test that security. You wouldn’t even lower the drawbridge!
Your passwords function the same way and are your first line of defense to keep bad guys from ever even getting a foothold near your digital hoard.
Welcome to the 6th installment of The Guardian Papers, where we walk you through how you can protect yourself from the digital miscreants who seek to steal, cheat, and otherwise destabilize our beloved community.
As the blockchain revolution continues to provide opportunities for people all over the world, those who lurk in the shadows are always eager to prey on the unaware. It is our goal with this series to educate and empower our community to resist and repel the monsters who hide out there in the digital darkness, so that we all can be safe, secure and more prosperous as we build a better future together.
Miss an issue of The Guardian Papers? Catch up below!
In the next few articles, we’ll be talking about security fundamentals that apply to all aspects of digital defense. We’ll rotate back to the Gala community specifically soon, but for now these are fundamentals that everyone should learn, and that are often highly exploited in the blockchain world.
What Makes a Password Secure?
Nearly everybody has countless passwords across their digital profile, so you’d think that creating secure passwords is a skill that everybody just picks up early on in life. Unfortunately, despite most people knowing better, many people are still using incredibly unsafe practices with their passwords that can leave your digital assets vulnerable to the bandits of the blockchain frontier.
Increases in technology bring many extra tools to help keep your assets secure, but also give your enemies more sophisticated weaponry to use against you, which makes it more critical than ever to use strong and secure passwords throughout your entire online ecosystem.
Length and Variety
Different platforms have differing minimum criteria for the length and character variety of passwords, and it’s never a bad idea to go overboard. With current computing power, a cybervillain could potentially attempt billions of passwords per second. While this may be limited somewhat by network security features on some platforms, longer and more varied passwords mean more combinations will be required to guess yours.
If you were using a 7-digit password that consisted only of numbers, that password would have 10 million possible combinations (0000000-9999999). Take that same 7-digit password and include capital and lowercase letters as well– now you have 62 possible characters per digit. This would increase the possible combinations of correct answers to a little over 3.5 trillion, still with only 7 characters in the password.
Uniqueness
Not only do you want your passwords to be unique for each of your accounts, but ideally you want them to not be a combination of characters that no one else would have ever thought of in their wildest dreams. Including dictionary words or common mnemonics like a year could leave you vulnerable to hackers looking for low hanging fruit.
Your password shouldn’t be something familiar or easy to remember– the entire point is to make it something that only you know.
This may seem like common sense to many digital veterans, but repeatedly data breaches have shown that things like “password”, “123456” and “qwerty” are the most commonly used passwords throughout the world. Using any common phrases in your passwords makes you the nice, soft target that the enemies of digital sovereignty are after.
Fun Fact: According to a study last year by NordPass, here are the top 10 passwords used worldwide:
1. 123456
2. admin
3. 12345678
4. 123456789
5. 1234
6. 12345
7. password
8. 123
9. Aa123456
10. 1234567890
Don’t be like these people. Make your passwords secure.
Anonymity
If someone is going to try to penetrate your personal passwords, the best place to start is often for them to know their enemy– you! If personal information that they can glean from public records or social media gives them insight into what your passwords may be, they may be able to breach all of your security before you even see them coming.
Using your birth year, your pets’ names, your children’s names or anything simple to guess with just a little information about you is incredibly unwise. Especially if you use similar mnemonics on all your passwords, one glance at your Instagram profile may have given a hacker all they need to clean out your digital hoards.
Common Password Vulnerabilities
Constructing strong and secure passwords certainly helps keep your defenses high. Secure passwords can still have vulnerabilities, however, and it’s extremely important to know all the angles that your password security could potentially be attacked from.
The Human Element
While many insecure passwords are often “brute forced” by miscreants with a program that can guess combination after combination, some are obtained through phishing attempts as we’ve discussed in our previous Guardian Papers profiling the common scams in the blockchain world. This is never to be taken lightly, as criminals will continue to develop new ways to trick your information out of you.
Your passwords are yours, and should never be shared. Even here at Gala, we’ll never ask for your password or keys– anyone who does is up to no good.
Even if you have excellent security and top-notch passwords, one error in judgment can still be exploited to ransack your digital fortress. There is no reason to share personal data or password information with anyone over email, Discord or any social media.
The scammers multiply because their methods get results. This is why it’s absolutely critical that the community here at Gala and throughout the entire blockchain frontier helps educate and empower their fellow digital pioneers. Once every member of the blockchain world is familiar with and prepared to fight off these attacks, these monster’s food source will dry up.
Even the best password hygiene is no substitute for caution when connecting to unknown networks!
Data Breaches
As massive data breaches have repeatedly shown in recent years, even secure information can be compromised and leaked when the defenses of organizations that you trust are compromised. If your passwords are stored with an organization who has been breached, you need to consider that password or any variation on it compromised forever. After a breach, that information is compiled in lists and distributed all over the dark side of the digital world, and information is forever.
In 2020, white hat hacking group FireEye identified a worldwide breach in the SolarWinds software. SolarWinds was a network management company with a global presence, and over 18,000 compromised clients were identified in the breach. FireEye noticed the breach quite by coincidence, but the systems had been compromised for more than a year.
This breach was later determined to be coordinated by the Russian Foreign Intelligence Service, and by leveraging the breached systems within SolarWinds for many months, they were likely able to access a significant portion of protected information across the entire global internet.
Read more about the breach from the US Government Accountability Office.
To limit your vulnerability to data breaches that are beyond your control, never use the same password on more than one account. If one of your accounts is compromised, the last thing you want is for that to just open the door to all your defenses. Changing your password frequently will help you stay ahead of any breaches that may happen.
Most importantly, don’t trust your password information to entities when you don’t have to. Always think critically about whether you really want to share sensitive information with organizations before you have a chance to regret it. Rather than having a device remember your sensitive passwords, store them offline whenever possible– an old fashioned paper and pencil is about as unhackable as you can get.
Password Managers and Single Sign On
Password managers and single sign on (SSO) can be a great way for people to securely protect their individual credentials without getting lost in the tangle of hundreds of secure and confusing passwords.
These tools crucially only work, however, if you use them securely. If you aren’t going to follow good security practices without a password manager, then putting all your credentials into one could just be shoving your eggs all in one basket for a scammer.
If you choose to use a password manager, make sure that you follow all recommended precautions and protect your credentials to that password manager. Make sure you are choosing a reputable and well-known password manager to use… the last thing you want is to try some brand new password manager, only to find that you’ve been had by a phishing attempt that now has all your passwords!
Hold the Line
Most of the time that digital defenses are infiltrated, it’s through the front door– a password. How secure can you expect your personal estate on the blockchain to be with a wimpy lock on the front gate? Even with the extra layers of security we’ve discussed throughout this series such as private keys, and the precautions we’ll discuss moving forward (looking at you 2-factor authentication!), if your passwords are penetrated the enemy is already inside your defenses.
The best way to make sure you stay entirely secure is to keep that gate locked tight.
Maintaining secure passwords and protecting them from the grips of the enemy prevents any part of your digital profile from being compromised. Even one account being breached represents a chink in your armor that could then give way to other vulnerabilities. Keep your defenses battle ready at all times and don’t let anything past your guard.
The Advance Guard
As we continue to advance through The Guardian Papers, it’s our hope here at Gala Games that we’re contributing a collection of resources for the community to reference and share, so that we can all power-up our defenses against those who would do us harm.
For our next installment, we’ll stick to fundamental security and discuss 2-factor authentication and multi-factor authentication. As this series progresses beyond this module, we’ll rotate to an increasing focus on issues that are incredibly relevant to not only the community here at Gala Games, but the entire cryptoculture as well.
It is our sincerest hope that this series not only empowers you to defend your sovereignty on the blockchain, but also inspires you to empower others throughout our beloved community.
Welcome back to The Guardian Papers, the series where we help bolster the security super sense of our community on GalaChain and beyond! Today we’re continuing our dive into the world of cons and villainy as we explore the methods that scammers use to deceive unwitting marks. Educate yourself on their methods, and soon you’ll be a defender of others rather than a target!
Scam Profile: Too Good to Be True
Hey there! Would you like to amass riches without any effort whatsoever?
If you answered yes to this question, you may be a human being!
Seriously, everyone wants this. This is what the scammers out there are counting on, and how they reliably reel in their prey.
Rather than exploring how scammers deceive you like last time, today we’re getting a bit more cerebral. We’re talking about the bait – the incentives that scammers will use to get you to throw aside caution and logic to dive head first into their trap.
If something seems too good to be true… it probably is.
Common Motivations
We’re living in a material world… and the vast majority of us are material people. That doesn’t mean we’re obsessed with our stuff or money hungry, but most people live in a state where an infusion of money could totally change their lives. Whether it’s an increase in living standards, a better life for our kids or simply a way out of debt, most humans have an amount of money that will reliably spur their motivation.
The amount of easy money that may light a fire under us may differ, but the important thing is that the scammers know there is likely an amount that will push caution and logic out of your head and replace it with dreams of escaping whatever financial situation you’re worried about or transforming your life for the better. This is exactly what they’re counting on.
Once they’ve got you dreaming about easy money, they can count on your critical thinking skills being less engaged. After that, all they have to do is keep you on the line and let you dream.
Preying on Need and Greed
We all have needs to survive. The scammers out there can capitalize on this to make you justify some degree of trust or risk. Sometimes, they get you in the door with only fairly unbelievable claims… the level where your curiosity is piqued, but your brow may still be furrowed.
We don’t know what your job searching experience is… but from the writer of this article’s perspective, tech jobs at major metropolitan competitive prices don’t just drop into cold calls without some major strings attached.
The wages given are very high for someone sliding in to mass announce job openings. That having been said, they are not high for competitive jobs within the industry for the very qualified. The intention is that your brain says it’s implausible… but not impossible. So you DM out of curiosity. Then they have a direct line to work on you hard.
At the point they get you into their DMs or on their site, there are any number of scams that they could attempt to run on you. The important thing is that they now have you where they want you, thinking about what that money could do for you.
Sometimes these types of scams run a little more flagrantly too good to be true. As the reward is cranked up however, our mind has a way of justifying a greater amount of perceived risk.
In the case of this DM (that I received four of at the exact same time from four different accounts 🙄) they’ve abandoned the idea of believability. Instead, they’ve employed several ‘hard sell’ techniques to make the target careless enough to slip up.
First, there’s the ludicrous amount of free money they’re offering. They temper this free thousands of dollars worth of ETH by having the target ranked third… leaving a quiet voice in the back of your head saying, “Surely if it was a scam they’d have put me in first.”
Then there’s the time sensitivity. You only have 24 hours to activate your code! Oh no! No time to hesitate!!! Your decision-making reactively goes into high-pressure mode, making quick decisions with less information than it normally would. Of course once you go to their site, you’ll be asked to connect your wallet to get your winnings. Then they have access, and you are drained.
Note the inconsistencies across the messaging. “You have been RANDOMLY selected among users of Crypto Discord Servers.” AND “If you don’t know what is crypto and how to use it – ignore this message”. But how can both those things be needed? Why would they send this to someone who didn’t know ‘what is crypto’ if they selected participants from among crypto communities only? 🤔
Think about that… selected from “Crypto Discord Servers”. That makes sense for an airdrop of some new token from a brand new ecosystem trying to get its name and token out there… but what would a trading platform have to gain by giving away so much to people who are NOT already part of their platform?
There’s no CTA to sign up. No email opt-in to enter. No marketing win for the company who fronted the prize… big red flag. At best, they’re getting 3 new users out of this ~13.9 ETH prize. That’s not how marketing budgets work.
Also, did you notice how seemingly random words were capitalized throughout the message? The capital words in the first section act as subconscious triggers for your brain, priming you to follow through on the scam. When you scan the text, your brain automatically considers the capitals more important. If you’re old enough to remember the classic tag cloud on websites, think of it as that… except it’s logging keywords with your brain instead of AOL Search and AskJeeves.
Scamming Human Nature
You may be reading this and nodding your head thinking, “This kind of stuff would never work on me!” You’re probably wrong. It can work on anybody.
The reason that scammers use these tactics is that they do work. Everybody has an instinctive reaction when presented with these kinds of stimuli. We are able to overcome them by informing ourselves, but the instinct is still there. That is what scammers exploit.
If you are informed, however, you usually cease to be a target. Notice how the last example above said to ignore the message if you didn’t know what crypto was? They don’t want difficult onboarding. They want people to slide through their trap easily with just a little butter. If you are a difficult mark, you are no longer worth their time.
Most people are familiar with the classic Nigerian Prince con… again, a ‘too good to be true’ type of scam. In this type of advance payment scam you’ll often see the scammer deliberately misspell words, punctuate awkwardly or more or less just fail to perform the language they are typing in. This is because they don’t want people who think too critically to respond.
If you overlook all those obvious errors and their inconsistency with the idea of wealthy, well-educated royalty… you’ll probably overlook other things. If you spot the signs right away, the sharks don’t smell blood in the water.
Fun Fact: The ‘Nigerian Prince’ scam is actually a very old form of advance payment scams, most notably going back to the “Spanish Prisoner” scam in the 18th and 19th centuries.
The con man tells the mark that they represent a wealthy noble who has been imprisoned in Spain. The noble is under a false name for fear of political persecution, etc. If the mark can give bail money, the noble can reward them handsomely upon their return home.
Once the mark gives the bail money, the con man comes back saying that the noble needs money for passage to his homeland where the treasure awaits. Then there will be storms and delays, extra costs. The con man keeps pumping the mark for money until the well runs dry, but the prisoner never brings back riches. They don’t exist.
Read more about the history of The Spanish Prisoner swindle in a very interesting deep dive by the Western History and Genealogy Department of the Denver Public Library. ⬇️
The way to fight these scammers is to inform ourselves and those around us. These kinds of cons are not going away as long as there is a gullible audience for them to exploit. While it’s unlikely that we’ll ever be universally free of these types of predators, we can be free of them within our community with education, support and good practices.
That is, after all, what The Guardian Papers is all about. We all come from different backgrounds. Some of this may be little more than review for some members of our community, but there are others that this is all new for.
When it comes to scammers, we really are only as strong as our weakest link. As long as the villains find an easy mark within our ranks, they will be here. With every link strong and resistant against them, they’ll go elsewhere and find somewhere else to practice their evil art. That is the strength of community.
That’s all for us this week, and that will wrap up our second module of the Guardian Papers! We’ll circle back to the methodology of scammers again in a later article, but Module 2 was designed to give you a brief overview of who the villains are and what tools they use. Hopefully you have that context and it helps you in the battle against the forces of darkness.
Next time, we’ll be starting in on Module 3. In this part of the series, we’ll shift back to proactive security and talk in more detail about these mean streets. We’ll dive into the corners of the web3 world where you tend to encounter cyber criminals and talk about how to spot them in their natural habitats.
Until then, stay safe out there heroes! Keep your wits about you, and remember to share your knowledge with your friends… our community is our greatest tool to keep us safe!
Congratulations hero, you’re ready for the second module of The Guardian Papers. In our introductory lessons, we discussed the absolute bedrock fundamentals for safely navigating the web3 frontier. Now that you’ve mastered the basics, it’s time to move on to the basics of digital self-defense in specific circumstances.
If you feel like you need a refresher on any material covered in module 1, don’t hesitate to dive back in!
When you get change back at the grocery store, do you tell them to hang onto it until next time? ...
Prepare yourself to move on from simply scratching the surface. For module 2 we’re going to dive into the underbelly of digital villainy in the web3 world, and talk about some of the most common ways that the good people of the blockchain world are preyed upon.
To protect yourself, you must first understand the danger.
Scam Profile: The Impersonator
Imagine, noble citizen of the web3 world–
You’re minding your own business, heading over to GalaSwap to make a few small trades and maximize your May Mayhem experience.
You click a handy link off Discord to gaIaswap.gala.com. It loads a little slow and the layout looks to have changed very slightly… must’ve been an update. For some reason you aren’t logged in… that’s weird, you were just a little while ago. But that can be easily fixed! Then you notice something weird after you put in your transfer code… you can’t see your balances or accept any swaps!
Suddenly panicking, you switch over to a new tab and open your inventory… oh no! Your wallet is drained! Looking back at that link… an upper-case ‘i’ sure looks a lot like a lowercase ‘L’ 😭
You’ve just fallen victim to an impersonator scam. This one may have been elegantly simple, but they come in all shapes and sizes. Even a small scam can mean total damage.
Did we even have to change the L to an i though? A link can be anything, the text that you see is just an anchor that the real URL is tied to. Case and point — where do you think this leads? Gala.com (I promise that L is not an i!)
This con relies on the scammer earning enough of your trust that you give them sensitive information before thinking twice. These types of scams get easier to recognize and rebuff as you become more experienced in the web3 world. They can also, however, almost always be prevented by maintaining normal security standards, no matter the situation.
The Personal Touch
We’re all humans and that means we’re instinctively social creatures. When a scammer is trying to gain your trust, they have two options. They can either set up an impersonal trap like we mentioned above, or they can reach out more directly to their victims. A wide-reaching trap may catch a few marks for them, but many scammers will target individuals knowing that it’s a faster way to generate the trust needed for the con to work.
Sometimes, even a simple misspelling or low effort fake name may be enough to trick someone.
In this example, someone in a hurry may not even notice that extra s before reaching out to their friendly, neighborhood Taco!
Since this scammer has Taco’s exact PFP, they are counting on the trust that people associate with that image making them let down their guard enough to get sensitive information.
Someone only has to trust the scammer for a few minutes to make a horrible mistake!
We all know to look out for scammers… and we’d all like to think that we’re far too observant for it EVER to happen to us. But it still happens.
Just because someone is a scammer doesn’t mean they’re incompetent. They know what works and how often… after that it’s just a numbers game until we all wise up to their tactics.
Here’s one we’ve all likely seen before, but they’re almost always targeted at someone who needs help and isn’t aware of what proper steps to take next.
When we want help, we want to be helped. The scammers are counting on this. When you can’t figure out what to do to fix a problem, frustration will start to build. A good scammer sees how long you’ve been looking for answers, and understands how frustrated you must be getting with the situation.
After that, it’s just a matter of providing you what you want to see in that moment – someone offering a simple and quick solution. This is the kind of situation that arguably traps the most victims for the web3 bandits.
Humans tend to see what we want to see to some degree, particularly at elevated levels of stress. If you’ve ever fallen for these types of scams, you shouldn’t feel ashamed. Many scammers out there are very good at what they do… which is why we all have to know more so we can fight back better.
This particular scammer seems to have found the ideal mark… the victim announced that they are having trouble sending $GALA and that there’s a problem with their wallet connection.
These are easy pickings for a scammer. Often when they are initiating the conversation, they’ll be attempting to extract very sensitive information, like your seed phase or transfer code. Since they know this person is having trouble connecting a wallet and sending $GALA, the bad guy wouldn’t have to gain full control over the wallet to make a buck off the poor mark. Once they can grab you in DMs, they’ll start “tech support” on it, which will often end with you either sending $GALA to their address or linking your wallet to their dApp surprisingly quickly.
The key here is trust. Once someone has your trust, they can usually make you compromise one security measure or another using some tried and tested methods.
The phrase “con man” or “con artist” comes from “confidence man.” These are criminals that have always existed, though the term first came to prominence in the mid 19th century. Even back then, everyone understood that confidence alone can often be enough to win trust. These scammers sound convincing, because that’s their profession… to be confident and gain your trust.
Here we’ve got a closer look at the profile of one scammer on the prowl. They call themself a dev in their name. Well that settles that!
Notice that “Discord Owner” is in the profile description box, meaning they wrote it in themselves. Since you see it before the “Role” section when you scroll down, however, your mind can easily just associate that name with “Discord Owner” and then Admin and Mod underneath!
They have used emojis in the about me section to make their “Admin” and “Mod” text look more official, as if that were a standard tag to denote role.
As usual, it’s all very convincing until you get down to the stuff you can’t fake. This person has been a server member for a very short time… how likely is it that they are the server owner?
Finally, we come to their role and see a simple member role. Since this info is below the lies above… will a person be more likely to disregard the information they see first or second?
When taken in isolation like this, many of these tactics seem so obvious. A scammer doesn’t have to succeed every time to make off like a bandit though. During the hustle of everyday life, there’s surely a moment or two when you let your guard down. That’s payday for the scammers.
This scammer rolls a lot of the concepts we’ve discussed into one effort. Their name isn’t particularly impersonator, but they’ve included the hexadecimal ETH prefix for a small air of authority.
They see that the victim is having trouble connecting a wallet. As we discussed above, this is a prime moment for these predators to strike.
Realistically, this scammer knows that this user is likely trying to connect the wrong address… time won’t help.
At first, the scammer is just helpful. They don’t try to immediately push too hard, even mentioning that it may just need more time.
After being given a moment to consider the helpful stranger’s advice, the mark comes straight back to the scammer and asks for their help directly. Here again, we see the scammer build trust… they don’t immediately jump on the opportunity to strike but instead tell them they should talk to an admin.
When an admin fails to respond untagged after a few minutes, the scammer is quick to jump in and mention that they’ll send the mark the right way if they’d only DM them. Once the victim has reached out via DM, they’ll likely be sent a link to another user… the impersonator admin. They could also be sent a fake help desk link as we’ve seen above.
We have to stress again… absolutely anyone can fall victim to these kinds of tactics!!! People have used these kinds of cons for generations because they work! The best way to make sure that they don’t work on you is to learn about them and know better.
Did You Know? Victor Lustig famously sold the Eiffel Tower to scrap dealers in 1925… despite not being affiliated with the French Government. Later, he pulled off the exact same swindle a second time. Don’t ever think you’re immune to a good scammer!
Staying Safe and Secure
We’re being a bit drastic because this is a serious issue. Realistically, are there scammers everywhere throughout the web3 world and you should just be suspicious of everyone all the time?
No. That’s not how this goes at all. Scammers are a part of life… wherever there is opportunity for them to make a buck at someone else’s expense, there they’ll be. Once you learn how they exploit people’s trust, however, their methods are much less likely to work on you.
It’s not just about protecting yourself though. These scammers continue to escalate and find new ways to trick unsuspecting people because there ARE people who are unsuspecting. No one should spend their entire existence paranoid that a scammer is coming to get them, but someone without any of the knowledge that we’ve discussed here probably should until they learn what they need to protect themselves.
When everyone knows how these people operate, they cease to operate. Scammers abound in web3 right now because people are not informed. New technology doesn’t only bring new opportunities for the world to culturally, economically and socially advance… it always brings an all you can eat feast to those willing to prey on the uninformed.
Guarding Yourself and Your Community
Education is the answer. There are so many assumptions people have become accustomed to making in the web2 world, where we surrender our trust to corporations in digital spaces.
In the web3 world, you maintain control over your own digital footprint. That responsibility means there’s no corporate office keeping you safe anymore… To some degree, everyone needs to be responsible for themselves and know what they are doing and why.
This is not cause to bemoan that the digital villains will always be around… this is a time to celebrate! All we have to do to get rid of this web3 riffraff is empower each other with knowledge and the tools to protect ourselves. Do your own research (more on that in a future edition!) and share what you learn with your community.
Community is important. Have people you can turn to and ask for a second opinion. Have people who will watch your back and share important information and knowledge. Have a community you trust… without having to trust some faceless corporation with ownership of all your stuff.
When you get change back at the grocery store, do you tell them to hang onto it until next time? No! You put that money in your wallet where you can ensure that your property stays protected. This is the exact same in the world of blockchain. Your wallet allows you to safely store digital items like currencies and NFTs in a private place where you always have control over your property.
Welcome to our 3rd installment of The Guardian Papers – the series where we discuss how best to defend yourself from threats in the digital frontier of blockchain technology.
The revolutionary concepts of blockchain have the potential to create a better world and offer new and exciting opportunities for all its early pioneers. Just as opportunities exist for those noble individuals who champion this fledgling community, however, the villains that lurk in the shadows will also capitalize on weaknesses whenever they can.
The best defense for all of us against the thieves, scammers and general malcontents in this space is to propagate the knowledge and skills that can empower our entire community to feel empowered to defend themselves. Then we can look out for each other, serving as sentinels against all threats that may harm any citizen of the digital world.
What is a Blockchain Wallet?
The idea of a wallet seems simple enough. It’s the place where you put your money. There are certainly nuances that should go into a more formal definition, but that function is consistent with any wallet– from that leather tri-fold in your pocket to that slick hardware wallet that protects your valuable coins, tokens and NFTs.
Unlike those scraps of paper and shiny bits that people may put in a traditional wallet, however, in the crypto world your digital assets exist on the blockchain and can’t be folded up and taken with you. The blockchain itself records the history and protects the security of your transactions, and a wallet gives you your own private parking spot on the chain itself.
A place to put your stuff on the blockchain only fills half the purpose of your wallet though. As we’ve previously discussed in regards to private keys, you need your keys to be able access your assets. What good is a wallet that doesn’t open, no matter how well it protects your money? In addition to offering you an address to store your assets on the blockchain, a wallet must also offer you keys to securely access your digital hoard.
Caption: With a properly secured wallet, you can soar through the blockchain world with confidence!
What’s the Difference Between Wallet Options?
Your wallet offers you the security of having a blockchain address with public keys so you can receive and store your assets, as well as private keys so that you can securely access them.
Beyond those two points, however, there is a wide variety between different wallets and their functionality. Often people will use multiple wallets throughout their financial infrastructure for different types of assets and situations.
Supported Assets
There are many different blockchains out there, and each coin and token functions on a specific blockchain. There are certainly exceptions to this rule when dealing with more complex topics like bridges, wrapping and layer 2 solutions – but no wallet is going to support every chain and asset that exists.
The wallet provided as part of your Gala Games account is based in GalaChain and can support transactions throughout the entire Gala Ecosystem. It is also compatible with the Ethereum Network, and can bridge between the two chains using the Gala platform and hold any Ethereum assets, such as ERC-20 tokens.
It’s important to note that you can’t just send any asset to any wallet. You’ll notice that your Gala Inventory shows a different address for Ethereum and GalaChain. These are not interchangeable! Attempting to send your assets from Galachain to a blockchain address that doesn’t support them could easily result in your treasures being lost in the void of digital space.
Occasionally, you could wind up with more assets in your wallet than you realize. You’ll often need to set up support for a token on a particular wallet. In these cases, even though your items are in your wallet, you won’t be able to see them through your wallet until you follow the wallet’s procedure to add the token.
Hot vs Cold
Whether a wallet is “hot” or “cold” refers to if it has any connection to an external network. A hot wallet is any wallet that is stored on a device connected to the internet or any other network that allows it to potentially be accessed from outside the device itself. This covers most of the widely used wallets out there.
While you may only transmit public keys to sign transactions, your private keys can still be vulnerable to sophisticated attacks from outside forces. Hot wallets can certainly be secure, but also require that you pay very close attention to device security and protection and who you connect your wallet with.
Cold wallets aren’t connected to anything on any network. Your loot exists on the blockchain itself, but cold wallets store the keys to it safely offline where they can’t be accessed unless villains happen to get their hands on not only the physical device itself, but also acquire any needed passwords, PINs, seed phrases, or biometrics to open the vault. These can be set up on any unconnected device, but also includes standalone, dedicated hardware wallets that sign transactions offline within the device itself to access funds.
Features and Opportunities
Many wallets offer specific features and functionality that may make them preferable to use compared to other wallets. You may decide, for instance, that using a multi-chain wallet like Metamask is a better fit for you than another option because its browser extension is convenient to use and it can be used to hold any ERC-20 token, and it supports a ton of other networks.
You may opt instead for a more involved software wallet that offers more onboard analytics and data so that you can use it much more as a one-stop-shop for your asset management.
Just like with the management of physical assets, sometimes what works best for you has more to do with things like location and efficiency. Though the idea of location is a little different in the digital world, thinking of different blockchains as bordering countries may be a useful comparison.
There are usually ways to send your assets from their native chain to another, but it is usually far less convenient than transacting within their ecosystem within the chain. This may mean that a wallet with access to an address on a certain chain could prove more useful to you than another based on what your plans are with your digital treasures.
When Is a Wallet not a Wallet?
Your wallet and the keys that access it are your personal sovereignty in the blockchain world. There are many different types of wallets out there, but it is always important to remember that if you do not control it, it’s not your wallet.
Blockchain technology was founded on the pursuit of trustless systems. While that manifests as a spectrum across different platforms and ecosystems, if it’snot your keys, it’s not your crypto!
While having assets intertwined in curated ecosystems like centralized exchanges happens sometimes, the private keys to these coins and tokens are held by the company who runs the exchange.
A centralized exchange may have a native wallet that allows you control over your keys, but anything on the exchange itself is simply a representation of your share of ownership over the exchange’s wallet. This is often functionally the same… but in a pinch, a corporation is less worried about your interests than their own.
Reinforce Your Wallet
Your wallet is your personal treasure trove in the blockchain world, so you need to fortify it as best as possible. As we’ve discussed previously, this starts with protecting your private keys. If your most valuable treasures are stored in your own private vault, how fervently should you protect that one key?
Protecting your wallet isn’t just about keeping the bad guys out, but also ensuring that you can always get in. Recovery phrases should always be stored offline– preferably in non-digital, non-perishable formats. Getting fancy with spy-like security can be fun, but what good is your super-secure hard drive storing your recovery phrase when you spill your coffee on it?
We’ve covered a lot already in The Guardian Papers, but we’re not through yet. If you’ve missed anything that we’ve covered in our past installments, catch up below:
In our next few installments, we’ll be diving into the mind of a digital villain and breaking down some of the most common scams in the crypto world and their variations. It’s easy to think that you’ll never be fooled by those kinds of shenanigans – countless blockchain warriors have thought the same. Many have fallen to these same tactics.
More knowledge about how these enemies of personal, on-chain sovereignty can only improve your arsenal to both defend yourself and to fight back by helping to educate your fellow citizens of this new world. If you’d like to get started exploring how to get more out of your wallet, you can check out our support article on how to import your Gala Wallet into Metamask so that you can seamlessly tie your GalaChain assets into your profile on multiple chains. While you’re there, check out some other topics. Buffing your knowledge buffs your security, and none of us can let our guard down until everyone is informed enough to be secure!
