From advance-fee emails to phishing attacks, the Internet is awash in scams. Blockchains are no exception: their cryptography protects keys and signed transactions, but it cannot protect a user who is talked into revealing a key or signing a transaction that does something other than what they expect. Fortunately, most scam attempts exhibit red flags that savvy users can learn to spot.
Because breaking a blockchain's cryptography outright is impractical, most attacks rely instead on social engineering: convincing users to willingly hand over their private key or recovery phrase, or to approve a transaction they do not understand. These attacks range from offering a user an exceptional opportunity to posting deceptive links that earn a user's confidence and then compromise their account.
Here are some red flags to watch out for online. Some are specific to blockchain, although most apply everywhere.
- Unrealistic returns: If an investment promises extraordinarily high returns with little risk, it's likely a scam. Remember, high returns often come with high risks.
- Unsolicited requests for personal information: Never share a private key, recovery phrase, password, or personal details in response to an unsolicited message or email. No legitimate support team needs your private key or recovery phrase to help you.
- Phishing links: Double-check links before clicking them. Scammers use deceptive links to steal login credentials or install malware, and a link's visible text can differ from where it actually points. Instead of clicking a link in a message or email, go to the site through a bookmark or a web address you have verified before; if you do use a search engine, remember that scammers also buy ads that appear above the real site, and check the address bar once the page loads.
- Pump-and-dump schemes: Be cautious of projects that promise rapid price increases. They may be an attempt to inflate the price of an asset so early investors can sell, quickly deflating the asset's value.
- Suspicious requests: If something feels a little off or seems suspicious about an online opportunity, it's best to err on the side of caution and do more research.
The image above shows a website that purports to be about Mysten Labs' Quest 3, yet several red flags indicate it is a scam. First, the site is not hosted at the official Quest address, quests.mystenlabs.com. Second, neither the Quest campaign nor SuiFrens uses the term "airdrop". Third, the only action a user can take on the site is to connect a wallet, and as soon as they do, the site asks them to approve a transaction.
Finally, the wallet's transaction dialog shows that one of the coins is "unrecognized": the coin carries the SUI name but is not the native SUI coin type the wallet knows, so the transaction would take real SUI from the user's wallet and hand back a worthless imitation. To drive traffic to the site, the attackers behind this campaign first send unsolicited NFTs to people's wallets, a common scam tactic. Whatever a page claims, read the transaction dialog before approving: the amounts and coin types it lists are what will actually happen on chain.
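To make the "unrecognized coin" red flag concrete, here is an added Python example (not code from Mysten Labs, the Sui wallet, or this article) that inspects the per-coin balance changes a Sui dry run reports for the signer and flags the pattern described above: native SUI leaving the wallet while a coin of some other, unrecognized type arrives. The sample balance-change list is constructed for illustration, the signer address `0xabc` and the lookalike package `0xdeadbeef` are hypothetical, and the field names follow the `balanceChanges` array returned by the `sui_dryRunTransactionBlock` RPC method.

```python
import json

# Native SUI, in the short form for package 0x2.
SUI_COIN_TYPE = "0x2::sui::SUI"
MIST_PER_SUI = 1_000_000_000

# Coin types this reviewer already knows; anything else is "unrecognized",
# the same word the wallet dialog in the article uses.
KNOWN_COIN_TYPES = {SUI_COIN_TYPE}

# Constructed sample: the `balanceChanges` array of a dry run, as seen by the
# signer 0xabc (hypothetical address). The second entry is a hypothetical
# lookalike coin published from package 0xdeadbeef that reuses the sui::SUI name.
SAMPLE_BALANCE_CHANGES = json.loads("""[
  {"owner": {"AddressOwner": "0xabc"},
   "coinType": "0x0000000000000000000000000000000000000000000000000000000000000002::sui::SUI",
   "amount": "-5000000000"},
  {"owner": {"AddressOwner": "0xabc"},
   "coinType": "0xdeadbeef::sui::SUI",
   "amount": "5000000000"}
]""")


def normalize_coin_type(coin_type: str) -> str:
    """Canonicalize the package address in a `package::module::Name` type so
    the 32-byte form of 0x2 and the short form compare equal."""
    addr, _, rest = coin_type.partition("::")
    addr = addr.lower()
    if addr.startswith("0x"):
        addr = "0x" + (addr[2:].lstrip("0") or "0")
    return f"{addr}::{rest}"


def summarize_signer_changes(changes, signer: str) -> dict:
    """Net change per coin type for `signer`, in base units (MIST for SUI).
    Entries owned by other addresses are the counterparty's side and are skipped."""
    totals: dict = {}
    for change in changes:
        if change.get("owner", {}).get("AddressOwner") != signer:
            continue
        coin_type = normalize_coin_type(change["coinType"])
        totals[coin_type] = totals.get(coin_type, 0) + int(change["amount"])
    return totals


def review_balance_changes(changes, signer: str, known=KNOWN_COIN_TYPES) -> list:
    """Human-readable warnings a user should read before approving."""
    totals = summarize_signer_changes(changes, signer)
    warnings = []
    for coin_type, amount in totals.items():
        if coin_type in known:
            continue
        warnings.append(f"unrecognized coin type {coin_type} ({amount:+d} base units)")
        # Same module::Name as native SUI but a different package: a name-alike.
        if coin_type.split("::", 1)[1] == SUI_COIN_TYPE.split("::", 1)[1]:
            warnings.append(f"{coin_type} reuses the sui::SUI name; only the package differs")
    sui_out = -totals.get(SUI_COIN_TYPE, 0)
    if sui_out > 0:
        warnings.append(f"{sui_out / MIST_PER_SUI:g} SUI would leave the signer")
    return warnings


def is_fake_coin_swap(changes, signer: str, known=KNOWN_COIN_TYPES) -> bool:
    """The exact pattern from the article: real SUI out, an unrecognized coin in."""
    totals = summarize_signer_changes(changes, signer)
    loses_sui = totals.get(SUI_COIN_TYPE, 0) < 0
    gains_unknown = any(t not in known and amt > 0 for t, amt in totals.items())
    return loses_sui and gains_unknown


if __name__ == "__main__":
    for line in review_balance_changes(SAMPLE_BALANCE_CHANGES, "0xabc"):
        print("WARNING:", line)
    print("reject:", is_fake_coin_swap(SAMPLE_BALANCE_CHANGES, "0xabc"))
```

The point of the normalization step is that the same coin can be printed with a 32-byte or a short package address; a check that compares raw strings would miss a genuine SUI entry and could be fooled by a lookalike that only differs in the package part.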
A few red flags indicate the message shown above is a phishing attempt. First, the recipient did not solicit it and had not reported any issue. Second, it includes a link to "SUI Support". The term "SUI" is used only for the token, while "Sui" is the name of the protocol, a distinction an official message would get right. Third, the Sui Foundation does not maintain a support link or live chat; builders typically use the Sui Forums or Discord to get help from the community. Individual projects may offer their own user support, but it would be linked from the project's own website, not sent unprompted.
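As an added example, not code from this article or from Mysten Labs: a Python check for the "double-check links" advice above and the two lures described (the unofficial Quest site and the "SUI Support" link). It reduces a URL to the host a browser would actually connect to and flags the usual disguises: a trusted name used as a subdomain of another domain, a trusted name placed before an `@` so it lands in the userinfo part, one- or two-character typosquats, and internationalized (punycode) labels that hide homoglyphs. `TRUSTED_HOSTS` holds only the Quest host named above; the other domains in the usage and test are constructed.

```python
from urllib.parse import urlsplit

# Hosts the user has confirmed out of band (bookmark, printed docs, a trusted
# announcement). The Quest host comes from the article; add your own here.
TRUSTED_HOSTS = {"quests.mystenlabs.com"}


def normalize_host(url: str) -> str:
    """Host a browser would actually connect to: lowercased, userinfo and
    path stripped, internationalized labels rendered as punycode (xn--...)."""
    if "://" not in url:
        url = "https://" + url  # bare "host/path" still parses as a host
    host = urlsplit(url).hostname or ""
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        pass  # leave odd input as-is; it will not match a trusted host anyway
    return host.lower().rstrip(".")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str) -> str:
    """'trusted' only on an exact host match; 'lookalike' for the usual
    tricks; 'unknown' for everything else (treat unknown as untrusted)."""
    host = normalize_host(url)
    if not host:
        return "unknown"
    if host in TRUSTED_HOSTS:
        return "trusted"
    # A punycode label means the visible name contained non-ASCII characters,
    # the classic homoglyph disguise (Cyrillic 'а' standing in for Latin 'a').
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike"
    for trusted in TRUSTED_HOSTS:
        # Trusted name used as a subdomain of the attacker's domain.
        if host.startswith(trusted + "."):
            return "lookalike"
        # A character or two off: mystenlabs vs mystenIabs (capital i) or mystenlab.
        if edit_distance(host, trusted) <= 2:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links; only the first is the real Quest host.
    for link in [
        "https://quests.mystenlabs.com/",
        "https://quests.mystenlabs.com.sui-airdrop.example/claim",
        "https://quests.mystenIabs.com/",
        "https://quests.mystenlabs.com@evil.example/",
    ]:
        print(f"{classify_link(link):9s} {link}")
```

Note that the `@` case returns "unknown" rather than "lookalike": the trusted name never reaches the host position, so the only safe verdict is that the destination is not one you trust. An "unknown" result is not an endorsement; the check only tells you which category of caution applies.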
Do your research
Beyond maintaining an awareness of these specific red flags, users can protect themselves by conducting research before engaging with an online entity. While some of these research strategies apply everywhere, such as ecommerce sites and ads, others leverage the specific qualities of blockchain technology.
- Investigate the project: Look for information about the project team. Scams often use anonymous teams or fake profiles. Legitimate projects are usually transparent about who is building them.
- Verify official channels: Always check official websites, social media accounts, and communication channels for announcements and updates. Scammers often impersonate official sources.
- Seek community feedback: Engage with the community and see what others are saying about the project. Be cautious if there are many negative reviews or warnings.
- Check for verified contracts and addresses: Take package and contract addresses only from the project's official site or documentation, and compare them character by character with what the block explorer shows before you interact. Two contracts with the same name but different addresses are different contracts.
- Check smart contract audits: Verify whether the project's smart contracts have been audited by reputable third-party firms, and read the report rather than stopping at the badge. An audit reduces risk but does not eliminate it, and it covers only the version that was audited, so confirm that the deployed code matches.
- Look for red flags in whitepapers: Read the project's whitepaper for a detailed understanding of their goals and technology. Watch out for poorly written or vague documents.
The Sui community can help combat scams and phishing attempts by reporting them through the Sui Foundation security issue reporting form.