What is a MetaMask Scam?
Scams are everywhere, and there is one type that’s disturbingly common: the MetaMask scam. MetaMask is a self-custody Ethereum wallet that integrates into and runs on a variety of internet browsers, such as Chrome, Brave, Microsoft Edge, and Firefox. MetaMask wallets give people a user-friendly entry point into the blockchain ecosystem, a place where they can buy, store, and trade cryptocurrencies on a variety of blockchains. Below are some lightning-fast facts about MetaMask to give you a bit of context.
- MetaMask is classified as a ‘software’ crypto wallet because it is a computer program run on your browser, as opposed to an offline, often physical ‘hardware’ wallet.
- ‘Software’ wallets are typically less secure than ‘hardware’ wallets because you must connect to the internet to use them, increasing your vulnerability to hacking.
- MetaMask wallets are ‘self-custody.’ This means you, and you alone, own and control your wallet and the crypto therein. You are solely responsible for your crypto’s safety.
Now that you know what MetaMask is, let us look at MetaMask scams.
The term “MetaMask scam” is a bit of a misnomer as I have not found any scams that are specifically created for MetaMask. The phrase encompasses a whole host of common crypto scams targeted towards MetaMask because of MetaMask’s massive user base and well-established name. The scams are modified to target MetaMask, but the scammers have not created anything new; they’ve merely repackaged old tricks. The goal of the scammers is still to steal your login credentials (email, password, or the ultimate prize, your 12-word secret recovery phrase) to gain access to your wallet and drain your cryptocurrency.
Is MetaMask Safe?
Before we dive in, I want to address a question you may have if you are researching MetaMask scams. Is MetaMask safe? The answer is yes, as safe as software wallet providers come. MetaMask is trusted by over 30 million users and is dedicated to protecting those users from loss of assets. They encrypt user information, require seed phrases for the wallets, and do as much as a provider can to ensure user safety. But they cannot guarantee a user’s safety. Your wallet belongs to you, and it is your responsibility to protect your sensitive wallet information (password, recovery phrase) because if it leaks, MetaMask cannot prevent a scammer from accessing your wallet with your credentials and stealing your crypto.
Common MetaMask Scams
Some common MetaMask scams include:
- Phishing scams;
- Airdrop scams;
- Fake MetaMask extensions; and
- Fake support scams.
Phishing Scams
One phishing trap to watch out for is the old classic that involves sending an email appearing to be legitimately from MetaMask. It will inform you of some issue with your wallet or some great financial opportunity and practically beg you to click a link. If you are unsure if an email is from MetaMask, check the sending email address carefully for typographical errors. MetaMask has published an article on how to identify their legitimate emails, listing certain criteria that a legitimate email will adhere to.
Another phishing trap involves fake websites. Scammers are scarily good at recreating legitimate websites that rank highly on Google’s search engine, with domains that look so close to correct that you may pass your concerns off as your eyesight failing. First of all, grab your glasses. Second, for maximum safety, it is recommended that you manually type the domain into the web browser. For MetaMask specifically, the domain is metamask.io.
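The domain check described above can be automated. The following is an added example, not code from MetaMask or from the original article: it classifies the host of a URL against metamask.io and goes slightly beyond the text by also folding look-alike Unicode letters and punycode labels. The confusables map, the distance threshold of 2 and the "last two labels" shortcut are assumptions made for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

OFFICIAL = "metamask.io"   # the only domain the article names as legitimate
BRAND = "metamask"
# Constructed, deliberately small map of Cyrillic letters that render like Latin ones.
CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u043a": "k",
                             "\u043c": "m", "\u0442": "t", "\u0455": "s", "\u0456": "i"})

def hostname(url):
    """Lowercased host of a URL; tolerates a missing scheme, '' if unparsable."""
    try:
        host = urlsplit(url if "://" in url else "https://" + url).hostname
    except ValueError:
        return ""
    return (host or "").rstrip(".")

def fold(host):
    """Reduce a host to the ASCII string a reader would think they are seeing."""
    try:
        host = host.encode("ascii").decode("idna")   # expand xn-- (punycode) labels
    except UnicodeError:
        pass                                         # already Unicode, or not valid IDNA
    host = unicodedata.normalize("NFKD", host.translate(CONFUSABLES))
    return "".join(c for c in host if not unicodedata.combining(c))

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Return 'official', 'lookalike', 'unrelated' or 'invalid' for the host in url."""
    host = hostname(url)
    if not host:
        return "invalid"
    if host == OFFICIAL or host.endswith("." + OFFICIAL):
        return "official"
    seen = fold(host)
    registrable = ".".join(seen.split(".")[-2:])     # simplification: no public-suffix list
    if BRAND in seen.replace("-", "") or edit_distance(registrable, OFFICIAL) <= 2:
        return "lookalike"
    return "unrelated"
```

Only the exact host or a subdomain of metamask.io is treated as official; a host that merely contains or resembles the name is reported as a lookalike.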
Airdrop Scams in MetaMask
Free money. That is what airdrop scams promise. A benign airdrop is marketing. Free tokens are distributed among wallets to increase awareness about a new crypto coin, or to reward new or early investors. Airdrop scams mimic this by mass-sending new and mysterious crypto tokens to MetaMask users. When you attempt to use these coins – swap them, trade them, or sell them – the transaction will fail, and you will be sent to a third-party website and asked for your wallet login or recovery phrase. Once you have given your personal information, the scammers have access to your MetaMask wallet, and your funds are vulnerable. You should never input your wallet credentials into a third-party app or website, only into MetaMask itself.
Fake MetaMask Extensions
MetaMask runs as a browser extension on whatever internet browser you happen to use. I cannot imagine it would be any sweat for a scammer to build a fake MetaMask extension and prompt you to download it, perhaps under the guise of an app update. They will likely ask you to log in to your MetaMask wallet so they can capture your details and recovery phrase. There will be tell-tale signs: scammers cannot use the proper MetaMask domain, metamask.io. Be careful when downloading or updating, and only do so from the verified website. Simply double-checking could save you a good deal of grief.
Fake Support Scams in MetaMask
If you are having trouble with your MetaMask wallet, where is the first place you are likely to go? Some go to Google, a techy friend or family member, or the MetaMask support chat for direct help. Scammers targeting MetaMask users want you to talk to them, to have their number be the one you call when you need help, so they can social engineer you into giving up the keys to your cryptocurrency. They are particularly good at spreading themselves, their numbers, and their emails, in Discord groups or social media. If you need help from MetaMask, and a number of us do because blockchains can be confusing, go to their website and find a verified MetaMask number, email, or support chat to help you.
How to Protect Your Wallet from MetaMask Scams
Now that we have looked at a couple of the different scams, I want to condense the general principles you can take away on wallet protection.
- First: do NOT share your private keys or secret recovery phrase. This applies across the board. If you share your keys or recovery phrase with anyone online, the chances rise significantly that a scammer will find it and use it to compromise your wallet. If someone asks for your sensitive wallet information, run. MetaMask will never ask you for your secret recovery phrase.
- Second: be careful when visiting the MetaMask website that you are on the correct domain (metamask.io). If in doubt, enter it manually into the web browser. Double-check the URL before entering sensitive information such as emails, passwords, or your recovery phrase.
- Third: be wary if you happen to receive an email claiming to be from MetaMask. MetaMask is aware of phishing attacks and has an article written on how to identify their legitimate emails. Check the email you received against their listed criteria and see how it stands.
- Fourth: all updates, downloads, and general MetaMask business should be conducted from the MetaMask website. This should reduce your risk of falling for malicious material that could give scammers opportunities for hacking.
What if I am Scammed in MetaMask?
Scammers are wily. They are there, actively fighting to find a chink in your armor, a crack in the security. Be careful. No one is above being scammed. But you can significantly reduce your risk by taking care, doing due diligence, double-checking web domains and email addresses. And if you do make a mistake and fall prey to a scammer, there are people to help you. MetaMask has an article on options for victims of scams on their site. They list steps such as reporting the suspected scammer’s public blockchain address, website, and/or email to MetaMask and contacting the local law enforcement authorities, all of which are good steps to take in the event of a scam.
In addition, Rexxfield has been aiding the victims of scams and cybercrime since 2008. If you have been the victim of a MetaMask scam, please contact Rexxfield immediately to discuss your options. We are first responders and can trace your lost crypto across the blockchain. We also use OSINT (Open-Source Intelligence) to analyze emails, phone numbers, and web domains to uncover the scammers’ online footprint, and identify witnesses both on and off the blockchain that can provide crucial identifying information to law enforcement. Scams are everywhere, and every day more people fall prey to heartless scammers looking for another big payday without regard for those they hurt. While it may seem otherwise, if you have been scammed, there are always options. Rexxfield is at your service.