Life seems to move exponentially faster with each passing month. And while many recent innovations serve to illustrate that point, few match the nonfungible token (NFT) for the breathtaking speed with which it went mainstream.
The global market for NFTs grew to over $40 billion in 2021 and attracted stars like Tom Brady and big brands like Coca-Cola and Nike. Meanwhile, many consumers are still trying to figure out what NFTs are and why they even exist.
Cybersecurity always lags behind the digital innovations it's designed to protect – and therein lies the problem. The faster technology innovation moves, the bigger the window of opportunity for cybercriminals to swoop in and exploit the vulnerabilities. Brands are destroyed, CEOs fired, customer identities swiped and sold on the Dark Web, bank accounts raided, and credit destroyed. With NFTs, we're in that window now, and we're seeing seven primary ways that cybercriminals are exploiting the situation:
- Celebrity/brand impersonation: A scammer sets up a social media group or website using the name of a brand or celebrity. They then sell fake or nonexistent NFTs to people or use a fake NFT as a lure to swipe someone’s credentials.
- Counterfeit NFTs: Just like counterfeit currencies, a brand's NFTs can be reproduced without its knowledge or consent and then traded online. In some cases, artists and brands have discovered thousands of fake reproductions of their property in online marketplaces. Some marketplaces have developed tools to spot fakes, but it’s still a tangled mess of copyright issues given all the visuals, music, and logos involved.
- Unprotected marketplaces: Putting aside the irony of relying on centralized players like marketplaces to execute decentralized transactions, these third parties can also introduce significant risk. In the short span that NFTs have existed, more than 200 marketplaces have sprung up, and many lack the security needed to handle the impressive ingenuity of the attackers. In one scam, attackers targeted NFT marketplace users lacking two-factor authentication and used smart contracts to transfer ownership to their accounts.
- Fake platforms: There are so many NFT marketplaces that it’s relatively easy for cybercriminals to build new ones, hide in plain sight, and sell fake NFTs. Another tactic in this category is to create identical replicas of existing NFT marketplaces and use social media or email to lure people in.
- Untraceable payments: Because of the nature of cryptocurrencies, payments are very difficult to follow. The problem with untraceable transactions, in addition to circumventing taxes, is that they can be used for illegal activities – a vulnerability that cybercriminals exploit. By the time a company, artist, or celebrity realizes that something is amiss, the money is safely in the cybercriminal's bank account. It’s nearly impossible to trace and even harder to reverse.
- Cryptocurrency scams: Cryptocurrency, predominantly Ethereum, is the key payment method used in NFT transactions, and cryptocurrency scams are incredibly common. This is especially the case around highly anticipated NFT releases that generate a lot of buzz. In the inevitable buying frenzy, scammers create scam-minting sites that request users' private wallet keys. When customers, often the most fervently loyal and valuable, fall victim to these scams, they may sour on the brand.
- Text or email scams: A cybercriminal sends a malicious email notifying a person of "suspicious behavior" on one of their accounts. As that person logs in and enters their credentials, they are asked for their private wallet keys or 12-word security seed phrases. The scammers then use those credentials to hack into the user’s digital wallet and deplete all of the crypto and NFTs stored therein.
How Should Companies View NFTs Today?
NFTs represent a great opportunity for brands to build lasting loyalty with their customers. Some experts even predict they will become the central digital touchpoint between brands and their consumers. The possibilities are exciting and perhaps by then, NFTs will be mostly safe. But in this chaotic, early window where vulnerabilities are everywhere, they do pose serious risks.
Companies, as well as executives, would be wise to allocate resources to monitoring and mitigating these types of threats. Employees who handle digital assets should also be trained on how to avoid phishing attacks that target them specifically.
Someday, it will be safer to play with NFTs, but until then, we're living in the Wild West. Brands should be vigilant to ensure sites and listings promoting NFTs for sale are legitimate and not being used as an instrument by fraudsters to swindle customers out of money.