How to Buy & Sell NFTs (And Stay 100% Safe) in 2024

Katarina Glamoslija

Online hackers are heavily targeting NFT artists and collectors, sometimes scamming users out of millions. Many NFT exchanges build their platform using high-level security, but cybercriminals use many different strategies to target exploits and vulnerabilities.

Also, users who aren’t aware of the risks of buying and selling NFTs can fall victim to many different scams if they don’t follow proper cybersecurity protocols.

In this article, I’m going to cover how to stay safe when buying, selling, and storing NFTs, plus the most common risk factors users must know before venturing into the world of digital assets.

Please note: None of the information in this article should be construed as or used as financial advice. If you’re considering trading NFTs as an investment vehicle, you should speak to a professional financial advisor with knowledge on digital assets, including NFTs and cryptocurrencies. Also, you should always do your own research before investing, buying, selling, or trading NFTs and cryptocurrencies, and you should understand the risks associated when dealing with the aforementioned assets.

What Is an NFT?

An NFT is like a digital signature (referred to as a “Token”) that verifies ownership of an asset — anything from digital art and collectibles to real estate. You can think of NFTs like the deeds to a house. The deeds aren’t the house itself, but proof of ownership of the house. In the same way, an NFT isn’t the piece of digital art, but rather a token that proves ownership of the digital art.

NFTs operate using blockchain technology, which is the technology responsible for transacting and storing NFTs. Using cryptography, blockchain networks enable trusted transactions without the need for an intermediary (like a middleman) and ensure all records are stored securely.

NFT stands for non-fungible token. “Fungible” refers to the ability to easily transact one asset for another like-kind asset. For example, dollars are fungible as you can easily exchange one dollar bill for another one dollar bill without the value being affected. An asset that is “non-fungible” means there aren’t any like-kind assets for which it can be easily exchanged. Non-fungible items are typically unique, like bespoke watches, collectible figurines, and original art pieces. So, as an NFT is unique, it cannot be directly exchanged for another NFT. The “token” part of non-fungible token simply refers to the digital signature that proves ownership — if you have the unique signature or “token” associated with an asset, you can verify that you own the asset.

But are NFTs 100% safe?

Common Threats Affecting NFT Users

While the blockchain technology that’s used to power NFTs is safe, there are still a few ways NFT users can be at risk, including wallet hacks, NFT platform vulnerabilities, malware exploits, phishing attacks, and social engineering scams.

Hidden Malware Downloads

NFT platforms have had security flaws exposed that allow hackers to “airdrop” NFTs with malicious attachments to users’ wallets. “Airdrop” or “airdropping” means sending an item to a user’s crypto wallet for free, which is a common and legitimate promotional tool used by cryptocurrency and NFT projects. However, when an airdropped NFT is bundled with malware, unsuspecting users can accidentally download the malware and have all of their private data stolen, including crypto wallet passwords, private keys and backup phrases, personal information, and more.

Phishing Attacks

NFT users can become targets of various phishing attacks, from email phishing attacks to fake web pages that mimic legitimate NFT platforms. Hackers use phishing to deceive NFT users into giving away their crypto wallet private keys or backup phrases, which are then used to steal the user’s wallet funds and NFT collections.

Phishing attacks have become more advanced, with users also being affected by “smishing” — a form of phishing where hackers send deceptive SMS text messages to a user’s phone, encouraging them to click on a malicious link or convincing them to send two-factor authentication codes that are protecting their NFT wallets or online accounts.

Also, hackers create fake web pages that look like NFT platforms or like the official website of a popular NFT collection, and then publish ads encouraging users to click onto the fake site. From there, users are encouraged to enter sensitive information (like recovery phrases) so hackers can access their crypto wallet and steal NFTs and cryptocurrency funds.

Social Engineering

Cybercriminals can convince users into giving away their private details by using techniques like social engineering. Social engineering requires scammers to dig deep into the target’s personal life to find the best ways of interacting with them. For example, scammers might look at a target’s personal interests and play on them to build trust during initial discussions.

There are more crude forms of social engineering, such as scammers creating fake customer support Twitter accounts for top NFT platforms like OpenSea, or posing as employees on a legitimate platform’s Discord server. But social engineering attacks can be highly sophisticated and well organized to the point that hackers can scam proficient NFT users.

Some examples include scammers posing as a legitimate business wanting to partner with well-established NFT traders, with whom they build a rapport, and eventually deceive the target into sending cryptocurrency funds to a scam wallet.

Wallet Hacks

Crypto wallets can be vulnerable to hacking if the user doesn’t follow the best security practices. Hacks usually occur as a result of phishing, but hackers can also use malware such as spyware and keyloggers that covertly track a user’s activity on their device in order to steal their sensitive data.

To prevent hacking, it is essential to securely store your crypto wallet private keys and create a strong wallet password. It’s also important to install a reliable antivirus program like Norton for Windows or Intego for Mac to ensure your system is free of spyware, keyloggers, and other data-stealing malware.

Fake NFTs

Scammers will create fake NFTs that copy popular NFT collections. It’s the equivalent of fake concert tickets. Identifying fake NFTs can be difficult, but most fakes have similar characteristics, including:

• Significantly lower price than original NFTs.
• Not verified (they don’t have a blue checkmark on the listing).
• Not listed as part of the original collection.
• Different contract address from the original (legit) contract address.
• Low trading volume.

Unsuspecting users will purchase the fake NFTs usually because they’re priced a lot lower than NFTs from legitimate collections, leading them to believe they’re getting a good deal. If you’re unsure, only buy NFTs from verified collections (watch for the blue checkmark).

How to Protect Yourself When Buying & Selling NFTs

There are several best practices you should follow to protect yourself when dealing with NFTs and also when you’re simply browsing online.

1. Set Up a Reputable Crypto Wallet

You’ll need to choose a crypto wallet that’s compatible with the NFT platform you want to use. Most wallets come as web browser extensions. Ensure that you’re installing the wallet from a trusted source.

Here are some of the most commonly used crypto wallets:

• MetaMask (most popular for Ethereum-based platforms).
• Phantom (for Solana-based platforms).
• Galleon (for Tezos-based platforms).

However, if you’re using a cryptocurrency exchange-based NFT platform, like Binance’s or FTX’s NFT platform, you won’t necessarily need a third-party crypto wallet — just the wallet provided with your cryptocurrency exchange account. Once you’ve installed the crypto wallet, you’ll need to follow the next steps to ensure your security.

2. Store Private Keys & Wallet Backup Phrases

Next, you must safely store your crypto wallet’s private keys and backup phrases. You should NEVER share your private keys or recovery phrases with anyone! If someone asks for your wallet’s private keys or recovery phrase online, do not respond. Private keys are needed to verify outgoing transactions from your crypto wallet — no one can send funds from your wallet unless they have the private key to sign each transaction. Recovery phrases are required if you lose access to your wallet.

Storing your private keys is best done offline using a hardware wallet (like a Ledger or Trezor) — a small device that looks similar to a USB thumb drive. You can also print out a “paper wallet” that includes your wallet’s private keys. It’s a good idea to laminate your paper wallet to protect it from damage.

You should write your recovery phrases on a piece of paper, card, or get a metal crypto wallet — a steel device that allows you to store your recovery phrases. I recommend making at least two copies of your recovery phrases and securely storing them in different places. If you want to ensure a trusted person has access to your crypto wallet private keys or recovery phrases in the event you can’t access them, you should give them clear directions on where they can access your safely stored private keys and wallet recovery phrases and what to do with them.

3. Create Strong Passwords

Creating a strong password for your crypto wallet and NFT platform accounts is a must. This is best done using a good password manager, like Dashlane or 1Password.

Using a password manager, you can easily generate passwords that are long, complex, and virtually impossible for anyone to crack. And if you want to change your wallet password (which you should do regularly for maximum security), a password manager will make the process of doing so a lot easier.

For maximum security, you should be using a reliable password manager for all of your online accounts. Password managers help you ensure all of your passwords are secure and that you’re not reusing old passwords that could compromise the security of your online accounts.

4. Enable Two-Factor Authentication (2FA)

Two-factor authentication (2FA) requires you to provide an extra layer of verification to access your online accounts. This means that, if hackers steal the password to your NFT platform account, they won’t be able to access the account unless they have an extra code. There are many forms of 2FA, including time-based one-time passcodes (TOTPs), fingerprint scanning, facial recognition, and SMS codes. For the most security, I strongly recommend avoiding SMS codes and instead opting for TOTP apps like Google Authenticator — it’s the most commonly offered 2FA option, secure, it’s easy to set up. The best password managers on the market also include various 2FA options.

5. Install an Antivirus & Internet Security Protections

Top antiviruses like Norton help protect your system from both known and emerging malware, including data-stealing malware files bundled with malicious NFTs. However, it’s also a good idea to run a full system antivirus scan before dealing with crypto wallets and NFTs to ensure there is no spyware or keylogging malware hidden on your device that is secretly recording your every move.

Internet security protections are just as important as antivirus scanning, as they will protect you from phishing pages, email phishing attacks, and other online threats. Some mobile antivirus apps even offer scam SMS protection (click here if you’re interested in Android antivirus apps, or here if you’re looking for an iOS security app). The best antiviruses in 2024 all include advanced security features to keep your system (and your sensitive data) protected from all kinds of threats, including ransomware, spyware, keyloggers, phishing attacks, and more.

6. Enable Crypto Wallet Security Settings

Reputable crypto wallets include extra security protections to keep you safe when buying and selling NFTs. For example, MetaMask’s wallet has phishing protections enabled by default, and it also alerts you to incoming transactions (like airdropped NFTs).

Be on the lookout for incoming notifications that require you to sign for an unexpected transaction, or random pop-ups prompting you to input your wallet passphrase or private key, as it could be a bad actor trying to trick you into giving away your funds or private keys. Most crypto wallets are yet to offer two-factor authentication. But if your crypto wallet does offer a two-factor authentication setting, be sure to enable it.

7. Ensure You’re Using Official Websites & Apps

When you’re accessing NFT platforms like OpenSea, make sure to check the site’s URL. Hackers can create spoof websites that mimic popular NFT platforms and create the website’s URL to look almost identical. For example, instead of OpeSea.io, hackers may put 0penSea.io, ÖpenSea.io, or OpenSeaa.io — subtle differences that can easily be missed. To combat this, I recommend visiting the platform’s official and verified Twitter page and accessing the link in the bio.

Also, be sure that you’re downloading official NFT mobile apps and official crypto wallet mobile apps. Hackers like to populate mobile app stores like Google Play with fake apps, designed to steal a user’s funds. Always make sure the app you’re downloading is legitimate. Apps like Norton Mobile Security can help detect malicious apps on various app stores.

8. Avoid Unofficial NFT Platform Accounts, Pages & Groups

Scammers target NFT users by creating fake social media accounts, Telegram channels, subreddits, and Discord servers. They also pretend to be customer support representatives and often respond to users seeking support from official NFT platform accounts on platforms like Twitter. Users can be fooled into thinking they’re getting a response from the legitimate platform, and the scammers will attempt to gain access to the user’s funds by requesting private keys, passwords, and recovery phrases.

But bad actors can go one step further, creating entirely fake pages and groups, which unknowing users can interact with thinking the page or group is legitimate. The scammers will then attempt to acquire the user’s private keys directly via message or by using phishing attacks. Always verify the authenticity of the page or groups you interact with. Look for verified tags on social media pages or access group chat channels directly from the official website of the NFT platform.

Bottom Line

To stay safe from online threats faced by NFT users, employ the best security practices, like securely storing your crypto wallet private keys and recovery phrases, to make certain your NFT collection and crypto wallet funds are safe from hackers. Creating strong passwords (with a good password manager like Dashlane) across all online accounts is a must, and you should keep your device protected from NFT-bundled malware using a reputable antivirus like Norton for Windows or Intego for Mac. And for maximum safety, you should also ensure you’re using official NFT platforms and buying NFTs from verified collections.

Frequently Asked Questions — How to Safely Buy & Sell NFTs

Are NFTs safe and are there any risks?

Yes. NFTs are safe when bought or sold on reputable NFT exchanges, and they cannot be stolen if users properly secure their crypto wallets.

But there are some risks to be aware of, including fake NFTs, NFTs bundled with malware, social engineering scams, and phishing attacks.

Other risks include users not creating strong passwords, not securing their recovery phrases, and losing access to their wallet private keys. That’s why you should always safely store your recovery phrases and private keys.

How do you keep NFTs safe from hackers?

To keep your NFTs safe from hackers, you need to follow several steps, including creating strong crypto wallet passwords, storing your private keys offline using a hardware wallet, and creating an offline copy of your recovery phrases.

You also need to look out for online scammers that disguise themselves as employees or contributors to legitimate NFT platforms while asking you for your crypto wallet private keys.

To be clear, NEVER share your private keys or recovery phrases with anyone online who asks for them!

Which crypto wallet is best for NFTs?

It depends on your needs, but some of the most popular crypto wallets for NFT users include:

• MetaMask
• Coinbase Wallet
• Phantom
• Galleon

Most crypto wallets offer similar functions, but you’ll need to ensure the crypto wallet you choose is compatible with the NFT platform you’d like to use.

If you decide to buy, sell, or trade NFTs from an established cryptocurrency exchange that offers an in-built NFT marketplace, like FTX or Binance, you don’t necessarily need a third-party crypto wallet, as you have an internal exchange wallet linked to your exchange account.

How does a hardware wallet protect your NFTs?

Hardware wallets store your crypto wallet private keys offline. For example, you can connect a Ledger hardware wallet to the MetaMask software wallet, and then export your MetaMask wallet private keys to the Ledger device, so you’ll be required to confirm all crypto wallet transactions by inserting your Ledger device.

This means that even if a hacker had access to your crypto wallet password, they would not be able to steal your funds as they do not possess the private keys required to send NFTs or cryptocurrencies from your wallet to their hacker wallet.