At OpenSea, we’re constantly taking steps to improve trust and safety in the NFT space and ensure users feel confident connecting with us in all of our community channels. However, safety in web3 also requires users to stay vigilant and protect themselves on Discord and other third-party community platforms.
How to stay safe on Discord
In OpenSea’s Discord server, you’ll find several channels where you can hang out and discuss the latest NFT trends with your fellow community members – and we encourage you to engage! That said, when seeking help from OpenSea support reps, we recommend reaching us through our official OpenSea support channel, support.opensea.io.
When engaging and asking questions of the broader community on Discord, always be cautious. All OpenSea staff and official Discord moderators can be identified by a green checkmark in front of their username (see below).
And again, for official customer support, please contact our 24/7 support team at support.opensea.io.
As a general reminder, OpenSea staff will NEVER:
- Send DMs to you first.
- Ask for your crypto wallet seed phrase.
- Ask to see your crypto wallet QR code.
- Ask you to sign any message with your wallet or send you to a link that asks you to sign a message with your wallet.
- Ask you to verify your identity in any capacity, e.g. through a link to an external website to log in to.
- Invite you to a different Discord server.
- Ask you to transfer cryptocurrencies or NFTs on their behalf.
- Ask you to click on any links besides support.opensea.io, twitter.com/opensea and twitter.com/opensea_support.
- Ask you to scan a QR code for collection verification or for technical support.
If you have received one of the requests listed above, it is likely a suspicious request. Please report the sender to Discord.
Safety First: Best Practices
Below you’ll find a series of operational security (opsec) best practices that users of all backgrounds should maintain on a regular basis. With bad actors constantly on the move, even the most experienced web3 users can fall victim to scams and phishing attempts across the community ecosystem.
1) Avoid DMs
We recommend that you block DMs for Discord. To do so:
- Right-click on the server logo.
- Click on “Privacy Settings”.
- Disable DMs.
- If you want to take extra precautions, you can disable all direct messages by default in servers.
In general, most scam and phishing attempts begin through DMs. Be suspicious of any requests from strangers and always vet them. This applies to other chat apps frequently used in the web3 community like Telegram and Signal.
2) Be cautious of friend requests
Most popular Discord servers in web3 will have DMs turned off by default. In this situation, the only way DMs can take place is if users are already connected through an existing conversation, or if another member (nefarious or not) issues a friend request.
If you need to connect over DMs, it’s best to vet and confirm if the other party is who they say they are. You can screenshot their request and confirm its authenticity directly with that party over Twitter or email.
3) Don’t click on unfamiliar links or download unknown files
This tip is as old as the internet but just as relevant in web3.
Whether in Discord or elsewhere, avoid clicking on unfamiliar links and downloading files, as they may contain malicious scripts that will compromise your account (or worse, your device). Be highly suspicious of any request that requires you to install or run any program. Even an action as simple as installing a bookmark may compromise your Discord account.
4) Use timestamp-based Two-Factor Authentication (2FA)
Discord offers SMS as a method of 2FA. However, receiving 2FA via SMS is a possible risk vector if your phone’s SIM card has been compromised. It’s best to use a timestamp-based method of 2FA with apps like Google Authenticator. You can toggle this in your Discord settings.
In general, you should apply timestamp-based 2FA to all of your main web3 apps, if possible.
5) Use multiple accounts & devices
Discord recently released a new feature that lets you manage multiple Discord accounts on one device. If you are a member of different web3 communities, using dedicated accounts for specific servers is an effective way to reduce risk. One step further is to use a dedicated device for Discord. For example, you can install Discord on an older smartphone and log in to your Discord account via your browser.
What should I do if I have been compromised?
If your Discord account has been affected, please contact Discord and create a new account.
If you think you may have clicked a link to a malicious website or scanned a malicious QR code, we recommend installing a new wallet, and moving your items to it ASAP.
Please contact OpenSea at support.opensea.io for official customer support.
If you see something suspicious, please let us know.