Precautions you need to take when buying or selling NFTs

In this security series article, we'll cover the most prevalent types of virtual scams and provide tips for safeguarding your NFTs.

We previously explained that the blockchain is a public and unchangeable ledger, offering more security and transparency than traditional banking operations. However, since this is a new technology for many, some dishonest people try to scam others, just like in any other financial sector. Therefore, learning how to protect yourself from cybercriminals is essential to ensure your safety.


Is this message a scam?

Have you received a message from a buyer or seller who experienced a failure during the transaction? Stay tuned!

If the message looks like a scam, it probably is. Scammers will always try to create exceptional situations, such as unexpected errors, legal procedures with attorneys, and suspicious messages. We are not saying that all unusual messages are scams. Sometimes the seller and buyer face failure and need help figuring out what to do. But before answering these messages, you need to take some precautions. We will teach you how to easily identify a scam by showing real examples of virtual scammers:


The fake sender

Beware of scam messages that may appear as errors or communication issues. These scams can come in emails or messages that claim to inform you of a failure or provide guidance for next steps. It’s crucial to check the domain of the message’s sender to ensure its authenticity. We will only contact you through our domain @kanazawa.io, such as contact@kanazawa.io, mailing@kanazawa.io, nft@kanazawa.io, and more. Likewise, marketplaces like OpenSea.io will only contact you via the @opensea.io domain. Be cautious of messages from unknown sources, as they may be scams. Here are two examples of scam messages to watch out for:

Notice that the URL domain is opeseal-nft.su; the official website of OpenSea is opensea.io. In other words: this is a fake website trying to impersonate OpenSea.

Sites like OpenSea may have subdomains, such as their test area at testnets.opensea.io or OpenSea Pro at pro.opensea.io. Note that all subdomains end exactly in opensea.io, the website’s official domain. Any domain that has a similar spelling is fake. Never click on these links or connect your wallet to fake websites.



This is another example of a scam attempt. It is possible to identify the same issue: the sender is openseaio, not opensea.io. Additionally, be cautious of messages that reference support from outside the legitimate domain, especially if it comes from a Gmail address. It’s important to ignore these scam messages. If you know someone who has received a message like this, inform them it’s a scam and share a link to your item on OpenSea.io or another reputable marketplace.
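The domain check described in this section, written out as an added example (it is not code from Kanazawa or OpenSea). The two official domains and opeseal-nft.su come from the article; the function names, the HTTPS requirement and all other sample addresses are assumptions constructed for illustration.

```javascript
// Added example. Official domains come from the article; sample inputs are constructed.
const OFFICIAL_DOMAINS = ["opensea.io", "kanazawa.io"];

// True only if host IS an official domain or ends in "." + that domain.
function isOfficialHost(host) {
  const h = String(host).trim().toLowerCase().replace(/\.$/, "");
  // Reject anything outside plain ASCII hostname characters (lookalike letters).
  if (!/^[a-z0-9.-]+$/.test(h)) return false;
  return OFFICIAL_DOMAINS.some((d) => h === d || h.endsWith("." + d));
}

// Checks the host a link really leads to, not how the link text looks.
function isOfficialLink(link) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return false; // not a parseable absolute URL
  }
  // Assumption of this example: official links are always served over HTTPS.
  if (url.protocol !== "https:") return false;
  // url.hostname excludes any "user@" prefix placed in front of the real host.
  return isOfficialHost(url.hostname);
}

// Checks the address inside <...>, ignoring the freely chosen display name.
function isOfficialSender(fromHeader) {
  const m = /<([^<>]+)>\s*$/.exec(fromHeader);
  const addr = (m ? m[1] : fromHeader).trim();
  const at = addr.lastIndexOf("@");
  return at > 0 && isOfficialHost(addr.slice(at + 1));
}

const samples = [
  "https://testnets.opensea.io/",     // true: real subdomain
  "https://opeseal-nft.su/",          // false: lookalike from the article
  "https://opensea.io.example.com/",  // false: official name used as a prefix
  "https://opensea.io@example.com/",  // false: real host is example.com
];
for (const s of samples) console.log(isOfficialLink(s), s);
console.log(isOfficialSender('"support@opensea.io" <help@openseaio.example>'));
```

The From address of an email can be forged, so a passing sender check only means the message is not obviously fake, while a failing check is enough to discard it.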


The QR Code scam

This type of scam is more common among NFT creators than sellers. However, it is important to know how to identify it in case criminals adapt and try to apply the same scam to you.

Usually, this type of scam happens when someone says they bought an NFT. The scammer will send you a message about the transaction (which could be a confirmation or error) and then a QR Code. You should never scan this code under any circumstances. QR Codes are powerful tools that store more information than a common link. They can take you to a malicious address or even prompt you to install software or an application that contains a virus.

You should never scan QR Codes or click on suspicious links. Never.

Likewise, OpenSea.io never asks users to scan QR Codes via email in any operation between users.


The ETH-20 error message

As in the previous example, someone may say that you need ETH-20.

Be cautious if a buyer tells you you don’t have ETH-20 in your wallet to complete the transaction. This kind of scam can sometimes be very subtle because this type of failure can actually occur.
Scammers might even use a template from OpenSea.io to make the message look authentic. However, this problem usually occurs in auctions rather than standard sales. In standard sales, the seller doesn’t need ETH-20 in their wallet to finalize the transaction.

If you suspect the message is genuine and not a scam, advise the buyer to contact OpenSea support directly. You cannot contact support on behalf of another person. Support will contact you through the official opensea domain (@opensea.io) if there is a genuine error. If you receive a message from someone else, it’s a fake message scam, and you should ignore it.

What is ETH-20? ETH-20 is a smart contract standard, or set of rules that make it easier for contracts to interact, on Ethereum. ERC-20 tokens are the most commonly used tokens on the Ethereum network. They are designed to be used for paying for functions and are known as utility tokens with Ether.


The error message

Platforms fail sometimes; it can happen! These glitches can occur due to heavy website traffic or other technical issues.

However, as mentioned in the previous topic, you do not have the power to open a ticket on behalf of a third party. If the seller or buyer sends an error message, kindly ask them to contact OpenSea.io support directly (https://support.opensea.io/hc/en-us/requests/new) because you cannot manage a ticket on their behalf. Also, if the error was generated during their transaction, it could be a problem with their wallet or a technical problem. In any situation, the technical support of OpenSea or of the responsible marketplace is who should guide this person.

However, if this message is a scam, the seller or buyer will insist on the failure and try to maintain communication with you instead of trying to solve the problem with technical support. As this type of message may initially seem genuine, you will be able to identify if it is a scam in the following topics.


The Marketplace scam

If a seller or buyer claims they could not transact with the NFT, direct them to contact marketplace support. However, be cautious if they request that you publish your NFT on another marketplace. As we said in the article about marketplaces, our contract is available on reputable marketplaces like Rarible, x2y2, and LooksRare, even if OpenSea.io is our main one. Avoid lesser-known marketplaces that you have yet to hear of. Instead, suggest one of the other marketplaces we mentioned.

Never connect your wallet to suspicious websites because scammers can steal the NFTs in your wallet. When you connect your wallet to a marketplace and authorize it to trade your tokens, the scammer can move the content to their account. Web3 provides us with security, but it’s essential to be cautious and protect your assets.


The P2P scam

There may be situations where you negotiate directly with a seller or buyer without using a marketplace as an intermediary. This type of peer to peer (P2P) operation is entirely acceptable, but you will have no protection and no one to turn to for help. For this reason, we recommend that you do not carry out P2P transactions with strangers. Always use the marketplace.

However, suppose you still want to buy an NFT in a P2P way. In that case, two factors are essential: verifying that the person has the NFT and that the NFT they are trading is authentic. In the following article, we’ll teach you how to verify the authenticity of our NFTs. It’s a simple process that only requires a few clicks.

If you confirm that the NFT is authentic, you must verify that the person trading owns that wallet. You can ask them to send a random and small amount of Ether to your wallet for this. In this way, you confirm that the seller owns that wallet with an authentic NFT from Kanazawa. Note that even following these steps, you are still not protected in the operation. Even if the owner is genuine, they may not send the NFT after you have made the payment. Transactions on the blockchain cannot be canceled or reversed. Because of this high risk, we always recommend using trusted marketplaces such as OpenSea, LooksRare, Rarible, x2y2, or SudoSwap.


Recovery Word or Private Keys

When creating your MetaMask wallet, we mentioned that it is important to never share your recovery words or private key with anyone. While developers may use a private key for tool and API development, no one you buy from or sell to will ever need access to your recovery words or private keys. This information is what authorizes any Ethereum transaction from your wallet, and therefore it should never be shared.

If you intentionally share your recovery words or private keys with a scammer, they will be able to gain control of your wallet and steal all of your assets, including NFTs, Ether, and any other information you have stored.



Like any other place outside the internet, the blockchain can be used by scammers to commit crimes. Criminals can use the anonymity of operations to carry out scams involving cryptocurrencies and NFTs. However, this article provided tips that can help protect your wallet and assets. It’s important to note that blockchain is generally safer and more transparent than a private ledger such as a bank’s. On the blockchain, unlike at a bank, your transactions cannot be corrupted or your private keys stolen, as long as you understand that you shouldn’t share them with anyone and never connect your wallet to suspicious websites.