Summary
An authorization scam involves tricking users into performing transfers, staking, or similar operations to steal their token transfer permissions. Scammers typically use tactics such as purchasing virtual goods, QR code payments, or pretending to offer "staking mining" opportunities, leading to the theft of tokens from the user's wallet. Users should remain vigilant and properly manage their transfer permissions.
User A: I purchased a TikTok account online, but the payment failed, resulting in a deduction of my TRX. Additionally, my USDT disappeared unexpectedly.
User B: A guy asked me to scan a QR code and transfer 1 USDT to him. I did what he said, and then all my USDTs were sent out from my wallet without my consent. How did that happen?
User C: Someone told me I could earn rewards by depositing tokens into an address. I did as instructed because it was a good opportunity to grow money. After transferring money to that address, however, my wallet was drained.
How can a scammer drain your wallet without your consent? The answer is token approval.
What is Token Approval?
Google Play offers a family payment method through which your family members’ purchases, such as books and movies, are charged directly through your account. Even if your family doesn't know your Google Play password, they can still use your money.
Token approval is similar. When you unknowingly grant a scammer token approval, they can move your funds to their own wallets without ever knowing your mnemonic or password.
Scammers often use virtual item purchases, QR code payments and liquidity mining schemes to trick crypto investors. Let’s take a closer look at each of these tricks.
Inducement to Purchase Virtual Items
When you pay for virtual items such as TikTok accounts or SMS codes online, the scammer will direct you to make the payment through a crypto wallet.
If a page that "authorizes token transfer authority" appears during a payment, you are granting an authorization (an approval), not making a regular transfer. If you enter your password and sign on a fraudulent payment link created by scammers, you grant them transfer authority over your tokens. With this authority, scammers can transfer tokens from your wallet without your permission.
Additionally, after the payment, the scam website often displays prompts like "payment failed," "insufficient TRX," "network connection error," or "insufficient funds," causing you to mistakenly believe the payment was unsuccessful. This may prompt you to switch to another address or transfer more tokens to continue the authorization. In reality, these pop-ups are set by the scammer on their fraudulent website, not genuine notifications from your wallet app. The scammer's aim is to gain transfer authority over more of your tokens.
QR Code Payment Trick
Here, scammers lure you into scanning a QR code or clicking a link, which opens a scam website mimicking the transfer page of your wallet app. The site takes you through an imitation of the familiar transfer interface. Instead of the transaction confirmation, a window asking you to approve an unlimited token allowance appears.
Note: You can distinguish between real and fake transfer pages by checking the icon in the upper right corner of a page. The icons in the top right corner of a fake page are "..." and "X," while that of a real page is a QR code scan icon.
Liquidity Mining
Scammers impersonate imToken officials on channels such as Telegram, WhatsApp and YouTube, and offer you a tempting investment opportunity, such as depositing USDT into their website and participating in liquidity mining or staking to get guaranteed daily earnings; the more tokens you deposit, the higher the rate of return.
Some scammers even tell you that no principal is required; pay some miner fees to join the network, then receive a stable income. Sounds too good to be true? Well, it probably is!
When you confirm a transaction on the scam website to start the so-called liquidity mining or staking, you give the scammer unlimited token allowance.
So when you make a transaction or invest in a project, please pay attention to whether the "Approve Allowance" page pops up in the app, and stay alert.
imToken Optimizes Signature Experience
In response to these three types of scams, imToken has optimized the signature experience. When you sign such transactions, imToken will clearly inform you that you are "approving a contract to transfer" and display the amount of tokens being approved. We advise you to stay vigilant during transactions. Additionally, if the approved recipient is a personal address, imToken will warn you that “there is a high likelihood of fraudulent activity.”
Security Reminder
- Be wary of SMS code reception services, account purchases, fake exchanges, and websites promising high yields or guaranteed profits.
- Avoid making payments or transfers on unknown websites. Learn to differentiate between authorized and regular transactions, identify pages requesting unlimited authorization, and never enter your password for authorization on suspicious sites.
- Exercise caution with authorizations. On the authorization page, verify the contract address and check the contract label and transaction history using a block explorer to confirm the contract’s legitimacy.
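The difference between a regular transfer and an approval is visible in the transaction data itself. The following is an added example, not imToken's code: it decodes standard ERC-20 ABI calldata and reports whether the call is a transfer, a limited approval or an unlimited approval. The sample address, the sample calldata and the "unlimited" threshold are assumptions made for the illustration.

```python
# Added example: classify raw ERC-20 calldata the way a signing screen should.
# A selector is the first 4 bytes of keccak256 of the function signature.
SELECTORS = {
    "a9059cbb": "transfer",           # transfer(address to, uint256 amount)
    "095ea7b3": "approve",            # approve(address spender, uint256 amount)
    "39509351": "increaseAllowance",  # increaseAllowance(address spender, uint256 added)
}
UINT256_MAX = 2**256 - 1
# Assumption for this example: allowances of 2**255 or more count as unlimited.
UNLIMITED_THRESHOLD = 2**255


def decode_token_call(calldata_hex):
    """Split calldata into function name, counterparty address and raw amount."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    if len(data) != 8 + 64 + 64:
        raise ValueError("expected a selector plus two 32-byte arguments")
    name = SELECTORS.get(data[:8])
    if name is None:
        raise ValueError("not a transfer or approval call")
    party = "0x" + data[8:72][-40:]  # the address is the low 20 bytes of the word
    amount = int(data[72:136], 16)   # raw token units, before applying decimals
    return name, party, amount


def classify(calldata_hex):
    """Return ('transfer' | 'approval' | 'unlimited-approval', address, amount)."""
    name, party, amount = decode_token_call(calldata_hex)
    if name == "transfer":
        kind = "transfer"
    elif amount >= UNLIMITED_THRESHOLD:
        kind = "unlimited-approval"
    else:
        kind = "approval"
    return kind, party, amount


# Constructed sample inputs (not real transactions); the address is a placeholder.
SPENDER = "11" * 20
PAD = "00" * 12
PAY_1_USDT = "0xa9059cbb" + PAD + SPENDER + format(1_000_000, "064x")
FAKE_PAYMENT = "0x095ea7b3" + PAD + SPENDER + format(UINT256_MAX, "064x")

if __name__ == "__main__":
    for label, tx in (("regular transfer", PAY_1_USDT), ("fake payment page", FAKE_PAYMENT)):
        print(label, classify(tx))
```

In the transfer case the decoded address receives the stated amount once; in the approval cases the decoded address is the spender, which can later move up to the approved amount without any further signature from you.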
How to Check Whether You Have Approved a Third Party to Transfer Your Tokens
Approve scams are common on Ethereum and TRON blockchains. This blog explains how to check and cancel the approval of your ETH and TRX addresses respectively.
TRX Wallet
Prerequisite:
Ensure you have at least 30 TRX in your wallet for transaction charges. If not, please purchase some through exchanges and transfer them to your imToken TRX wallet.
1. Open the TRX wallet, swipe the function bar to the left, and tap "Revoke" to enter the "TRONSCAN" page, which automatically connects to the wallet for querying approvals.
Note: TRONSCAN is a tool for querying and managing TRX wallet approvals.
2. Scroll the page down and click "Approval," then all third-party addresses you have approved will be displayed on the page. If you find the "Approved amount" of an unknown project is unlimited or 999999…, it is likely to be a fraudulent address. Please revoke the approval immediately!
3. Click "Cancel" to revoke the approval. After the approval is successfully removed, the status will change from "Cancel" to "Canceled."
4. Check all your approval records to ensure all your unlimited token approvals are canceled.
ETH Wallet
Prerequisite:
Ensure you have at least 0.02 ETH in your wallet for transaction fees. If not, please purchase some through exchanges and withdraw them to your imToken ETH wallet.
Note: When withdrawing tokens, please select "Ethereum Network" as your withdrawal network.
1. Open your imToken ETH wallet, swipe the function bar to the left, and tap "Revoke" to enter the "Revoke" page, which automatically connects to the wallet for querying approvals.
Revoke.cash: A tool that supports managing approvals across Ethereum, Arbitrum, Optimism, BSC, Polygon, Avalanche, and other networks. On this page, click the Ethereum icon to switch networks and view the approved details for the corresponding network.
2. Scroll down to the bottom of the page to view the approved status of the account. Check your approved amounts, the approved Spender, and the last updated list.
If you want to revoke an approval, find the token or NFT in the approved list that you want to revoke, swipe left, and click 'Revoke.' Confirm again on the pop-up page to cancel the approval.
3. After the cancellation is done, return to the wallet home page and click "Activity" to check the status of the transaction. When the status changes from "Pending" to "Successful", it indicates that you have successfully canceled the approval.
4. If you want to change the token approved amount, click the "✏️" icon to the right of the amount to edit it. After entering the new value, click "Update" and confirm again on the pop-up page.
The middle picture above shows "Approved Spender" including Uniswap, Aave, etc. This is because when we trade in DEXs, we need to approve first to allow DEXs to complete token swaps.
However, if you find an unfamiliar address in the Spender column and you do not recognize or understand who controls that address, it is likely a scammer's address. Please cancel the approval immediately!
Conclusion
As we wrap up our exploration of unauthorized USDT transactions, the significance of staying informed and proactive cannot be overstated.
The insights gained into approve scams and scam victim experiences are crucial elements in the ongoing battle against crypto fraud. By raising awareness, understanding the tactics at play, and bolstering protective measures, we collectively contribute to a stronger defense against unauthorized access and potential loss. Let these lessons guide us as we traverse the dynamic world of Web3.
Contact us in the App or email us via support@token.im when in doubt.