NFTs Can Be Risky but Taking These Steps Will Help



The new kid on the cryptocurrency block, non-fungible tokens (NFTs), has continued to draw the attention of celebrities, corporations and consumers alike, but the security risks are very real and are even being exploited as you read this blog.

What sets NFTs apart from other cryptocurrencies like Bitcoin and Ethereum is that each token is completely unique, so, unlike its predecessors, it cannot be traded or replicated. The threat landscape is more volatile than ever before, and if you do not have a structured security plan for your cryptocurrencies, it’s no longer a question of if an attack will occur but when.

The Approach of Threat Actors

While the tactics used by threat actors can seem complex, and in some cases are, you can expect to find them anywhere there’s an opportunity to exploit vulnerabilities. When a new fad such as NFTs takes the Internet by storm, statistically speaking, there are bound to be individuals jumping on the bandwagon without the knowledge of how best to secure their funds.

One of the more popular avenues threat actors have used to gain access to digital property is through email scams. In recent months, cryptocurrency-specific scams are, not surprisingly, on the rise. Attackers have been sending emails to users impersonating Coinbase, notifying them that their account has a suspicious login with a prompt to verify their account. If a user proceeds to enter their login information via the attachment provided, the attacker is able to gain access to the account and steal the funds.

Similarly, threat actors can also spoof NFT platforms to steal users’ credentials and implant malware. The most popular attacks usually involve remote access Trojans that allow the attacker to gain full remote control over the compromised machine. Once they have access, attackers are able to intercept passwords and keystrokes, in addition to other capabilities.

The Simplest Solutions Are the Best Solutions

While it may seem like common sense, the most important actions to take on all online accounts include:

Multi-factor authentication (MFA): While it’s not a failsafe, this simple step makes it exponentially more difficult for threat actors to gain access to your account. By connecting your logins with a phone number or an alternate email account, you can get a notification if someone is attempting to access your account. According to an official statement from Nifty after their gateway hack in March, none of the affected wallets had MFA set up.

During the March attack, hackers gained access to user accounts and were able to both transfer the previously purchased NFTs out of those accounts and purchase new ones to transfer using the payment cards on file. While the funds were returned to the impacted users, the NFTs were lost to the attackers, who promptly sold them to another NFT purchaser on a different platform. Since the receiving platform, like Nifty Gateway, holds the private keys associated with the NFT, the tokens weren’t recoverable after being transferred.

Password Hygiene: This may seem like another no-brainer, but both consumers and businesses have trouble taking necessary steps to ensure the safety of the passwords themselves. To have good password hygiene, you must use (1) lower and uppercase, (2) numbers, (3) special characters and (4) different and unique passwords for every account. While it takes more effort to remember all the different passwords you use on which sites, there are tools out there that can securely store your passwords, like Keeper or LastPass.

For Companies and Platforms: In addition to the above, you should be taking additional steps to secure your digital currency (and your data overall). This includes taking security hardening steps, including, but not limited to, employee background checks, drive encryption, securing sensitive communications, employee-user awareness training, vulnerability testing, offering bug bounty programs and third-party penetration testing services.

Secure Storage: For both users and companies, when applicable and done properly, cold storage of digital assets (meaning not stored in an online environment) offers the best security from Internet-connected thieves. But even then, cold storage solutions, whether hardware, paper or desktop wallets, still must be physically secured to protect against loss, damage or theft.


At the end of the day, NFTs are a burgeoning industry with a lack of regulations and oversight by design. Therefore, it’s no secret among threat actors that there are legal loopholes that exist in the industry, which will allow some to operate with impunity in certain scenarios. If you are a current owner of NFTs or are thinking about buying, the best way to proceed is to educate yourself on the vulnerabilities and take the above steps to secure your environment.


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

