Security & Transparency

Now that you understand what an NFT and a blockchain are, and before you do anything further, I strongly suggest looking into the security aspects of owning a crypto wallet and making transactions.

Since this is a decentralized landscape, there is no phone number you can call to file a fraud report. Marketplace customer support might help, but nobody can put your wallet on hold the way a bank blocks a card, and a confirmed transaction cannot be reversed. You have to manage security yourself.

If you do get scammed, you are warmly advised to spread awareness in social channels and relevant Discord groups, so others don't fall for the same trick.

Your Wallet

The most important thing about your wallet is your seed phrase: the list of words you were shown when creating it. Every private key in the wallet is derived from it, so anyone who has the phrase can restore your wallet on their own device and move everything in it.

Apart from deployment tooling you run yourself (for example when you develop custom contracts with Solidity and configure a deployer account), no one, and I guarantee, no one needs your seed phrase. Not a marketplace, not a support agent, not the wallet vendor.

If someone is asking for your seed phrase, assume they want to take over your wallet.

I'd say even your family members shouldn't know your seed phrase. Every additional person is an additional attack vector for social engineering, one of the most popular ways nowadays to break into systems.

Social Engineering

While it might sound scary, in reality it's very simple: it's an attack designed around social interaction and emotion rather than technical flaws.

Here's a more detailed description by Imperva.

Usually by exploiting surprise, greed, fear, hype or plain lack of awareness, the attacker gets the victim to grant entry into a system, or even to change the system themselves. The victim acts with the best intentions; the result still hurts the victim and benefits the attacker.

There are plenty of videos and examples of social engineering on the internet and I warmly suggest you find and watch some. The audacity of the attackers is definitely noteworthy.

Example

A very simple example would be some marketplace supposedly e-mailing you and asking for your seed phrase to verify that it's you on their platform, or else your account will get deleted.

So now you have fear circulating in your head and an imaginary timer ticking, making things worse. You don't want to lose the art you just bought, so with shaking hands you hand over your seed phrase, with a sigh of relief that you get to keep participating in the marketplace.

Only to later realize that you were never in any danger at all, your wallet is empty, and there's no one to call. You played yourself.

Real Life Example

Obviously that was a simple scenario; real-life ones are far more sophisticated. Recently, this Twitter thread caught my attention.

It goes into detail on how a hacker faked a wallet and threatened to rob a potential victim with a recording of the wallet in action, then forgot that they could've just taken the funds in that scenario and not even bothered talking to the victim. Whoops?

Hardware Wallets

An additional layer of security is a hardware wallet, like these: Ledger Nano.

Of course there are many other types available, but for the sake of this post, let's focus a bit on the Ledger Nano X.

It's the size of a regular USB stick, with an ST33J2M0 secure element inside. It even integrates with Ledger's very own Ledger Live app for buying and managing crypto. Serious stuff.

The main idea is that the private key never leaves the device. Why does that matter?

Because a browser-extension wallet keeps the key on a computer that is online all the time, so malware or a malicious site gets a shot at it even while you're sleeping. A hardware wallet holds the key in the secure element and signs transactions there; every transaction has to be confirmed with a physical button press, so nothing moves without you approving it on the device.

Two caveats. First, the seed phrase you wrote down at setup restores the same keys on any device, so leaking it is just as fatal as with a software wallet; with the right preparation someone could still call you in the middle of the night and talk you into giving it up. Second, the device signs whatever you approve, so it does not protect you from confirming a malicious transaction. Read what the device screen shows (recipient, amount, function) before you press the button.

Malicious Scripts

Another tactic I see happening in the crypto space is one we've already seen in web2: malicious script execution on a phishing site.

Let's say some random person sends you a "potentially very profitable" NFT drop that's happening soon and gives you a link. You open the link and, either automatically or after pushing whatever button they told you to push, the website asks for permission to connect your wallet.

You might think "Well hell yeah, this is what I am here for, to get in on these giga profits!", so you connect your wallet. Connecting on its own only reveals your address; the damage comes from the next pop-up, where the site asks you to sign a transaction that looks like a mint but is in fact an approval (for example setApprovalForAll) handing control of your tokens to the attacker's address. You confirm it, the site freezes, and once you refresh, some or all of your funds and/or NFTs are gone.

"Wtf is this" is how you might respond afterwards, but you don't have to. Make sure you know exactly what you are signing: your wallet shows the target contract and the function being called before you confirm, and an approval or transfer where you expected a mint is the red flag. If there's no one online talking about the drop, chances are it's fake. If the website looks put together in 5 minutes or the reward seems too good to be true, it most likely is.

For extra security, use a separate "burner" wallet holding only what you're willing to lose to conduct the transaction, and keep your collection in a wallet that never touches unknown sites. For even more security, just avoid sketchy offers in general.
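To make "know what you are signing" concrete, here is an added example (not code from the original post) of a small pre-signature inspector: it takes the raw transaction a site pushed into the wallet pop-up, decodes the function selector and ABI-encoded arguments, and flags approvals and transfers to addresses you haven't whitelisted. The selectors are the standard ERC-20/ERC-721 ones (first four bytes of keccak256 of the signature); the trusted address, the contract addresses and the calldata are constructed for the example.

```javascript
// Added example, not code from the original post: decode the calldata a site
// asks you to sign and flag the approval/transfer calls a draining site relies on.
// Selectors are the first 4 bytes of keccak256(signature) for standard
// ERC-20 / ERC-721 functions.
const SELECTORS = {
  '0x095ea7b3': 'approve(address,uint256)',
  '0xa9059cbb': 'transfer(address,uint256)',
  '0x23b872dd': 'transferFrom(address,address,uint256)',
  '0xa22cb465': 'setApprovalForAll(address,bool)',
  '0x42842e0e': 'safeTransferFrom(address,address,uint256)',
};
const MAX_UINT256 = (1n << 256n) - 1n; // "unlimited" allowance

// Split calldata into the 4-byte selector and the 32-byte ABI words after it.
function decodeCalldata(data) {
  const hex = (data || '0x').replace(/^0x/i, '');
  if (hex.length < 8) return { selector: null, words: [] };
  const words = [];
  for (let i = 8; i + 64 <= hex.length; i += 64) words.push(hex.slice(i, i + 64));
  return { selector: '0x' + hex.slice(0, 8).toLowerCase(), words };
}
const wordToAddress = (w) => '0x' + w.slice(24).toLowerCase(); // last 20 bytes
const wordToUint = (w) => BigInt('0x' + w);

// tx: { to, value (wei), data }; trusted: Set of lowercase addresses you know.
// Returns { function, risk: 'high' | 'medium' | 'low', reasons: [...] }.
function inspectTransaction(tx, trusted = new Set()) {
  const reasons = [];
  let high = false;
  const isTrusted = (a) => !!a && trusted.has(a.toLowerCase());
  const { selector, words } = decodeCalldata(tx.data);
  const name = SELECTORS[selector] || '';

  if (name.startsWith('setApprovalForAll') && words.length >= 2) {
    // Operator approval: one signature hands over every token in the collection.
    const operator = wordToAddress(words[0]);
    if (wordToUint(words[1]) !== 0n && !isTrusted(operator)) {
      reasons.push(`grants operator ${operator} control of every token you hold in this collection`);
      high = true;
    }
  } else if (name.startsWith('approve') && words.length >= 2) {
    const spender = wordToAddress(words[0]);
    const amount = wordToUint(words[1]);
    if (!isTrusted(spender) && amount > 0n) {
      reasons.push(amount === MAX_UINT256
        ? `unlimited allowance for spender ${spender}`
        : `allowance of ${amount} for unknown spender ${spender}`);
      if (amount === MAX_UINT256) high = true;
    }
  } else if (name.startsWith('transfer(') && words.length >= 2) {
    reasons.push(`sends ${wordToUint(words[1])} tokens to ${wordToAddress(words[0])}`);
  } else if (/transferFrom/i.test(name) && words.length >= 2) {
    reasons.push(`moves a token from ${wordToAddress(words[0])} to ${wordToAddress(words[1])}`);
  }

  // Plain ETH leaving the wallet to an address you don't know is worth a look too.
  const value = BigInt(tx.value || 0);
  if (value > 0n && !isTrusted(tx.to)) reasons.push(`sends ${value} wei to ${tx.to}`);

  const risk = high ? 'high' : reasons.length ? 'medium' : 'low';
  return { function: name || selector || 'plain ETH transfer', risk, reasons };
}

// Constructed sample data for the example (not real addresses or contracts).
const TRUSTED = new Set(['0x1234567890123456789012345678901234567890']);
const DRAINER_TX = { // "mint" button that really calls setApprovalForAll(0xdead...beef, true)
  to: '0xcccccccccccccccccccccccccccccccccccccccc',
  value: 0,
  data: '0xa22cb465' +
        '000000000000000000000000deadbeefdeadbeefdeadbeefdeadbeefdeadbeef' +
        '0000000000000000000000000000000000000000000000000000000000000001',
};
const MINT_TX = { // 0.05 ETH to a contract you whitelisted, calling a selector not in the table
  to: '0x1234567890123456789012345678901234567890',
  value: '50000000000000000',
  data: '0x1249c58b',
};
const TRUSTED_APPROVE_TX = { // unlimited approve, but to the whitelisted spender
  to: '0xcccccccccccccccccccccccccccccccccccccccc',
  value: 0,
  data: '0x095ea7b3' +
        '0000000000000000000000001234567890123456789012345678901234567890' +
        'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff',
};

console.log(inspectTransaction(DRAINER_TX, TRUSTED));
console.log(inspectTransaction(MINT_TX, TRUSTED));
```

The point of the trusted set is that a legitimate marketplace listing also calls setApprovalForAll, so "approval" alone is not the signal; "approval for an address I have never seen" is. Real wallets now show similar warnings, but reading the decoded call yourself is the habit that saves you when they don't.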

Malicious Contracts

A risk that is new with blockchains is that the code you interact with, the smart contract, runs on chain, and it can be malicious too (a token you can buy but never sell, a mint function that takes more than it says). So be sure to research what you're getting into beforehand.

Etherscan

Sites like Etherscan.io help with this: they let you explore the blockchain, and thus any transaction, contract or token, and especially the code inside.

Let's look at a few examples.

Example Wallet

Let's look at one popular wallet: Vitalik Buterin's wallet, which he publicly disclosed in a tweet in 2018.

As you can see, tons of currencies and a fair balance of 1,368 ETH as of writing this post. You can also see every transaction ever made with this wallet, going back to the oldest one in its history on 2015-09-09 12:11:14.

Example Transaction

Let's look at that first transaction in more detail.

As we see, the gas price at that moment was 50 Gwei, which is relatively high, but Ether was priced at only $1.21/ETH at the time, not $3412/ETH as it is currently.

You can see which block the transaction was included in (each block is chained to the previous one), where it came from and where it went. Pure transparency.

Example Token Contract

After getting familiar with the inner workings of a wallet and a transaction, let's look at a token contract. This is a very important thing to do before you send any funds from your wallet to a contract.

Let's look at Cryptopunks, as an example.

I suggest first to look at their whole collection on OpenSea. Then get more familiar with the team behind it on their website.

So let's take a look at the contract for Cryptopunks. You can find the contract address by going to an individual Cryptopunk's page on OpenSea and opening the "Details" section on the left. Check the address against the one published on the project's own site; copycat collections with the same name and images are common, and the contract address is the only thing that cannot be faked.

As you see, this is a contract with a lot of data. What I want you to focus on while reading this post is the "Contract" tab.

Contract Verification

You probably noticed the green checkmark on said tab, and when you open it you will see:

"Contract Source Code Verified (Exact Match)"

This is a transparency measure that makes the contract code readable. Without it, all you would see is the compiled bytecode, which is meant for the EVM, not for humans. Verification means Etherscan recompiled the source the developer submitted and got exactly the bytecode deployed at this address, so the readable code is what actually runs.

If you know Solidity, you will be able to make out what the contract does.

If you don't know Solidity, use the "Read Contract" and "Write Contract" buttons right under the "Contract" tab to see what functionality the contract holds. "Read Contract" lists the functions that only return data; "Write Contract" lists every function that can change state, which is where you spot things like owner-only functions that can pause transfers or mint more tokens.

Summary

By now you should be confident and better equipped to survive the wild wild west, as the crypto landscape is often described these days.

Be sure to keep your funds secured and always double-check your intended transactions before making them. 🙏