How to avoid fake interviews

AKA the Maria Florence affair

The facts

I was contacted on Telegram by Maria Florence about an interview for SuperRare magazine (curated conversations).

She was using a beautiful profile picture. Later, I discovered it was stolen from Sophie Maddocks. Ironically, Sophie Maddocks is a researcher, teacher and digital rights advocate. Particularly concerned with cyber-sexual violence, she has published research on image-based abuse, deep fakes and gender-based trolling.

The fake Maria Florence asked me to make a brief presentation of my artworks. And this should have rung a bell. She then studied my art production and prepared a realistic, quite involved interview!

Then she asked me to submit the interview on a subdomain of https://superrare-preview.com (now erased). At first sight, the page seemed legit, and I have to admit I totally fell for it. There was even a bot replying to my questions.

But when I clicked the button to submit the interview, the site asked me to sign a transaction, trying to drain all my funds. Luckily, I did not sign it!

When I told "Maria Florence" about that, she disappeared in the blink of an eye! By the way, the fake Maria profile on Twitter is still there. Please report this profile (I did).

My tips and a proposal

  1. Always check the identity of the person that is contacting you (not easy, see below)

  2. Use a secondary wallet containing only the coins needed to pay gas fees when you have to sign dubious transactions

Here I have a piece of advice for SuperRare (and any other marketplace). SR should create an official page on the SR site with the employees' names and official emails, as well as social handles. The employees should contact people only using these identities.

Of course, scammers can farm fake identities which are very similar to the original ones. However, the security layer of Web3 is based on cryptography. So, why not use cryptography to solve this identity problem?

Consider the following scenario.

Alice claims to work for SR and she wants to interview Bob. How can Bob be sure Alice really works for SR and is not a scammer?

First method: use signed messages

  1. SR adds to their website the public address of Alice

  2. Alice contacts Bob and agrees to sign a message with her address. To add security, the content of the message is decided by Bob and should not be obvious

  3. Alice signs the message decided by Bob with her private key

  4. Bob verifies the message and checks that it comes from the address of Alice published on the SR site

You can use this Etherscan service to sign messages with your wallet (thanks to Luca Donno for pointing this out). In this case, you have to trust the service.
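Step 4 of the first method, sketched as an added example (not code from the original post or from SuperRare): a standard-library Python check that a wallet signature over Bob's challenge was produced by the address published for Alice. It assumes Alice signs with her wallet's plain-message signing (the EIP-191 `personal_sign` format) and sends back the 65-byte hex signature; the function names are hypothetical.

```python
# Added example, not SuperRare code: Bob's check from step 4; helper names are hypothetical.
P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
rol = lambda a, n: ((a << n % 64) | (a >> (64 - n % 64))) & (2**64 - 1)
def keccak256(data):  # Ethereum's Keccak-256 (pre-standard padding, not hashlib.sha3_256)
    pad = bytearray(136 - len(data) % 136); pad[0] ^= 0x01; pad[-1] ^= 0x80
    data, s = data + bytes(pad), [0] * 25
    for off in range(0, len(data), 136):
        blk, R = data[off:off + 136] + bytes(64), 1
        s = [w ^ int.from_bytes(blk[8*i:8*i + 8], "little") for i, w in enumerate(s)]
        for _ in range(24):  # Keccak-f[1600] round: theta, rho+pi, chi, iota
            C = [s[x] ^ s[x+5] ^ s[x+10] ^ s[x+15] ^ s[x+20] for x in range(5)]
            s = [s[i] ^ C[(i+4) % 5] ^ rol(C[(i+1) % 5], 1) for i in range(25)]
            x, y, cur = 1, 0, s[1]
            for t in range(24):
                x, y = y, (2*x + 3*y) % 5
                cur, s[x + 5*y] = s[x + 5*y], rol(cur, (t+1) * (t+2) // 2)
            s = [s[i] ^ (~s[i//5*5 + (i+1) % 5] & s[i//5*5 + (i+2) % 5]) for i in range(25)]
            for j in range(7):
                R = ((R << 1) ^ ((R >> 7) * 0x71)) % 256
                if R & 2: s[0] ^= 1 << ((1 << j) - 1)
    return b"".join(w.to_bytes(8, "little") for w in s[:4])

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    m = 3*a[0]**2 * pow(2*a[1], -1, P) if a == b else (b[1]-a[1]) * pow(b[0]-a[0]+P, -1, P)
    x = (m*m - a[0] - b[0]) % P
    return x, (m * (a[0] - x) - a[1]) % P
def mul(k, pt, acc=None):  # double-and-add; teaching code, not constant time
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc
def eth_hash(text):  # EIP-191 digest that a wallet signs for a plain-text message
    m = text.encode()
    return int.from_bytes(keccak256(b"\x19Ethereum Signed Message:\n%d" % len(m) + m), "big")

def signed_by(published, text, sig_hex):  # True if sig_hex (r||s||v) over text is from published
    sig = bytes.fromhex(sig_hex.lower().replace("0x", ""))
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:64], "big")
    y = pow(r**3 + 7, (P + 1) // 4, P)  # candidate y for the curve point with x = r
    if len(sig) != 65 or not (0 < r < N and 0 < s < N) or y * y % P != (r**3 + 7) % P: return False
    R = (r, y if y % 2 == sig[64] % 27 else P - y)  # v (27/28 or 0/1) picks y's parity
    Q = mul(pow(r, -1, N), add(mul(s, R), mul(-eth_hash(text) % N, G)))  # recovered public key
    addr = Q and keccak256(Q[0].to_bytes(32, "big") + Q[1].to_bytes(32, "big"))[-20:].hex()
    return addr == published.lower().replace("0x", "")
```

Bob calls `signed_by` with the address copied from the SR site, the exact challenge text he chose, and the signature Alice returns; the comparison covers the full 20-byte address, so a look-alike address that only shares its first and last characters fails.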

Second method: use signed transactions

  1. SR adds to their website the public address of Alice

  2. Alice contacts Bob and agrees to make a 0-amount transaction with her address to the address of Bob

  3. Alice makes the transaction (she pays only the gas fees; she might even use a Layer 2 like Optimism to save money)

  4. Bob verifies that the transaction comes from the address of Alice published on the SR site

There are only two ways this can go wrong:

  1. the scammer stole the private key of Alice and is using it

  2. Alice is herself a scammer (working for SR)
