Bitcoin Forum
September 05, 2025, 06:52:02 PM *
Author Topic: Was a friend of mine scammed or hacked somehow?  (Read 271 times)
Forsyth Jones
Legendary | Activity: 1652 | Merit: 1590
September 01, 2025, 04:00:17 PM
 #21

Here's a tip: whenever you send any amount, always check the prefix and suffix of the recipient address and confirm the address with the recipient before sending.

Check at least that the first four characters (prefix) and last four characters (suffix) of the copied address are correct and that it's the same address provided by the recipient.

Whenever possible, scan the QR code instead of pressing CTRL C + CTRL V.

Of course, this tip is mainly for your friend, since you seem to be a much more informed user than your friend.

Remember, the most recommended option is to purchase a hardware wallet, but even a hardware wallet won't protect you from this malware (which is basically a mini-keylogger, as it monitors the clipboard and acts upon identifying a Bitcoin address). Although, as Mia Chloe mentioned, there's no way to be 100% certain that there's worse malware that not only monitors Bitcoin addresses but also monitors private keys and BIP39 seeds.

Mia Chloe
Hero Member | Activity: 826 | Merit: 1342
September 01, 2025, 04:59:54 PM
 #22

Quote from: Forsyth Jones
> Whenever possible, scan the QR code instead of pressing CTRL C + CTRL V.

Copying and pasting the receiving address then manually cross-checking the first and last few characters yourself to confirm if it's the right address is actually better in my opinion than scanning the QR code. Cameras are easily hijacked just like keyboards, and because of something like this some devices have a feature where you can turn off or on your camera at will.

As for keyloggers they are way worse as the hacker can see everything you do with your keyboard with time stamps. So it's not just what you copy and paste that's affected in the case of a keylogger.

LoyceV
Legendary | Activity: 3794 | Merit: 19769
September 01, 2025, 05:07:52 PM
 #23

Quote from: Forsyth Jones
> Whenever possible, scan the QR code instead of pressing CTRL C + CTRL V.

Malicious QR-scanners are just as rampant as clipboard malware.

Obim34
Sr. Member | Activity: 728 | Merit: 438
September 01, 2025, 05:23:37 PM
 #24

~Snip
I can say of Electrum that it doesn't manually allow CTRL C + CTRL V (mobile): once you copy the address, press SEND to paste from clipboard (uneditable).

Electrum doesn't allow editing after paste from clipboard - what if someone is infected with clipboard malware?




mr.mister (OP)
Full Member | Activity: 330 | Merit: 117
September 01, 2025, 11:03:44 PM
Last edit: September 01, 2025, 11:15:25 PM by mr.mister
Merited by Cricktor (1)
 #25

I would say to check the first and last 5 characters of an address and also 5 in the middle, as someone who creates vanity addresses might be able to come up with an address with the first 5 and last 5 the same as your real address. In fact, I know that this is already happening, so I would add to verify 5 more characters in the middle. Also doing voice verifications adds a layer of security as well, so for example, say your friend is sending you a btc address, it should be followed with a voice message from him with the first, middle, and last 5 digits. If a large amount is being sent, you can test send a small amount first.

Also let me add that on native segwit and taproot addresses that start with bc1q and bc1p respectively, more than the first 5 characters should be checked.

Z-tight
Legendary | Activity: 1344 | Merit: 1181
September 03, 2025, 08:27:25 PM
 #26

Quote from: Obim34
> I can say of Electrum that it doesn't manually allow CTRL C + CTRL V (mobile): once you copy the address, press SEND to paste from clipboard (uneditable).
>
> Electrum doesn't allow editing after paste from clipboard - what if someone is infected with clipboard malware?

When you copy an address from anywhere and you hit the send button in Electrum mobile, the next thing is to click on 'paste from clipboard'. After pasting, you can then check every character in the address before inputting the amount you want to send and broadcasting it to the network.

It doesn't matter if you can't edit the address after pasting, because all you have to do is check it, and if it has been altered by malware, then you have a problem with your device and you'd have to sort that out first.

Cricktor
Legendary | Activity: 1246 | Merit: 2953
September 03, 2025, 09:13:22 PM
Merited by LoyceV (6)
 #27

Quote from: Forsyth Jones
> Here's a tip: whenever you send any amount, always check the prefix and suffix of the recipient address and confirm the address with the recipient before sending.
>
> Check at least that the first four characters (prefix) and last four characters (suffix) of the copied address are correct and that it's the same address provided by the recipient.

This is in my opinion not enough to check, especially when you omit a portion to be checked somewhere else than at the start and end of an address.

As OP said and it's what I practice: I check 6 to 7 symbols (excluding the address type prefix) at the front, at the end and a few at the same position around the middle. If those three spots match, it's extremely unlikely that anything else doesn't match too.

The crucial thing is, you have to verify any of the transaction's outputs always, without exception. Best of course on the independent display of a hardware wallet.


Quote from: Forsyth Jones
> Remember, the most recommended option is to purchase a hardware wallet, but even a hardware wallet won't protect you from this malware (which is basically a mini-keylogger, as it monitors the clipboard and acts upon identifying a Bitcoin address). Although, as Mia Chloe mentioned, there's no way to be 100% certain that there's worse malware that not only monitors Bitcoin addresses but also monitors private keys and BIP39 seeds.

A malware that alters the transaction details before it's passed to be signed on a hardware wallet is not science fiction. That's why you always have to check all transaction details before you sign and broadcast a transaction. Every time!

A hardware wallet protects your private keys from malware. Your private keys and your mnemonic recovery words should never touch an online device. Your hardware wallet creates your mnemonic recovery words in a secure environment. You write an analog paper backup (or better multiple redundant copies of it) which never go online. You create maybe also an analog metal backup for fire protection. This again never becomes online stuff. This is Bitcoin safety 101.
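
An added example, not written by any poster in this thread, of the address checks discussed in posts #25 and #27: it contrasts a front/end spot check with a front/middle/end check and a full comparison, and estimates how many bits of an address each habit actually verifies. The function names are hypothetical, and the lookalike address is constructed for illustration from the BIP173 example address.

```python
import math

# Address-type prefixes are identical for every address of a type, so they are
# excluded from the spot check (as post #27 describes).
TYPE_PREFIXES = ("bc1q", "bc1p", "1", "3")

def split(addr):
    """Return (type_prefix, body); the body is the part that varies."""
    for p in TYPE_PREFIXES:
        if addr.startswith(p):
            return p, addr[len(p):]
    return "", addr

def spot_check(expected, pasted, n=4, middle=0):
    """True if n characters at the front and end of the body, plus `middle`
    characters at the same centred position, are equal in both addresses."""
    (pe, be), (pp, bp) = split(expected), split(pasted)
    if pe != pp or len(be) != len(bp):
        return False
    mid = (len(be) - middle) // 2
    return (be[:n] == bp[:n] and be[-n:] == bp[-n:]
            and be[mid:mid + middle] == bp[mid:mid + middle])

def first_difference(expected, pasted):
    """Full comparison: index of the first differing character, None if identical."""
    if expected == pasted:
        return None
    for i, (a, b) in enumerate(zip(expected, pasted)):
        if a != b:
            return i
    return min(len(expected), len(pasted))  # one string is a prefix of the other

def match_bits(addr, checked_chars):
    """Approximate log2 of the addresses a vanity search has to generate to match
    `checked_chars` body characters (bech32 has 32 symbols, base58 has 58)."""
    return checked_chars * math.log2(32 if addr.startswith("bc1") else 58)

# EXPECTED is the example address from BIP173. LOOKALIKE is constructed for this
# example (not checksum-valid): same first/last four body characters, new middle.
EXPECTED = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"
LOOKALIKE = EXPECTED[:8] + "k2m9ph7cl3x8n4ujf6ate5s0gz2dwq" + EXPECTED[-4:]

if __name__ == "__main__":
    print("4+4 spot check passes:", spot_check(EXPECTED, LOOKALIKE, n=4))
    print("4+4 plus 5 in the middle:", spot_check(EXPECTED, LOOKALIKE, n=4, middle=5))
    print("first differing index:", first_difference(EXPECTED, LOOKALIKE))
    for chars in (8, 10, 19):
        print(chars, "chars checked ~", round(match_bits(EXPECTED, chars)), "bits")
```
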

Hazink
Sr. Member | Activity: 644 | Merit: 332
September 03, 2025, 10:49:32 PM
 #28

Quote from: mr.mister
> Also let me add that on native segwit and taproot addresses that start with bc1q and bc1p respectively, more than the first 5 characters should be checked.

To even be more on the safer side, it will cost nothing to manually and gradually check through all the characters one after the other to make sure there is no error anywhere in between. It’s better we take extra precautions than to lose hard-earned funds to scammers. Even if it’s time-consuming, it’s worth it.

Forsyth Jones
Legendary | Activity: 1652 | Merit: 1590
Today at 04:51:55 PM
 #29

Quote from: Cricktor
> This is in my opinion not enough to check, especially when you omit a portion to be checked somewhere else than at the start and end of an address.
>
> As OP said and it's what I practice: I check 6 to 7 symbols (excluding the address type prefix) at the front, at the end and a few at the same position around the middle. If those three spots match, it's extremely unlikely that anything else doesn't match too.
>
> The crucial thing is, you have to verify any of the transaction's outputs always, without exception. Best of course on the independent display of a hardware wallet.

I agree with you. I recommended checking the 4 digits at the beginning and end of the address as a minimum, but I check ALL characters regardless of the amount to be sent.

I usually start by checking 4, but instinctively I check more than 4, and before I know it, I've already checked all the characters.

Quote from: Cricktor
> A malware that alters the transaction details before it's passed to be signed on a hardware wallet is not science fiction. That's why you always have to check all transaction details before you sign and broadcast a transaction. Every time!
>
> A hardware wallet protects your private keys from malware. Your private keys and your mnemonic recovery words should never touch an online device. Your hardware wallet creates your mnemonic recovery words in a secure environment. You write an analog paper backup (or better multiple redundant copies of it) which never go online. You create maybe also an analog metal backup for fire protection. This again never becomes online stuff. This is Bitcoin safety 101.

That's what I always say: never act as if you're completely bulletproof, even if you have a hardware wallet. What guarantees security are the user's own practices and how diligent they are about the security of their hardware.

I think you're referring to Dark-Skippy. In this case, the risk is real. Users typically become infected with this malware if they import a compromised firmware version or purchase a counterfeit device. In this case, the chances of it going unnoticed by the user, even an advanced and veteran user, are very high.
