Crypto Security Best Practices

Avoiding Scams and Phishing Attacks

Crypto scams evolve fast, but they rely on the same fundamentals: urgency, authority theater, and tricking you into revealing secrets or authorizing malicious transactions. Build habits that make you hard to phish.

1) Phishing Patterns You’ll See Often

  • Look-alike domains & fake sites: One letter off, extra hyphen, or a different TLD. Pages perfectly mimic wallets/exchanges.
  • “Support” impersonation: DM/email that says your funds are frozen or airdrop is ending—“verify now.” Real teams won’t DM you first.
  • Airdrops & prize links: Connect wallet → sign multiple prompts → assets drain. If “free money” requires blind signing, it’s a trap.
  • Malicious extensions/apps: Wallet clones or “portfolio trackers” that exfiltrate seed phrases or inject drainer scripts.
  • Clipboard hijackers & QR phish: Malware swaps addresses after copy, or QR codes send you to spoofed signing flows.
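
The look-alike domain pattern above is the one you can partly automate: compare any link you are about to open against your own bookmarks and flag anything that is merely close. The checker below is an added example written for this guide, not code from the original page; the two bookmarked hostnames are hypothetical placeholders, and the confusable table is a small illustrative subset of what real homoglyph detectors carry.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed stand-in for the reader's own bookmarks. The hostnames are
# hypothetical; in practice this set is whatever you have bookmarked yourself.
BOOKMARKED_HOSTS = {"app.example-wallet.com", "exchange.example.com"}

# ASCII confusables commonly used in look-alike registrations (left -> canonical form).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "|": "l", "3": "e", "5": "s"}


def skeleton(host: str) -> str:
    """Fold a hostname to a canonical 'skeleton' so visual twins compare equal."""
    host = unicodedata.normalize("NFKD", host.lower().rstrip("."))
    host = "".join(c for c in host if not unicodedata.combining(c))  # drop accents
    for src, dst in CONFUSABLES.items():
        host = host.replace(src, dst)
    return host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-letter-off and extra-hyphen variants."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> tuple:
    """Return (verdict, reason); verdict is 'ok', 'lookalike', 'suspicious' or 'unknown'."""
    if "://" not in url:
        url = "https://" + url
    # urlsplit().hostname discards any user@ prefix, so "bookmark.com@evil.example"
    # is judged by the host that would really be contacted.
    host = (urlsplit(url).hostname or "").rstrip(".")
    if host in BOOKMARKED_HOSTS:
        return "ok", f"{host} is bookmarked"
    # Internationalized labels render as punycode (xn--) or non-ASCII glyphs; none of the
    # bookmarks use them, so treat them as suspicious rather than trying to guess.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious", f"{host}: non-ASCII or punycode label that is not bookmarked"
    skel = skeleton(host)
    for good in sorted(BOOKMARKED_HOSTS):
        good_skel = skeleton(good)
        if skel == good_skel:
            return "lookalike", f"{host} is a visual twin of {good}"
        if skel.rsplit(".", 1)[0] == good_skel.rsplit(".", 1)[0]:
            return "lookalike", f"{host} reuses the name of {good} under a different TLD"
        if edit_distance(skel, good_skel) <= 2:
            return "lookalike", f"{host} is within two edits of {good}"
    return "unknown", f"{host} is not bookmarked; type the address yourself instead of following the link"


if __name__ == "__main__":
    for u in ["https://app.example-wallet.com/connect", "https://app.examp1e-wallet.com/claim",
              "app.example-wallet.co", "https://app.example-wallets.com",
              "https://app.example-wallet.com@evil.example/", "https://docs.python.org"]:
        print(classify_url(u))
```

The skeleton step is a heuristic, so a legitimate domain with digits in it can collide with a bookmark and get flagged; that is the safe direction to fail. The bookmark itself stays the only positive signal, which is exactly the "type, don't click" rule in the next section.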

2) Website & App Hygiene (Before You Click)

  • Type, don’t click: Manually type known URLs or use your own bookmarks. Search results and ads are frequently spoofed.
  • Check domain + cert every time: Correct spelling, expected TLD, and valid HTTPS. Don’t proceed if anything feels off.
  • Use official sources only: App Stores for mobile; verified GitHub/org links for desktop; never sideload random binaries.
  • Separate browsers/profiles: Keep a “wallet profile” with no extra extensions; use another for general browsing.

3) Wallet & Signing Safety

  • Seed phrase is offline-only: Never type it into a website or share via chat. Store on paper/metal, not in screenshots or cloud notes.
  • Hardware wallet for serious funds: Confirm addresses and amounts on the device screen; reject anything unclear.
  • Read the prompt: Know what you’re signing. Avoid blind signing where possible. If the app can’t explain it, don’t sign it.
  • Use read-only mode first: Connect a watch-only wallet (no signing) to explore dApps safely before you transact.
  • Simulate transactions (when available): Prefer wallets/dApps that show decoded effects and estimated balance deltas before you approve.
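
"Read the prompt" is easier when the prompt is decoded for you. The decoder below is an added example for this guide, not code from the original page or from any wallet: it takes raw EVM calldata, recognises the three standard ERC-20/ERC-721 selectors (approve, setApprovalForAll, transfer, whose 4-byte selectors are the well-known values), and attaches a plain-language warning and risk level, flagging the unlimited allowance and collection-wide approval that drainer sites rely on. The sample calldata and the spender/recipient addresses are constructed placeholders.

```python
# Function selectors are the first 4 bytes of keccak256(canonical signature); these three
# are the standard ERC-20 / ERC-721 ones a wallet prompt most often hides behind raw hex.
SELECTORS = {
    "095ea7b3": ("approve", ["address", "uint256"]),
    "a22cb465": ("setApprovalForAll", ["address", "bool"]),
    "a9059cbb": ("transfer", ["address", "uint256"]),
}
MAX_UINT256 = 2**256 - 1
WORD = 32  # ABI-encoded static arguments are 32-byte words


def decode_word(kind: str, word: bytes):
    """Decode one ABI word; reject padding that a well-formed encoder would never emit."""
    if kind == "address":
        if any(word[:12]):
            raise ValueError("address word has non-zero padding")
        return "0x" + word[12:].hex()
    value = int.from_bytes(word, "big")
    if kind == "bool":
        if value > 1:
            raise ValueError("bool word is not 0 or 1")
        return value == 1
    return value  # uint256


def decode_calldata(calldata: str) -> dict:
    """Decode calldata and attach plain-language warnings plus a risk level."""
    raw = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    selector, body = raw[:4].hex(), raw[4:]
    result = {"function": None, "args": [], "warnings": [], "risk": "unknown"}
    if selector not in SELECTORS:
        result["warnings"].append(f"unrecognised selector 0x{selector}: signing this is blind signing")
        return result
    name, kinds = SELECTORS[selector]
    result["function"] = name
    if len(body) != WORD * len(kinds):
        result["warnings"].append("argument block has the wrong length; do not sign")
        return result
    try:
        args = [decode_word(k, body[i * WORD:(i + 1) * WORD]) for i, k in enumerate(kinds)]
    except ValueError as exc:
        result["warnings"].append(f"malformed argument: {exc}")
        return result
    result["args"] = args
    result["risk"] = "review"
    if name == "approve" and args[1] == MAX_UINT256:
        result["warnings"].append(f"UNLIMITED token allowance for {args[0]}; it can move this token any time later")
        result["risk"] = "high"
    elif name == "setApprovalForAll" and args[1]:
        result["warnings"].append(f"{args[0]} gains control of every NFT in this collection")
        result["risk"] = "high"
    elif name == "transfer":
        result["warnings"].append(f"sends {args[1]} base units to {args[0]}; confirm on the device screen")
    return result


def encode_call(selector: str, *words: str) -> str:
    """Build constructed sample calldata from a selector and 64-hex-char words."""
    return "0x" + selector + "".join(words)


# Constructed samples (addresses are placeholders, not real contracts or accounts).
SPENDER = "11" * 20
RECIPIENT = "22" * 20
SAMPLE_UNLIMITED_APPROVE = encode_call("095ea7b3", "00" * 12 + SPENDER, "ff" * 32)
SAMPLE_TRANSFER = encode_call("a9059cbb", "00" * 12 + RECIPIENT, format(10**18, "064x"))
SAMPLE_OPT_IN_ALL = encode_call("a22cb465", "00" * 12 + SPENDER, format(1, "064x"))
SAMPLE_UNKNOWN = encode_call("deadbeef", "00" * 32)

if __name__ == "__main__":
    for sample in (SAMPLE_UNLIMITED_APPROVE, SAMPLE_TRANSFER, SAMPLE_OPT_IN_ALL, SAMPLE_UNKNOWN):
        print(decode_calldata(sample))
```

Anything the decoder cannot name comes back as "unknown" rather than "review"; that mirrors the rule in the list above, where a prompt the app cannot explain is one you do not sign. A real simulation goes further and shows balance deltas, but even this static decode catches the two approval shapes behind most drains.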

4) Social Engineering Defenses

  • No private help in DMs: Real mods won’t ask for seed phrases or remote access. Route issues through official, public channels.
  • 2FA wisely: Prefer TOTP (app) over SMS. Reserve email + phone for recovery only; don’t reuse passwords across exchanges.
  • Slow down “urgent” requests: Timers and countdowns are engineered pressure. Step back; verify via an independent source.

5) On-Chain Interactions & Posture

  • Separate hot vs. cold: Use low-balance hot wallets for daily dApp use; keep treasury in cold storage with strict policies.
  • Allowlist receiving addresses: For frequent payouts, pre-approve addresses on your device to reduce clipboard risk.
  • Revoke stale connections/permissions: Periodically review connected sites and token approvals/permissions in your wallet and revoke unused ones.
  • Update firmware & clients: Keep wallet firmware, browser, and OS updated. Many attacks rely on old bugs.
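
The address allowlist above is the host-side counterpart to the clipboard hijackers and QR phish listed in section 1: both attacks count on you comparing only the first and last few characters a wallet UI shows. The checker below is an added example for this guide, not code from the original page or any wallet; the two allowlisted addresses are constructed placeholders, and it compares the whole string and calls out the "ends match, middle differs" shape specifically.

```python
import re

HEX_ADDRESS = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Constructed allowlist: label -> address previously confirmed on the device screen.
# Both values are placeholders, not real accounts.
ALLOWLIST = {
    "cold-storage": "0x1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b",
    "exchange-deposit": "0x0123456789abcdef0123456789abcdef01234567",
}


def check_recipient(pasted: str) -> dict:
    """Compare a pasted address against the allowlist using the whole string,
    not the truncated 0x1a2b...9a0b form most wallet UIs display."""
    candidate = pasted.strip()
    if not HEX_ADDRESS.match(candidate):
        return {"verdict": "reject", "reason": "not a 20-byte hex address"}
    candidate = candidate.lower()  # EIP-55 mixed case is a checksum, not a different account
    for label, good in ALLOWLIST.items():
        if candidate == good.lower():
            return {"verdict": "allow", "label": label}
    # Not an exact match. A clipboard hijacker or address-poisoning attacker tunes the
    # visible prefix/suffix to match a known address, so flag that case explicitly.
    for label, good in ALLOWLIST.items():
        good = good.lower()
        if candidate[2:6] == good[2:6] and candidate[-4:] == good[-4:]:
            return {"verdict": "reject", "label": label,
                    "reason": f"matches {label} only at the ends; probable clipboard swap or poisoned address"}
    return {"verdict": "reject", "reason": "not on the allowlist; confirm on the device screen before adding"}


if __name__ == "__main__":
    print(check_recipient(ALLOWLIST["cold-storage"]))
    print(check_recipient("0x" + ALLOWLIST["cold-storage"][2:].upper()))
    print(check_recipient("0x1a2b" + "0" * 32 + "9a0b"))   # constructed poisoned look-alike
    print(check_recipient("0x" + "ab" * 20))                # unknown address
    print(check_recipient("0x1234"))                        # malformed
```

The rejection for a near-match is deliberately louder than for an unknown address, because a near-match almost never happens by accident. Whatever the software says, the final comparison still happens on the hardware wallet screen, as the checklist below repeats.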

Red Flags (Treat as Automatic “No”)

  • “Guaranteed” high returns or double-your-crypto offers.
  • Being asked for your seed phrase, “private key check,” or to install remote-desktop software.
  • Multiple rapid signature prompts that don’t clearly map to your intended action.
  • Links sent by strangers or newly created accounts—even if they look like staff.
  • Websites that only work if you disable your wallet warnings or enable blind signing.

Quick Daily Checklist

  1. Open bookmarked sites; never click random links.
  2. Confirm domain + TLS; use a clean browser profile for wallet actions.
  3. Double-check recipient addresses on the device screen (hardware wallet).
  4. Read every signing prompt; simulate if possible.
  5. Keep hot-wallet balances minimal; move profits to cold storage.

What’s Next

Up next: Key Management and Recovery — set up seed storage that survives device loss, automate safe restores, and use hardware wallets/multisig for resilience.