Skip to content
Security

How to Avoid Crypto Wallet Scams and Phishing Attacks

Most stolen crypto is not hacked, it is handed over by users tricked into signing or revealing secrets. Learn the common scams and how to defend against them.

Sofia Lindqvist

Explainers Lead · Jun 14, 2026 · 7 min read

PHISHING

The uncomfortable truth of self-custody is that the weakest link is rarely the cryptography. Modern wallets are extremely hard to break mathematically, so attackers do not try. Instead they target the person holding the keys. Almost all wallet losses come from social engineering: tricking you into revealing a secret or approving a malicious transaction yourself. Learning to spot these patterns is the single highest-value security skill for a beginner.

Why do scams work better than hacking?

Guessing a private key by brute force is not realistically possible with today's computing. So attackers shift the battlefield from the code to your attention and emotions. They manufacture urgency ("your wallet is compromised, act now"), authority ("official support"), or greed ("claim your free airdrop"). Under pressure, people skip the verification steps that would have protected them.

No legitimate wallet, exchange, or support team will ever ask for your seed phrase or private key. Anyone who does is trying to rob you. There are no exceptions to this rule.

What are the most common wallet scams?

The specific tactics evolve, but they cluster into a handful of recognisable categories. Knowing the shape of each one lets you spot new variations.

  • Seed-phrase phishing: A fake wallet website, pop-up, or "support" chat asks you to "verify" or "restore" by entering your recovery phrase. Handing it over gives them everything instantly.
  • Fake apps and extensions: Counterfeit wallet apps in app stores or browser extension stores look identical to the real thing but steal your seed the moment you enter it. Always install from the official source linked on the project's verified site.
  • Malicious approvals: On smart-contract networks, you grant apps permission to move specific tokens. A scam site can request an approval that lets it drain a token later. You signed it, so the transfer looks legitimate to the network.
  • Address poisoning: An attacker sends you a tiny transaction from an address that looks similar to one you use, hoping you later copy it from your history and send funds to them.
  • Impersonation and giveaways: Fake support accounts, cloned social profiles, and "send 1 and receive 2 back" offers. If it sounds too generous, it is bait.

How can you protect yourself in practice?

Defence is mostly a set of calm, repeatable habits rather than technical expertise. Build these into your routine and most attacks simply bounce off.

  • Slow down. Urgency is the scammer's main tool. Any message pushing you to act immediately deserves more suspicion, not less.
  • Never type your seed phrase anywhere but your own wallet during setup. Treat any request for it as automatically hostile.
  • Read what you are signing. Modern wallets show what a transaction does. If you are just connecting to view a site, it should not need permission to move your funds. Reject requests you do not understand.
  • Verify addresses fully. Check the first and last several characters, and ideally the middle too. Do not rely on the ends alone. Send a small test amount first for large transfers.
  • Bookmark official sites. Reach apps through your own saved bookmarks, not through search ads or links in messages, which are frequently spoofed.
  • Use a hardware wallet for real value. It forces you to physically confirm transactions and keeps your key off the internet, blocking most remote theft.

What should you do if you think you have been targeted?

Speed matters. If you suspect a wallet is compromised, move any remaining funds to a brand-new wallet with a freshly generated seed phrase immediately, starting with the most valuable assets. Do not reuse the old seed phrase, because the attacker may already have it.

If you granted a token approval to a suspicious app, use a reputable approval-management tool to revoke that permission so it can no longer pull your tokens. Going forward, keep long-term holdings in cold storage and use a separate small hot wallet for interacting with unfamiliar apps, so a bad approval can only ever touch a limited balance. The mindset that keeps you safe is simple: assume every unsolicited message is a scam until you have independently proven otherwise, and never let anyone rush you.

This article is educational information, not financial advice.

Share
Sofia Lindqvist

Explainers Lead

Sofia turns dense on-chain mechanics into plain English. She writes Coin Currents Daily's Learn desk and edits the glossary.