Phishing attacks are one of the most common ways cryptocurrency users lose their funds. Unlike technical hacks, phishing relies on tricking you into voluntarily giving up your keys or sending funds to the wrong address. Understanding these attacks is your best defense.
What Is Phishing?
Phishing is a social engineering attack where criminals impersonate legitimate services to steal your information or funds. In the cryptocurrency world, phishing typically aims to:
- Steal your recovery seed phrase
- Get you to send funds to a scammer's address
- Trick you into approving malicious transactions
- Gain access to your exchange accounts
Common Cryptocurrency Phishing Tactics
Fake Support Representatives
Scammers pose as customer support on social media, Telegram, or Discord. They typically:
- Reach out proactively when you post about an issue
- Direct you to a "support portal" to verify your wallet
- Ask for your seed phrase to "sync" or "validate" your wallet
- Claim they need remote access to help you
Remember: Legitimate support will NEVER ask for your seed phrase or private keys. Ever.
Fake Websites
Scammers create convincing copies of legitimate websites with slightly different URLs:
- metamask.io becomes metamask-wallet.io or metamask.com
- uniswap.org becomes uniswap.exchange or uniswäp.org
- ledger.com becomes ledger-support.com
These fake sites ask you to enter your seed phrase or to connect your wallet so the scammer can drain your funds. Always verify URLs carefully and bookmark legitimate sites.
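As an added example (not from the original article or from any wallet vendor), the Python check below compares a URL's host against an allowlist of the three legitimate domains named above and flags the impostor patterns in the list. The function names, the 0.85 similarity threshold and the sample URLs are assumptions made for this example.

```python
import difflib
import unicodedata
from urllib.parse import urlsplit

# Assumption: the allowlist is the three legitimate domains the article names.
TRUSTED = ("metamask.io", "uniswap.org", "ledger.com")

def hostname(url):
    """Lower-cased host of a URL; a bare domain is accepted too."""
    if "//" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".")

def fold(text):
    """Strip accents so accented look-alike letters compare equal (ä -> a)."""
    # Cyrillic or Greek twins need a confusables table; not covered here.
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def similar(a, b):
    """True when two labels differ by only a character or two."""
    return difflib.SequenceMatcher(None, a, b).ratio() >= 0.85

def classify(url):
    """Return 'trusted', 'lookalike:<domain it imitates>' or 'unknown'."""
    host = hostname(url)
    if any(host == t or host.endswith("." + t) for t in TRUSTED):
        return "trusted"
    labels = fold(host).split(".")
    for t in TRUSTED:
        brand = t.split(".")[0]
        # Brand on another TLD, brand plus extra words, or an accented twin.
        if any(brand in label for label in labels):
            return "lookalike:" + t
        # Near-miss spelling of the brand in any label.
        if any(similar(brand, label) for label in labels):
            return "lookalike:" + t
    return "unknown"

# Constructed sample input: impostor names quoted in the article plus controls.
SAMPLES = [
    "https://metamask.io/download", "https://app.uniswap.org/swap",
    "metamask-wallet.io", "metamask.com", "uniswap.exchange",
    "https://uniswäp.org", "ledger-support.com",
    "http://uniswap.org.example.net/login", "metamsk.io", "example.org",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:40} {classify(sample)}")
```

A result of "unknown" only means the host does not resemble an allowlisted domain; it is not a statement that the site is safe.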
Malicious Airdrops and NFTs
You might receive unexpected tokens or NFTs in your wallet. When you try to interact with them:
- The token contract might drain your wallet when you approve a transaction
- An NFT might link to a phishing site
- Selling the token might trigger a malicious contract
Rule: Do not interact with unexpected tokens or NFTs. Just ignore them.
Clipboard Hijacking
Malware on your computer replaces cryptocurrency addresses when you copy and paste them. You copy a legitimate address, but a different (attacker's) address gets pasted.
Defense: Always verify addresses on your hardware wallet screen before confirming. The hardware wallet shows the actual destination, regardless of what your computer displays.
Email Phishing
Fake emails that appear to come from exchanges, wallet providers, or other services:
- "Your account has been locked - click here to verify"
- "New security update required - enter your seed phrase"
- "Congratulations! You won X crypto - claim now"
Never click links in emails. Go directly to the official website by typing the address.
How Hardware Wallets Protect You
Hardware wallets provide several layers of phishing protection:
- Address Verification: You can verify the actual destination address on the device screen, defeating clipboard attacks
- Transaction Review: You see exactly what you are signing before confirming
- Physical Confirmation: Attackers cannot approve transactions remotely
- Isolation: Your seed phrase never needs to be entered on a computer
Red Flags to Watch For
- Anyone asking for your seed phrase for any reason
- Urgency ("Act now or lose access")
- Unsolicited contact about your wallet or funds
- Offers that seem too good to be true
- Requests to install remote access software
- Slightly misspelled URLs or domain names
- Poor grammar or spelling in official communications
Best Practices for Protection
- Bookmark legitimate sites and always use your bookmarks
- Verify URLs carefully before entering any information
- Never enter your seed phrase anywhere except your hardware wallet
- Use hardware wallet verification for all transactions
- Be skeptical of all unsolicited contact
- Enable 2FA on all exchange accounts
- Use unique, strong passwords for each service
- Do not rush - take time to verify before confirming
What to Do If You Are Targeted
If you realize you have been targeted by a phishing attempt:
- Do not provide any information or click any links
- If you entered your seed phrase anywhere, immediately transfer all funds to a new wallet with a new seed
- Report the phishing attempt to the legitimate company being impersonated
- Report the attack to relevant authorities and community watchdogs
Critical Reminder
Xfwallet will NEVER ask for your recovery seed phrase through email, social media, phone, or any other channel. Anyone who asks for your seed phrase is attempting to steal your funds.