Phishing is responsible for more crypto losses than any other attack vector. Not blockchain hacks, not exchange hacks — just fake websites and emails tricking people into giving up their passwords and seed phrases.
Here’s how every common phishing attack works and exactly how to avoid it.
1. Fake Exchange Websites
How it works: You search “Coinbase login” on Google. An ad at the top of the results links to coinbase-login.com (not coinbase.com). You enter your username and password. The scammer captures them and drains your account.
How to avoid:
- Bookmark exchange URLs in your browser (never search for them)
- Always check the URL before entering credentials
- Use a password manager — it auto-fills only on the correct domain
- Ignore Google ads for exchanges (they’re often fake)
2. Fake Wallet Apps
How it works: You search the App Store or Google Play for “MetaMask.” A fake app with a similar name and icon appears. You install it and enter your seed phrase to “restore” your wallet. The scammer now has your seed phrase.
How to avoid:
- Download wallet apps only from the official website (linked from the project’s Twitter/GitHub)
- Check the developer name and download count
- Legitimate wallets have millions of downloads, not thousands
- Read recent reviews — fake apps often carry obviously fabricated 5-star reviews
3. Seed Phrase Phishing
How it works: You receive an email: “Your wallet has been compromised. Verify your seed phrase to secure your funds.” You enter your 12 or 24 words. Your wallet is drained.
Variations:
- “MetaMask security update — re-enter your seed phrase”
- “Ledger data breach — verify your recovery phrase”
- “Your wallet is being migrated — enter your seed phrase to claim new tokens”
How to avoid:
- Never enter your seed phrase into any website, ever. No legitimate service asks for it.
- MetaMask will never email you
- Ledger will never ask for your recovery phrase
4. Twitter/X Scams
How it works: A hacked verified account (or account impersonating a crypto project) tweets: “We’re giving away 100 ETH! Send 0.1 ETH to this address to verify and receive 1 ETH back.”
Common variations:
- “Elon Musk is giving away Bitcoin! Send 1 BTC to this address”
- “NFT mint for a famous project — click this link”
- “Claim your free airdrop — connect your wallet”
How to avoid:
- No legitimate giveaway asks you to send money first
- Check the account’s history (not just the name)
- Real crypto projects never DM you about giveaways
- Hover over links to see their real destination, but don’t click them
5. Fake Airdrop Websites
How it works: A new token airdrop is announced. You visit the “claim” website and connect your wallet. The website asks you to “sign” a transaction. That transaction is a token approval, and signing it grants the scammer permission to spend your tokens.
How to avoid:
- Only claim airdrops from the official project website
- Verify the URL on the project’s official Twitter and Discord
- Check what you’re signing (MetaMask shows what permissions you’re granting)
- Never give unlimited token approval to unknown contracts
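To make “check what you’re signing” concrete, here is an added example (not code from the original page or from any wallet project) that decodes the raw calldata of an ERC-20/ERC-721 approve or setApprovalForAll call and flags an unlimited allowance. The two 4-byte selectors are the standard ones; the spender address and amounts are constructed placeholders.

```python
# Decode a wallet approval request from raw calldata and rate its risk.
# Selectors are the standard keccak-derived 4-byte IDs for these functions.
SELECTORS = {
    "095ea7b3": "approve",            # approve(address spender, uint256 amount)
    "a22cb465": "setApprovalForAll",  # setApprovalForAll(address operator, bool approved)
}
UINT256_MAX = 2**256 - 1  # the "unlimited" allowance value wallets warn about


def decode_approval(calldata: str) -> dict:
    """Return a dict describing what the calldata would authorise."""
    raw = calldata.lower()
    raw = raw[2:] if raw.startswith("0x") else raw
    if len(raw) < 8:
        raise ValueError("calldata shorter than a function selector")
    selector, args = raw[:8], raw[8:]
    name = SELECTORS.get(selector)
    if name is None:
        return {"function": None, "selector": selector, "risk": "unknown function: do not sign blindly"}
    # ABI arguments are 32-byte (64 hex char) words; both functions take exactly two.
    words = [args[i:i + 64] for i in range(0, len(args), 64)]
    if len(words) < 2 or any(len(w) != 64 for w in words[:2]):
        raise ValueError("truncated calldata")
    # An address occupies the low 20 bytes of its word; the high 12 bytes must be zero.
    if words[0][:24] != "0" * 24:
        raise ValueError("malformed address word")
    target = "0x" + words[0][24:]
    if name == "approve":
        amount = int(words[1], 16)
        unlimited = amount == UINT256_MAX
        return {"function": name, "spender": target, "amount": amount, "unlimited": unlimited,
                "risk": "HIGH: spender may drain the entire balance" if unlimited else "limited allowance"}
    approved = int(words[1], 16) != 0
    return {"function": name, "operator": target, "approved": approved,
            "risk": "HIGH: operator may move every token in the collection" if approved else "revocation"}


# Constructed sample: approve(0x1111...1111, 2**256-1), i.e. an unlimited allowance.
SAMPLE_UNLIMITED = "0x095ea7b3" + "0" * 24 + "11" * 20 + "f" * 64
# Constructed sample: approve(0x1111...1111, 1000), a bounded allowance.
SAMPLE_LIMITED = "0x095ea7b3" + "0" * 24 + "11" * 20 + "0" * 61 + "3e8"
```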
6. SIM Swap Attacks
How it works: An attacker calls your phone carrier, claims to be you, and requests a SIM transfer to a new phone. Your phone number is now under their control. They use SMS 2FA to reset your exchange passwords and withdraw your funds.
How to avoid:
- Remove SMS 2FA from all crypto accounts (use authenticator apps)
- Add a SIM swap PIN with your phone carrier (a password required to make account changes)
- Use Google Voice or a VoIP number for SMS 2FA (harder to SIM swap)
7. Fake Customer Support
How it works: You post a complaint on Reddit or Twitter about an exchange issue. A fake “support account” replies: “Sorry for the trouble. DM us and we’ll help.” They ask for your login details or seed phrase to “investigate.”
How to avoid:
- Legitimate support never DMs you first
- Only contact support through the official website
- Never give login credentials to “support agents”
8. DNS Hijacking
How it works: An attacker takes over an exchange’s domain name system (DNS) settings. When you type kraken.com, it redirects you to a phishing site that looks identical. You enter your credentials, and the attacker captures them.
How to avoid:
- Verify SSL certificates (click the padlock icon in your browser)
- Use a hardware security key (YubiKey) for 2FA — phishing sites can’t authenticate with your physical key
- Check the URL carefully before entering credentials
9. Malicious Browser Extensions
How it works: You install a browser extension that claims to “improve MetaMask” or “track crypto prices.” The extension reads your browser data, captures your wallet password, and sends it to the attacker.
How to avoid:
- Minimize browser extensions (fewer extensions = lower attack surface)
- Only install extensions from official stores with high ratings and many users
- Check permissions (does a price tracker need access to all website data?)
- Remove extensions you don’t use
10. Fake Investment Apps
How it works: You download an app that promises “10% daily returns” or “AI-powered crypto trading.” You deposit funds. The app shows fake profits. When you try to withdraw, there’s an “issue” requiring more deposits. Eventually the app disappears.
How to avoid:
- If it sounds too good to be true, it is
- Check if the app is registered with financial regulators
- Search for the app name + “scam” before depositing
- Never install apps from unverified sources
Phishing Red Flags Checklist
- URL looks slightly wrong (co1nbase.com instead of coinbase.com)
- Email has typos or poor grammar
- Message creates urgency (“Act now!” “Your account will be closed!”)
- Asking for your seed phrase or private keys
- “Free money” offers (giveaways, airdrops requiring payment)
- Unsolicited DMs from “support” accounts
- Requests to install remote access software (AnyDesk, TeamViewer)
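The URL checks in sections 1 and 8 and the first checklist item above can be automated. This is an added example (not from the original page): it classifies a URL against an allowlist of assumed exchange/wallet domains, normalises digit-for-letter homoglyphs, and flags hosts that embed or nearly match a known brand. The allowlist and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist of legitimate domains (constructed for this example).
KNOWN_DOMAINS = {"coinbase.com", "kraken.com", "metamask.io"}
# Digits commonly substituted for letters in typosquats (co1nbase, c0inbase, ...).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (substitution, insertion, deletion)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive registrable domain: last two labels (www.coinbase.com -> coinbase.com)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_url(url: str) -> str:
    """Return 'trusted', 'lookalike', 'unknown' or 'invalid' for a URL."""
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"
    if registrable_domain(host) in KNOWN_DOMAINS:
        return "trusted"
    brands = {d.split(".")[0] for d in KNOWN_DOMAINS}
    # A known brand inside any label (coinbase-login.com, coinbase.com.evil.net)
    # or one edit away from it after homoglyph normalisation is a lookalike.
    for label in host.split("."):
        norm = label.translate(HOMOGLYPHS)
        for brand in brands:
            if brand in norm or levenshtein(norm, brand) <= 1:
                return "lookalike"
    return "unknown"
```

A password manager applies the same logic implicitly: it auto-fills only when the registrable domain matches exactly.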
What to Do If You’ve Been Phished
- Move remaining funds to a new wallet immediately (new seed phrase)
- Revoke all token approvals on Revoke.cash
- Change passwords on all related accounts
- Scan your device for malware
- Report the phishing site to Google Safe Browsing
- Accept the loss and learn — most phishing losses are irreversible
Verdict
Phishing is the #1 threat to your crypto. The blockchain is secure. You are the weakest link.
The solution is simple: never click links, never enter your seed phrase online, use authenticator apps not SMS, and verify everything.
Phishing threads are the most common type of “I lost my crypto” post on BitcoinTalk. In every case, the person clicked a link they shouldn’t have. Don’t be that person.