CryptoKeySafe
Threat Prevention | Beginner | 12 min read | December 15, 2025

Recognizing Crypto Phishing Attacks

Real examples of phishing targeting wallet connections, token approvals, and social engineering through Discord and Telegram. How each attack works and how to verify before you click.

How Crypto Phishing Differs From Traditional Phishing

Traditional phishing steals passwords, which can be reset. Crypto phishing steals private keys or tricks you into signing transactions, which cannot be reversed. There are three main crypto phishing attack types: seed phrase phishing (a fake site asks you to enter your recovery phrase), approval phishing (a malicious dApp tricks you into granting unlimited token approvals), and signature phishing (you sign a message that appears harmless but actually authorizes a token transfer). In all three cases, the transaction is final. There is no bank to call, no chargeback to file. The moment you sign, the funds are gone.

Real Attack Examples

Fake MetaMask popups that appear over legitimate sites, requesting seed phrase entry for 'verification.' Discord DMs from accounts impersonating project moderators, linking to cloned mint sites with one-character domain differences (uniswap.org vs un1swap.org). Fake Uniswap frontends served through Google Ads that appear above the real result in search. Telegram groups where 'admins' pin messages with phishing links disguised as airdrop claims. Twitter/X accounts with verified checkmarks promoting fake token migrations. In every case, the sites look identical to the real ones; the only difference is the URL.

URL Verification Techniques

Check the full URL character by character. Attackers use punycode (international characters that look like Latin letters), subdomain tricks (metamask.io.phishing-site.com looks like metamask.io at a glance), and typosquatting (metamsk.io, metamnask.io). Bookmark the real URLs for every service you use and only access them through bookmarks. Never click links in emails, DMs, tweets, or Telegram messages. If someone sends you a link, type the URL manually. Check the SSL certificate: click the padlock icon and verify the certificate was issued to the correct organization. Free SSL certificates (Let's Encrypt) are used by both legitimate sites and phishing sites, so SSL alone does not guarantee safety.
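
The three URL tricks above can also be checked mechanically against your bookmark list. The following is an added example, not code from CryptoKeySafe: the function names, the two-entry allowlist and the edit-distance threshold of 2 are assumptions, and it compares only the last two host labels rather than consulting a public-suffix list.

```python
from urllib.parse import urlsplit

# Assumption: your own bookmark list; these two domains are the page's examples.
TRUSTED = {"metamask.io", "uniswap.org"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url: str, trusted=TRUSTED) -> str:
    """Label a URL's host: trusted, punycode, subdomain-trick, typosquat, unknown."""
    try:
        host = (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:
        return "invalid"
    if not host:
        return "invalid"
    # Exact bookmark match, or a real subdomain of a bookmarked domain.
    if any(host == t or host.endswith("." + t) for t in trusted):
        return "trusted"
    labels = host.split(".")
    # Non-ASCII letters or an xn-- label: possible look-alike characters.
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return "punycode"
    # Trusted name used as a prefix of someone else's domain.
    if any(host.startswith(t + ".") or f".{t}." in host for t in trusted):
        return "subdomain-trick"
    # One or two edits away from a bookmarked domain.
    base = ".".join(labels[-2:])
    if any(edit_distance(base, t) <= 2 for t in trusted):
        return "typosquat"
    return "unknown"  # not on the allowlist; this does not mean safe

if __name__ == "__main__":
    samples = [  # page examples plus one constructed Cyrillic look-alike
        "https://uniswap.org/swap", "https://un1swap.org",
        "https://metamask.io.phishing-site.com/login",
        "https://metamsk.io", "https://m\u0435tamask.io",
    ]
    for u in samples:
        print(f"{classify(u):16} {u}")
```

Only "trusted" is a positive result; every other label, including "unknown", means the host is not one you bookmarked.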

Wallet Connection Safety

When a site requests a wallet connection, read what permissions you're granting. A legitimate DEX needs permission to read your address and request transaction signatures; it should NOT ask for your seed phrase. If a wallet connection popup asks for anything more than address access, disconnect immediately. Use a dedicated browser or browser profile for crypto transactions. Do not connect your wallet to random sites, NFT mints you saw on social media, or 'airdrop claim' pages. Every connection is a potential attack surface. Revoke unnecessary connections regularly through your wallet's connected sites settings.

What To Do If You Clicked

If you entered your seed phrase on a suspicious site: immediately create a new wallet on a clean device, transfer ALL assets from every chain to the new wallet addresses, and consider the old wallet permanently compromised. Do this within minutes, because attackers often use automated sweeper bots that drain wallets within seconds of receiving a seed phrase. If you signed a suspicious transaction: check what you approved using Etherscan or the relevant block explorer. If you granted token approvals, revoke them immediately using revoke.cash. Move assets that haven't been drained to a new wallet. Speed is everything; every second counts.