If rug pulls exploit the permissionless nature of DeFi, phishing and social engineering exploit the most reliable vulnerability in any security system: the human using it. Technical security can be nearly perfect - hardware wallets, multi-factor authentication, strong passwords - but a single successful phishing attempt can bypass all of it by tricking the user into voluntarily handing over the information or approval needed to drain their wallet. This lesson covers the specific techniques used in crypto phishing attacks - not in abstract terms, but in the exact forms they appear - so that when you encounter them, you recognise them immediately.
How Phishing Works in Crypto
Crypto phishing takes many forms but follows a consistent structure: the attacker creates a communication or environment that appears legitimate, induces the victim to take a specific action (entering a seed phrase, approving a transaction, clicking a link), and uses that action to steal funds.
Website phishing: A website that looks identical to MetaMask, Ledger, Coinbase, or Uniswap - created with a URL that appears legitimate at a glance (metarnask.com, ledqer.com). The victim types their seed phrase to 'restore' or 'verify' their wallet. The seed phrase is captured immediately. The attacker drains all funds within minutes.
Email phishing: An email appearing to come from a legitimate exchange or wallet provider - 'Your account has been compromised. Click here immediately to secure it.' The link leads to a phishing site, where the victim's login credentials are captured.
Search ad phishing: A Google search for 'MetaMask' or 'Uniswap' returns a paid advertisement for a phishing site above the legitimate result. The victim clicks the ad and lands on the fake site. All subsequent interactions are compromised.
Airdrop phishing: 'You have received 1,000 [token].' 'Connect your wallet to claim.' Connecting the wallet triggers a transaction approval that drains the wallet.
Fake Wallet Applications
Fake wallet applications are a particularly dangerous phishing vector because they appear in official app stores - Google Play and Apple App Store - despite platform screening. Fake Ledger Live, MetaMask, and Trust Wallet applications have periodically appeared in app stores, collecting seed phrases from users who believed they were installing legitimate software.
The fake wallet typically works in one of two ways: it displays a seed phrase generation screen that records the phrase as the user writes it down, or it asks the user to enter their existing seed phrase to 'import' their wallet - immediately transmitting the phrase to the attacker.
RULE 1: Only install wallet applications from the official developer website (e.g., ledger.com, metamask.io, trustwallet.com). Verify the developer name matches exactly.
RULE 2: Check reviews and download counts. Fake apps have few reviews and recent installation dates, whereas real ones have millions of downloads.
RULE 3: Any application that asks for your seed phrase to set up a NEW wallet is malicious. A new wallet generates a new seed phrase - it never needs your existing one.
Discord and Telegram Scams
Discord and Telegram are the primary community platforms for crypto projects - and the primary attack surfaces for social engineering in the ecosystem.
Fake admin DMs: You join a crypto project Discord. Within minutes, someone DMs you claiming to be an admin or moderator. Admins of legitimate projects NEVER DM first. If someone DMs you claiming to be an admin - it is a scam.
Fake giveaway announcements: Hacked accounts post fake giveaways. Any 'send to receive' (e.g., 'Send 0.1 ETH to verify and get 1 ETH back') is always a scam.
Compromised server links: Bots post malicious links in project servers, claiming an urgent migration, to trick you into signing approvals that drain your wallet.
Investment advice DMs: Group members DM you claiming to have high-conviction trades and guide you to fake broker platforms.
The Fake Support Scam
The fake support scam targets users who have a genuine problem with a crypto product and seek help through search engines or social media. The attacker creates fake support pages that rank highly in searches for terms like 'Ledger support' or 'MetaMask help.' When the victim contacts the fake support, they are guided through a 'recovery process' that requires entering their seed phrase.
Variations appear on Twitter/X, where attackers monitor official company accounts for mentions and reply to users experiencing problems with a fake support account using a near-identical username. The victim, already stressed by their technical problem, follows the support guidance and loses their funds.
Protecting Yourself
Seed phrase rules: NEVER enter your seed phrase on any website. NEVER type it into any digital device under any circumstances - only enter it directly into the hardware device itself. No exceptions.
URL rules: Bookmark crypto sites. Never search Google for exchanges or wallets; access them via secure bookmarks or direct address inputs.
Communication rules: Admins never DM first. Support never requests seed phrases. Urgency is always a red flag.
Device rules: Install reputable security software. Verify clipboard addresses carefully before clicking send (clipboard hijackers swap addresses).
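The look-alike hosts quoted under website phishing (metarnask.com, ledqer.com) and the bookmark rule above can be turned into an automated check before a link is opened. The Python below is an added example, not part of the original lesson: the allowlist holds the three domains named in RULE 1, while the confusable-character table, the two-label domain rule (no public-suffix list) and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Allowlist of bookmarked official domains (the three named in RULE 1).
OFFICIAL = {"ledger.com", "metamask.io", "trustwallet.com"}
# Assumed table of swaps that read alike at a glance: "rn" for "m", "q" for "g".
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("q", "g"), ("0", "o"), ("1", "l"))


def registrable(host):
    """Last two labels of the host. Simplification: no public-suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def skeleton(label):
    """Collapse confusable sequences so look-alike spellings compare equal."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return 'official', 'lookalike' or 'unknown' for the URL's host."""
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()
    if registrable(host) in OFFICIAL:
        return "official"
    brands = {d.split(".")[0] for d in OFFICIAL}
    for label in host.replace("-", ".").split("."):
        for brand in brands:
            if skeleton(label) == brand or edit_distance(label, brand) <= 1:
                return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed inputs; the two look-alike hosts are the ones quoted in this lesson.
    for u in ("https://metamask.io/download", "metarnask.com", "ledqer.com", "https://metamask.io.login.example/"):
        print(u, "->", classify(u))
```

A result of 'unknown' only means the host resembles nothing on the allowlist; it is not a statement that the site is safe.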