How to Keep Your Crypto Safe: Avoid Scams, Phishing & Hacks

By CryptoMarketDashboard Editorial Team · Updated June 12, 2026 · 8 min read

Educational content · reviewed for accuracy · not financial advice

Quick answer

Crypto transactions are irreversible — there is no bank to call. Keep your crypto safe by storing the seed phrase offline, using a hardware wallet for large amounts, enabling app-based two-factor authentication, and never clicking unsolicited links or sharing your private key with anyone.

The single most important thing to understand about cryptocurrency is that transactions cannot be reversed. If someone drains your wallet or you send funds to the wrong address, no company, no government agency, and no support team can get that money back. Keeping your crypto safe is therefore not optional — it is the foundation of using crypto responsibly. This guide walks you through the most effective defences, the most common scams targeting beginners, and the daily habits that separate people who hold their crypto long-term from those who lose it.

Before you do anything else, track the big picture at our crypto market dashboard so you understand what you own and how much is at stake.

Self-Custody vs Leaving Funds on an Exchange

When you buy crypto on a centralised exchange (a platform where you sign up with an email and deposit money), the exchange holds your private keys. You do not own the crypto outright — you own an IOU from the exchange. This matters because:

  • Exchanges can be hacked. Several major platforms have lost hundreds of millions of dollars in customer funds.
  • Exchanges can freeze withdrawals. During periods of financial stress, some platforms have locked users out for weeks or months.
  • Exchange insolvency is real. If a platform goes bankrupt, your funds may become part of a lengthy legal process.

The phrase "not your keys, not your coins" exists for good reason. For any amount you cannot afford to lose, move funds into a wallet where you control the private key. Exchanges are fine for active trading, but they are not safe long-term storage.

Protect Your Seed Phrase Above Everything Else

When you create a self-custody wallet, you receive a seed phrase — typically 12 or 24 ordinary English words. This phrase is the master key to every account in that wallet. Anyone who has it can drain all your funds instantly, from anywhere in the world.

Our dedicated guide on what a seed phrase is and how to protect it covers this in depth, but the essentials are:

  • Write it on paper. Never store it in a screenshot, a notes app, cloud storage, or an email draft.
  • Store it offline. A fireproof metal backup plate is more durable than paper, but paper in a sealed envelope in a secure location is better than any digital copy.
  • Never type or speak it. No legitimate wallet, exchange, or support agent will ever ask for your seed phrase. If anyone asks, it is a scam.
  • Make a second physical copy. Keep it in a separate location in case of fire or flood.

Losing your seed phrase means losing access to your funds permanently if your device fails. Sharing it means losing your funds immediately.

Use a Hardware Wallet for Large Amounts

A hardware wallet is a small physical device — similar to a USB drive — that stores your private key offline and signs transactions without exposing the key to your internet-connected computer. Even if your computer is infected with malware, the key cannot be extracted.

If you hold more than a few hundred dollars in crypto, a hardware wallet is the single most effective security upgrade you can make. Our guide to the types of crypto wallets explains what to look for. Buy hardware wallets only from the manufacturer's official website — second-hand devices or marketplace listings can be pre-compromised.

For smaller amounts or day-to-day spending, a software (hot) wallet on your phone is acceptable, but understand the trade-offs explained in our hot wallet vs cold wallet guide.

Enable App-Based Two-Factor Authentication (Not SMS)

Two-factor authentication (2FA) adds a second verification step when you log in to exchanges or wallet services. However, not all 2FA is equal:

  • SMS 2FA is weak. Attackers can perform SIM-swapping — convincing your phone carrier to transfer your number — and then intercept your text codes. Many people have lost significant funds this way.
  • App-based 2FA is much stronger. Apps like Google Authenticator or Authy generate time-limited codes locally on your phone, without any network request that can be intercepted.

Switch every crypto account you own from SMS 2FA to an authenticator app. Write down the backup codes and store them safely offline alongside your seed phrase notes.

Recognise Phishing Sites and Fake Apps

Phishing is one of the most common ways beginners lose funds. Attackers build near-perfect copies of popular wallet or exchange websites and drive traffic to them through:

  • Paid ads that appear above the real site in search results
  • Fake links shared in Telegram, Discord, or Twitter/X messages
  • Emails that appear to come from a legitimate platform
  • Fake browser extensions that mimic real wallet apps

How to protect yourself:

  • Bookmark the official URLs of every exchange and wallet you use. Navigate from your bookmark, not from a search result or link.
  • Check the URL character by character. Attackers use tricks like "binance.com.login-verify.net" or substitute look-alike characters.
  • Install browser extensions only from official documentation links. Search for the wallet's official site first, then follow their extension link — never search the extension store and pick the top result.
  • Treat every unsolicited message, even from apparent friends, as suspicious. Accounts get hacked and used to send phishing links.

If a site asks for your seed phrase to "verify your wallet" or "recover access," close the tab immediately. That is always a scam.
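One way to automate the "check the URL" rule above (an added example, not code from the original guide): compare the right-hand end of the hostname against your own bookmarked domains and reject look-alike characters. The `BOOKMARKED` set is an assumed, constructed list.

```python
from urllib.parse import urlsplit

# Assumption: the domains you have bookmarked yourself (constructed list).
BOOKMARKED = {"binance.com", "coinbase.com", "metamask.io"}

def check_url(url, trusted=BOOKMARKED):
    """Return (verdict, reason) for a link before it is opened."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https":
        return ("reject", "not https")
    if not host:
        return ("reject", "no hostname")
    # "https://binance.com@other.example/" really goes to other.example.
    if parts.username is not None:
        return ("reject", "text before '@' is not the site name")
    # Look-alike characters show up as non-ASCII or punycode (xn--) labels.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return ("reject", "non-ASCII or punycode label in hostname")
    # The site that receives the request is named by the END of the hostname.
    for domain in trusted:
        if host == domain or host.endswith("." + domain):
            return ("ok", "matches bookmarked domain " + domain)
    # A trusted name elsewhere in the hostname is the subdomain trick.
    for domain in trusted:
        if domain in host:
            return ("reject", domain + " appears in " + host
                    + " but the hostname does not end with it")
    return ("unknown", "not a bookmarked domain")

if __name__ == "__main__":
    for sample in ("https://www.binance.com/en/login",
                   "https://binance.com.login-verify.net/verify"):
        print(sample, "->", check_url(sample))
```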

Fake Support Agents and Social Engineering

Crypto platforms do not have live chat agents who will message you first. Yet impersonators flood social media, pretending to be customer support for Coinbase, MetaMask, Ledger, Binance, and others. They find users who post complaints or questions publicly and send direct messages offering help.

The script almost always ends the same way: they will ask you to visit a link, install remote-access software, or enter your seed phrase to "recover" your wallet. Once you comply, your funds are gone.

Rules that eliminate this risk:

  • Never share your seed phrase or private key with anyone, for any reason.
  • Never install remote-access software (TeamViewer, AnyDesk, etc.) at the request of someone who contacted you.
  • Only seek support through official channels found on the platform's verified website.

Token Approval Scams and How to Revoke Access

When you interact with DeFi applications or NFT platforms, you are often asked to "approve" a smart contract to spend your tokens. Malicious projects abuse this mechanism to drain your wallet after you approve them unlimited access.

This attack is surprisingly easy to fall for because it looks identical to a legitimate DeFi interaction.

How to stay safe:

  • Only approve contracts from projects you have thoroughly researched — our guide on how to research crypto before buying covers the checks worth running first.
  • When you approve, set a specific spending limit rather than unlimited approval if the interface allows it.
  • Regularly audit and revoke token approvals using tools such as Revoke.cash or the built-in approval managers in wallets like MetaMask. Revoking a stale approval costs a small gas fee but removes the risk entirely.
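To make the "specific limit rather than unlimited" check concrete, here is an added example (not from the original guide) that decodes the data of a standard ERC-20 `approve(spender, amount)` call before it is signed and flags risky requests. The spender address, amounts and the researched-contract list are constructed sample values.

```python
APPROVE_SELECTOR = "095ea7b3"   # selector of ERC-20 approve(address,uint256)
UNLIMITED = 2 ** 256 - 1        # the "unlimited" allowance value

def sample_calldata(spender, amount):
    """Build constructed sample calldata for the example and its checks."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") \
        + format(amount, "064x")

def decode_approve(calldata_hex):
    """Return {'spender', 'amount'} for an approve call, else None."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        return None
    spender_word, amount_word = data[8:72], data[72:136]
    if set(spender_word[:24]) != {"0"}:
        raise ValueError("malformed address word")
    return {"spender": "0x" + spender_word[24:], "amount": int(amount_word, 16)}

def review_approval(calldata_hex, intended_units, researched_spenders):
    """List the reasons to stop before signing (amounts in token base units)."""
    call = decode_approve(calldata_hex)
    if call is None:
        return ["not an ERC-20 approve call; review separately"]
    findings = []
    if call["spender"] not in {s.lower() for s in researched_spenders}:
        findings.append("spender is not a contract you have researched")
    if call["amount"] == UNLIMITED:
        findings.append("unlimited allowance requested")
    elif call["amount"] > intended_units:
        findings.append("allowance exceeds the amount you intend to spend")
    elif call["amount"] == 0:
        findings.append("amount 0: this call revokes the allowance")
    return findings

if __name__ == "__main__":
    spender = "0x" + "11" * 20          # constructed placeholder address
    print(review_approval(sample_calldata(spender, UNLIMITED), 100, [spender]))
```

An allowance of 0 for the same spender is what a revocation looks like on-chain, so the same decoder also confirms that a revoke transaction does what it claims.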

Address-Poisoning Attacks

Address poisoning is a subtle attack that many beginners never expect. An attacker sends you a tiny transaction from a wallet address that looks nearly identical to one you have used before — same first four and last four characters. The goal is for you to copy that fake address from your transaction history the next time you send funds.

Defence: Always copy-paste addresses from the source (a QR code scan, the official platform interface, or a fresh typed entry). Before confirming any transaction, verify the full address character by character, not just the first and last few digits.
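The check described above can be run over a transaction history. This added example (not from the original guide) flags addresses that share the first and last four characters with a saved address but differ in between; it assumes hex-style `0x` addresses, and all addresses shown are constructed.

```python
def normalise(addr):
    """Lower-case a hex address and drop the 0x prefix (hex addresses only)."""
    a = addr.lower()
    return a[2:] if a.startswith("0x") else a

def find_poisoned(history, address_book, edge=4):
    """Return (seen_address, imitated_label, differing_chars) for look-alikes."""
    saved = {normalise(a): label for label, a in address_book.items()}
    flagged = []
    for seen in history:
        s = normalise(seen)
        if s in saved:
            continue                      # exact match with a saved address
        for good, label in saved.items():
            if s[:edge] == good[:edge] and s[-edge:] == good[-edge:]:
                diff = sum(x != y for x, y in zip(s, good)) \
                    + abs(len(s) - len(good))
                flagged.append((seen, label, diff))
    return flagged

def safe_to_send(dest, address_book):
    """Full-string comparison: the destination must equal a saved address."""
    return normalise(dest) in {normalise(a) for a in address_book.values()}

# Constructed sample data: one saved address, one look-alike, one unrelated.
GOOD = "0x1a2b" + "c3" * 16 + "9f8e"
FAKE = "0x1a2b" + "7d" * 16 + "9f8e"
OTHER = "0x" + "ab" * 20
BOOK = {"exchange deposit": GOOD}

if __name__ == "__main__":
    for seen, label, diff in find_poisoned([GOOD, FAKE, OTHER], BOOK):
        print(seen, "imitates", label, "but differs in", diff, "characters")
    print("safe to send to look-alike:", safe_to_send(FAKE, BOOK))
```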

Pig-Butchering and Romance / Fake-Investment Scams

One of the fastest-growing and most financially devastating scams in crypto works like this: a stranger contacts you on a dating app, social media, or even a random text. Over days or weeks they build a friendly or romantic relationship. Eventually they mention a "private investment opportunity" or a platform where they have made significant profits.

They encourage you to deposit funds — and at first, the fake platform shows growing balances. When you try to withdraw, you are asked to pay fees or taxes. After you pay those, more fees appear. The entire platform is fraudulent. Victims have lost life savings.

The rule: Any investment opportunity that arrives through an unsolicited relationship, promises unusually high or guaranteed returns, or asks you to deposit into a platform you had never heard of before this conversation is almost certainly a scam.

Security Checklist

| Action | Why it matters | Priority |
|---|---|---|
| Write seed phrase on paper, store offline | Digital copies can be hacked or deleted | Critical |
| Use a hardware wallet for large holdings | Key never exposed to internet | Critical |
| Switch exchange 2FA from SMS to authenticator app | SIM-swap attacks bypass SMS codes | High |
| Bookmark official exchange and wallet URLs | Prevents phishing via fake sites | High |
| Never share seed phrase or private key | Anyone who has it controls your funds | Critical |
| Revoke unused token approvals | Removes dormant DeFi attack surface | Medium |
| Buy hardware wallets from manufacturer only | Pre-tampered devices exist on marketplaces | High |
| Verify full wallet addresses before sending | Defeats address-poisoning attacks | High |
| Ignore unsolicited investment opportunities | Pig-butchering scams are widespread | High |
| Keep wallet software and device OS updated | Patches known security vulnerabilities | Medium |

Common Mistakes and How to Avoid Them

Our deeper look at common crypto mistakes beginners make covers a broader set of errors, but the security-specific ones that cost people the most money are:

  • Storing the seed phrase digitally — a single data breach or sync to the cloud exposes it.
  • Using the same password across accounts — one breached site compromises all your accounts.
  • Rushing transactions — irreversibility means a moment of haste can be permanently costly. Pause, verify the address and amount, then confirm.
  • Trusting "too good to be true" yields — any platform promising 50 percent monthly returns is almost certainly fraudulent.

Once you are comfortable with security basics, you can learn how to send and receive crypto safely with the habits described above already in place.

Building Long-Term Security Habits

Security in crypto is not a one-time setup — it is an ongoing practice. A few habits that compound over time:

  • Separate wallets for separate purposes. Keep a cold-storage wallet for long-term holdings and a separate hot wallet for active use. If the hot wallet is compromised, losses are limited.
  • Treat DeFi interactions as higher risk. Every new contract you interact with is a potential attack surface.
  • Be sceptical by default. The crypto space attracts sophisticated scammers precisely because losses are irreversible and regulatory enforcement is difficult.
  • Stay informed. Follow reputable security researchers and official platform announcements to learn about new attack types as they emerge.

The market overview at market cap rankings can help you keep perspective on what you hold — but no amount of market insight protects you if your wallet is compromised first.


This is educational information, not financial advice.

Frequently asked questions

What is the safest way to store crypto for the long term?

The safest long-term storage is a hardware wallet purchased directly from the manufacturer, with the seed phrase written on paper and kept offline in a secure location. This keeps the private key completely disconnected from the internet, eliminating remote hacking as an attack vector. Never store the seed phrase digitally or share it with anyone.

Can I recover my crypto if I get scammed or hacked?

In almost all cases, no. Crypto transactions are irreversible by design — once funds leave your wallet, they cannot be recalled by any third party. Some centralised exchanges have insurance or recovery funds for platform-level hacks, but if a scammer tricks you into sending funds or handing over your seed phrase, those funds are gone permanently.

Why is SMS two-factor authentication dangerous for crypto accounts?

SMS codes can be intercepted through SIM-swapping, where an attacker convinces your mobile carrier to transfer your phone number to a SIM card they control. Once they have your number, they receive your text messages, including 2FA codes. App-based authenticators like Google Authenticator generate codes locally on your device without any network request, making them immune to SIM-swapping.

What are token approvals and why should I revoke them?

When you use a DeFi app, you often grant it permission to move specific tokens from your wallet. If you grant unlimited approval, a malicious or later-compromised contract can drain those tokens at any time. Revoking approvals for contracts you no longer use removes that risk. Tools like Revoke.cash let you see and cancel approvals for a small gas fee.

How can I tell if a crypto website or app is fake?

Check the full URL character by character — phishing sites often use look-alike domains or extra subdomains. Navigate only from bookmarks you set yourself or from links on the project's verified official documentation. Never install wallet browser extensions by searching the extension store; instead, go to the wallet's official website first and follow their specific installation link.

CryptoMarketDashboard Editorial Team

Our editorial team covers cryptocurrency market data, on-chain metrics and beginner education. Every guide is fact-checked against live market data from CoinMarketCap and Binance and reviewed for accuracy. Content is educational only and not financial advice.
