How to spot a phishing attack and protect your crypto

Scams that target your data and crypto have become more common and sophisticated – here’s what to watch out for

At Trust Wallet, we take a proactive approach to security that keeps your assets safe – but security often goes beyond the Trust Wallet app itself. In fact, security threats come in many forms including phishing attacks.

So in this security article, we’ll go through what phishing attacks are, how scammers use them to steal information and crypto, and how to protect yourself.

Before we start: Get proactive security alerts from Trust Wallet

Educating our community is one of the best ways to combat online scammers and hackers. So we’ll consistently provide content like this security article to help keep you one step ahead of malicious actors.

Additionally, you can get proactive security alerts inside of Trust Wallet – like the one below that alerts you to risky transactions.

These security alerts are designed to help you keep your digital assets safe, so install the most updated version of Trust Wallet to ensure you receive them. Get the latest version of Trust Wallet here: Download Trust Wallet App Now | Trust Wallet.

What is a phishing attack?

A phishing attack is when online hackers and scammers try to steal your personal information by pretending to be a trusted person or entity. These malicious actors use fake emails, websites, social media posts and much more to convince you they are real – and their goal is to gain unauthorized access to your personal information and crypto.

Phishing attacks come in many forms including:

Let’s have a look at these phishing attack examples, including how to spot a fake, and how to protect your information and your crypto.

Fraudulent emails

Phishing emails are one of the most common ways scammers try to steal your information and crypto. They can be difficult to detect as they often look really authentic, but we’ll outline some simple ways to spot them using the example below.

Note: When in doubt, DO NOT click on any links, and reach out to our support team using this form if you suspect you’ve received a phishing email.

What to look out for:

  • Always check the email address carefully. For example, you’ll see this particular example is from [email protected], which is not a real Trust Wallet email address. We use emails ending with trustwallet.com.

  • Trust Wallet support will never ask you to “verify” your wallet in any way. We will never email you or message you to ask for your 12-word secret phrase.

  • Trust Wallet is a self-custody wallet, so we don’t have the ability to “suspend” your wallet – you are always in full control of your digital assets.

  • Obvious mistakes, grammar errors or contradictory statements. This can be a bit difficult to detect, but we would not refer to people that use Trust Wallet as “customers”.

How to stay safe:

  • DO NOT click on any links as they may install malware that will allow a hacker to remotely control your device and steal your information and crypto.

  • Do not follow the instructions of these fake emails. Even if the email says you have a time limit and you feel pressured, it’s best to take your time and check with Trust Wallet support first in order to protect your information and crypto.

  • Report the email as phishing/spam in your email platform and to Trust Wallet support.

Fake websites

Phishing websites can be difficult to detect because they often look authentic and might include the Trust Wallet logo.

That’s why it’s important to take note of the URL. For example, you might see a website like the one in the example below, which does not use Trust Wallet’s real URL. Trust Wallet’s real URL is www.trustwallet.com.

As with other forms of phishing, it’s important to never enter your 12-word secret phrase and to avoid clicking any links or filling out any forms.

What to look out for:

  • Always check the URL carefully – In the above example, you’ll see the fake website has a suspicious URL, which is not from the official Trust Wallet website.

  • Any legitimate website, including trustwallet.com, will never ask you for your 12-word secret phrase.

How to stay safe:

  • Bookmark legitimate URLs such as https://trustwallet.com in your web browser. Bookmarking helps avoid typos and ensures you’re always going to the correct website.

  • DO NOT fill out any forms or enter your 12-word secret phrase.

  • DO NOT click on any links as they may install malware that will allow a hacker to remotely control your device and steal your information.
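The sender-address and URL checks described in the two sections above can be automated. The following is an added example, not Trust Wallet code: it compares the real host of a link or a From address against the official domain on a label boundary, so names that merely contain "trustwallet.com" fail. The function names, the sample values and the https requirement are assumptions of this example.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "trustwallet.com"  # official domain as stated in the article


def host_is_official(host, official=OFFICIAL_DOMAIN):
    """True only for the official domain itself or a subdomain of it."""
    host = host.strip().rstrip(".").lower()
    if not host or not host.isascii():
        return False  # reject empty hosts and non-ASCII look-alike characters
    # Compare on a label boundary: constructed names such as
    # "eviltrustwallet.com" or "trustwallet.com.evil.example" must fail.
    return host == official or host.endswith("." + official)


def url_is_official(url):
    """Check the host the browser would actually connect to."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # excludes any "user@" part and the port
    except ValueError:
        return False
    # Requiring https is an assumption of this example.
    return parts.scheme == "https" and host is not None and host_is_official(host)


def sender_is_official(from_header):
    """Check the domain of the address in a From header, not the display name."""
    _display_name, address = parseaddr(from_header)
    if address.count("@") != 1:
        return False
    return host_is_official(address.rsplit("@", 1)[1])


# Constructed samples for illustration only.
SAMPLES = [
    "https://www.trustwallet.com/",
    "https://trustwallet.com.wallet-verify.example/login",
    "https://trustwallet.com@wallet-verify.example/",
    "https://trust-wallet.example/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url_is_official(url)!s:5}  {url}")
```

A matching From domain is only a first filter, because that header can be forged; the other warning signs listed above still apply.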

Address poisoning scams

Address poisoning is a type of scam that misleads people into sending crypto to the wrong address. This scam is difficult to spot unless you know exactly what to look for and how to avoid it.

Here’s how address poisoning works:

  1. The scammer creates a wallet address that looks very similar to one of your wallet addresses or an address you’ve recently interacted with. For instance, if a friend sends you crypto, they create an address that looks like your friend’s address. Or if you’ve sent yourself crypto from an exchange, they’ll create an address similar to that one.

  2. The scammer sends a small amount of crypto to your wallet from the similar-looking address they created. Sometimes they even send a zero (“0”) amount of crypto.

  3. From here, the scammer hopes the next time you send crypto, you’ll get lazy and copy their scam address from your transaction history, and mistakenly send them your crypto.

Address poisoning is difficult to spot because crypto applications typically shorten crypto addresses in transaction summaries. In the image above you see that the addresses are shortened in Trust Wallet transaction histories as well.

This makes sense because crypto addresses can be very long, so it’s convenient to look at the prefix (the first few characters of the address) and suffix (the last few characters of the address).

In the above image example, the deposit of 0.001 ETH and the withdrawal of 0.002 ETH look like they are from and to the same address. But the deposit could be from a scam address. Why is that possible? Because from the transaction summary page, you cannot see the full address. You would only know the full address for certain if you clicked into the details.

Scammers have realized that many people don’t check the full address of their transactions – and they hope that you don’t click to see the full details of addresses you interact with before sending crypto.

What to look out for:

  • Look out for unexpected small deposits to your wallet. It can be any coin or token such as TRX, USDT, ETH or any other asset such as an NFT.

How to stay safe:

  • Never copy address details from your transaction history when you want to send or receive crypto. Always get your deposit details using the official procedure.

  • Use the Trust Wallet address book feature to save addresses that you know and trust. This way, you won’t have to repeatedly copy and paste addresses as they’ll be securely saved in your wallet.

  • If you are not using a trusted address that’s already saved to your wallet’s address book, always ensure you verify every character of the address, one by one.

  • Also, understand that if you’ve been targeted by an address poisoning transaction, your wallet is still safe. Just don’t send any crypto out to the scam address.

  • If you receive an unexpected NFT, do not try and send, trade, or interact with it in any way. Use the Trust Wallet hide & report NFTs feature to ensure these NFTs are hidden from your wallet.
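The prefix/suffix problem described above can be checked mechanically. The following is an added example, not Trust Wallet code: it flags any address in a transaction history whose shortened form matches an address-book entry while the full address differs. The addresses are constructed Ethereum-style values, and the 6-character prefix and 4-character suffix are assumed display lengths.

```python
PREFIX_LEN, SUFFIX_LEN = 6, 4  # assumed characters shown in a shortened address


def shorten(address):
    """Shortened form, as a transaction summary might display it."""
    return f"{address[:PREFIX_LEN]}...{address[-SUFFIX_LEN:]}"


def classify(candidate, address_book):
    """Return (verdict, matched_address) for a candidate address.

    "trusted"   = every character matches an address-book entry
    "lookalike" = only the shortened form matches (address poisoning pattern)
    "unknown"   = no relation to the address book
    """
    cand = candidate.strip().lower()  # hex addresses are case-insensitive
    book = [a.strip().lower() for a in address_book]
    if cand in book:
        return "trusted", cand
    for trusted in book:
        if shorten(cand) == shorten(trusted):
            return "lookalike", trusted
    return "unknown", None


def flag_poisoning(history, address_book):
    """Return history entries whose counterparty imitates a trusted address."""
    return [
        dict(entry, imitates=match)
        for entry in history
        for verdict, match in [classify(entry["counterparty"], address_book)]
        if verdict == "lookalike"
    ]


# Constructed Ethereum-style addresses (0x + 40 hex characters), not real ones.
FRIEND = "0xa1b2" + "3c4d5e6f" * 4 + "9f3e"
POISON = "0xa1b2" + "0f1e2d3c" * 4 + "9f3e"  # same prefix and suffix as FRIEND
HISTORY = [
    {"direction": "in", "amount": "0.001 ETH", "counterparty": POISON},
    {"direction": "out", "amount": "0.002 ETH", "counterparty": FRIEND},
]

if __name__ == "__main__":
    for hit in flag_poisoning(HISTORY, [FRIEND]):
        print("lookalike deposit:", hit["counterparty"], "imitates", hit["imitates"])
```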

Fake wallet apps

Fake wallet apps that appear like the real Trust Wallet can trick you into giving up your secret phrase. You might come across a fake Trust Wallet app through a malicious website or an app store.

To avoid downloading fake Trust Wallet apps, always start from the official download page for Trust Wallet: Download Trust Wallet App Now | Trust Wallet. The official page will direct you to the correct app store.

What to look out for:

  • Malicious apps that state your wallet is or will be suspended.

  • Common misspellings and mistakes in our name.

  • You may see a very low number of reviews on an app.

  • Malicious websites are typically designed to look like wallet apps. Again, look for any suspicious URLs and never enter your secret phrase into any website.

How to stay safe:

  • Get Trust Wallet applications via the official Trust Wallet website: https://trustwallet.com

  • Bookmark the Trust Wallet website URL in all web browsers you use.

  • Never fill out any forms or enter your 12-word secret phrase.

  • Do not click on any links as they may install malware that will allow a hacker to remotely control your device and steal your information.

Unexpected SMS text messages

Trust Wallet is a decentralized self-custody wallet, and the wallet does not use any form of SMS 2FA or confirmation methods.

So any SMS text message you receive in regards to Trust Wallet is fake and is trying to gain unauthorized access to your crypto. Trust Wallet will never send you an SMS text message.

What to look out for:

  • Any SMS text claiming to be from Trust Wallet is not real. Do not respond to these text messages or follow any of their instructions.

How to stay safe:

  • Do not click any links or take action if you receive SMS text messages from anyone claiming to be from Trust Wallet.

  • Use your phone’s block/spam feature to report these messages.

Social media posts and chat groups

It’s common for online scammers to use social media accounts on Twitter, Telegram and others to mislead people into giving up sensitive information – including wallet secret phrases. Always note, Trust Wallet will never message you on social apps (or anywhere else) to ask for your 12-word secret phrase.

What to look out for:

  • Watch out for anyone that sends you a message asking for your secret phrase. Never send your 12-word secret phrase to anyone.

  • Beware of giveaway scams or schemes that ask you to send a bit of crypto in return for more crypto. If it sounds too good to be true, it probably is.

How to stay safe:

  • Do not respond to any messages or instructions, and never send your 12-word secret phrase to anyone on social media or anywhere else.

  • Do not click on any links because they may install malware on your device.

Not sure if something is a phishing attack or not?

Phishing attacks are evolving to become more sophisticated, so if you’re ever unsure if you’re being targeted, reach out to our support team. Also, be sure to follow us on Twitter @Trust Wallet where we’ll keep you updated on security threats and share security tips.
