How to Spot a Phishing Attack & Protect Your Crypto

Scams that target your data and crypto have become more common and sophisticated – here’s what to watch out for

At Trust Wallet, we take a proactive approach to security that keeps your assets safe – but security often goes beyond the Trust Wallet app itself. In fact, security threats come in many forms including phishing attacks.

So in this security article, we’ll go through what phishing attacks are, how scammers use them to steal information and crypto, and how to protect yourself.

Before we start: Get proactive security alerts from Trust Wallet

Educating our community is one of the best ways to combat online scammers and hackers. So we’ll consistently provide content like this security article to help keep you one step ahead of malicious actors.

Additionally, you can get proactive security alerts inside of Trust Wallet – like the one below that alerts you of risky transactions.

These security alerts are designed to help you keep your digital assets safe, so install the most updated version of Trust Wallet to ensure you receive them. Get the latest version of Trust Wallet here.

What is a phishing attack?

A phishing attack is when online hackers and scammers try to steal your personal information by pretending to be a trusted person or entity. These malicious actors use fake emails, websites, social media posts and much more to convince you they are real – and their goal is to gain unauthorized access to your personal information and crypto.

Phishing attacks come in many forms including:

  • Airdrop Scams
  • Fraudulent emails
  • Fake Websites
  • Watch wallet scams (watch-only spending scams)
  • Address poisoning scams
  • Fake wallet apps
  • Unexpected SMS text messages
  • Social media posts and chat groups

Let’s have a look at these phishing attack examples, including how to spot a fake, and how to protect your information and your crypto.

Airdrop Scams

Airdrop scams are a popular method used by scammers to trick unsuspecting people into giving away their personal information and crypto. Airdrops are typically events where a project distributes free tokens or coins to the crypto community as a way of promoting their project or increasing their user base. Scammers exploit this concept by creating fake airdrops that ask users to provide their private information or deposit tokens in order to receive the “free” airdrop.

The image below is an example of a person who could be a victim of an airdrop scam. Remember to NEVER share your secret phrase (seed phrase) with anyone for any reason, even if they are promising you a big airdrop or anything else, because you could become a victim of this common scam.

What to look out for:

  • Be wary of airdrops that require you to provide sensitive information like your private keys, secret phrase, or ask you to authorize access to your wallet.

  • Unrealistic rewards or promises of high returns in a short period of time. If it sounds too good to be true, it probably is.

  • Check the official sources of the project hosting the airdrop. Verify the legitimacy of the airdrop by visiting their website and social media channels.

  • Unsolicited messages or emails promoting airdrops. Scammers often use fake social media accounts or emails to lure users into their traps.

How to stay safe:

  • Never share your private keys, 12-word secret phrase, or grant access to your wallet to anyone or any website. Remember, Trust Wallet will never ask for this information.

  • Research the project before participating in any airdrop. Verify its legitimacy by checking the official website, social media channels, and community forums.

  • Be cautious of airdrops that require you to send tokens or deposit funds to receive rewards. Genuine airdrops will not ask you to send funds in order to participate.

  • If you are uncertain about the legitimacy of an airdrop, reach out to Trust Wallet support or seek advice from the crypto community.

By being vigilant and understanding how to spot these phishing attacks, you can protect your valuable information and crypto assets. Stay informed, stay secure, and always trust your instincts when it comes to your digital assets.

Fraudulent emails

Phishing emails are one of the most common ways scammers try to steal your information and crypto. They can be difficult to detect as they often look really authentic, but we’ll outline some simple ways to spot them using the example below.

Note: When in doubt, DO NOT click on any links, and reach out to our support team using this form if you suspect you’ve received a phishing email.

What to look out for:

  • Always check the email address carefully. For example, you’ll see this particular example is from [email protected], which is not a real Trust Wallet email address. We use emails ending with

  • Trust Wallet support will never ask you to “verify” your wallet in any way. We will never email you or message you to ask for your 12-word secret phrase.

  • Trust Wallet is a self-custody wallet, so we don’t have the ability to “suspend” your wallet – you are always in full control of your digital assets.

  • Obvious mistakes, grammar errors or contradictory statements. This can be a bit difficult to detect, but we would not refer to people that use Trust Wallet as “customers”.

How to stay safe:

  • DO NOT click on any links as they may install malware that will allow a hacker to remotely control your device and steal your information and crypto.

  • Do not follow the instructions of these fake emails. Even if the email says you have a time limit and you feel pressured, it’s best to take your time and check with Trust Wallet support first in order to protect your information and crypto.

  • Report the email as phishing/spam in your email platform and to Trust Wallet support.

Fake websites

Phishing websites can be difficult to detect because they often look authentic and might include the Trust Wallet logo.

That’s why it’s important to take note of the URL. For example, you might see a website like in the below example, which is not Trust Wallet’s real URL. Trust Wallet’s real URL is

As with other forms of phishing, it’s important to never enter your 12-word secret phrase and to avoid clicking any links or filling out any forms.

What to look out for:

  • Always check the URL carefully – In the above example, you’ll see the fake website has a suspicious URL, which is not from the official Trust Wallet website.

  • Any legitimate website, including will never ask you for your 12-word secret phrase.

How to stay safe:

  • Bookmark legitimate URLs such as in your web browser. Bookmarking helps avoid typos and ensures you’re always going to the correct website.

  • DO NOT fill out any forms or enter your 12-word secret phrase.

  • DO NOT click on any links as they may install malware that will allow a hacker to remotely control your device and steal your information.

Watch wallet scams (watch-only spending scams)

Watch-only spending scams are phishing attacks that exploit users’ misunderstanding of watch-only wallet addresses. Scammers deceive users into believing that they can access or spend the funds shown in a watch-only address without a private key, which is not the case.

What to watch out for:

  • Scammers offering Blockchain wallets for sale on social media groups and pages, claiming they hold a high balance. They use screenshots of the wallet dashboard displaying the balance as proof, but the balance is associated with an imported watch-only address.

  • Scammers claiming that a wallet has been specially configured for mining or investment purposes, and that the user must deposit funds into a wallet provided by the scammer to activate the mining process. The scammer sends funds to an imported watch-only address, creating the illusion that the deposited funds are multiplying, but these funds cannot be spent without the private key.

How to stay safe:

  • Never purchase wallets from unknown or unverified sources, as the private keys might be compromised or non-existent.

  • Be cautious of claims that a wallet is configured for mining or investment purposes, and avoid depositing funds into wallets provided by strangers.

  • Understand that wallet balances shown in watch-only addresses cannot be spent without the private key, and be skeptical of anyone suggesting otherwise.

  • If you’re unsure about the legitimacy of a wallet, app, or service, seek advice from the crypto community or reach out to support teams like Trust Wallet for guidance.

By being vigilant and understanding the limitations of watch-only wallet addresses, you can protect yourself from falling victim to watch-only spending scams and safeguard your crypto assets.

Address poisoning scams

Address poisoning is a type of scam that misleads people into sending crypto to the wrong address. This scam is difficult to spot unless you know exactly what to look for and how to avoid it.

Here’s how address poisoning works:

  1. The scammer creates a wallet address that looks very similar to one of your wallet addresses or an address you’ve recently interacted with. For instance, if a friend sends you crypto, they create an address that looks like your friend’s address. Or if you’ve sent yourself crypto from an exchange, they’ll create an address similar to that one.

  2. The scammer sends a small amount of crypto to your wallet from the similar-looking address they created. Sometimes they even send a zero (“0”) amount of crypto.

  3. From here, the scammer hopes the next time you send crypto, you’ll get lazy and copy their scam address from your transaction history, and mistakenly send them your crypto.

Address poisoning is difficult to spot because crypto applications typically shorten crypto addresses in transaction summaries. In the image above you see that the addresses are shortened in Trust Wallet transaction histories as well.

This makes sense because crypto addresses can be very long, so it’s convenient to look at the prefix (the first few characters of the address) and suffix (the last few characters of the address).

In the above image example, the deposit of 0.001 ETH and the withdrawal of 0.002 ETH look like they are from and to the same address. But the deposit could be from a scam address. Why is that possible? Because from the transaction summary page, you cannot see the full address. You would only know the full address for certain if you clicked into the details.

Scammers have realized that many people don’t check the full address of their transactions – and they hope that you don’t click to see the full details of addresses you interact with before sending crypto.

What to look out for:

  • Look out for unexpected small deposits to your wallet. It can be any coin or token such as TRX, USDT, ETH or any other asset such as an NFT.

How to stay safe:

  • Never copy address details from your transaction history when you want to send or receive crypto. Always get your deposit details using the official procedure.

  • Use the Trust Wallet address book feature to save addresses that you know and trust. This way, you won’t have to repeatedly copy and paste addresses as they’ll be securely saved in your wallet.

  • If you are not using a trusted address that’s already saved to your wallet’s address book, always ensure you verify every character of the address, one by one.

  • Also, understand that if you’ve been targeted by an address poisoning transaction, your wallet is still safe. Just don’t send any crypto out to the scam address.

  • If you receive an unexpected NFT, do not try and send, trade, or interact with it in any way. Use the Trust Wallet hide & report NFTs feature to ensure these NFTs are hidden from your wallet.
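
The shortened-address problem and the address book check described above can be shown in a few lines of Python. This is an added example, not Trust Wallet code: it assumes Ethereum-style hex addresses (which compare case-insensitively), and the function names and sample addresses are constructed for illustration.

```python
# Added example (not Trust Wallet code). Assumes Ethereum-style hex addresses,
# which compare case-insensitively. All addresses below are constructed samples.

def shorten(addr, head=6, tail=4):
    """Truncate an address the way a transaction summary typically shows it."""
    return f"{addr[:head]}...{addr[-tail:]}"

def check_recipient(candidate, address_book, head=6, tail=4):
    """Classify an address as 'trusted', 'lookalike' or 'unknown'.

    address_book maps a label to a full address the user has verified.
    """
    cand = candidate.lower()
    for label, trusted in address_book.items():
        if cand == trusted.lower():
            return {"verdict": "trusted", "label": label, "diff": 0}
    for label, trusted in address_book.items():
        t = trusted.lower()
        # Same visible prefix and suffix but a different full address:
        # the shortened view cannot tell these two apart.
        if shorten(cand, head, tail) == shorten(t, head, tail):
            diff = sum(a != b for a, b in zip(cand, t)) + abs(len(cand) - len(t))
            return {"verdict": "lookalike", "label": label, "diff": diff}
    return {"verdict": "unknown", "label": None, "diff": None}

def flag_poisoning(history, address_book):
    """Return incoming transfers whose sender imitates a saved address."""
    return [tx for tx in history
            if tx["direction"] == "in"
            and check_recipient(tx["counterparty"], address_book)["verdict"] == "lookalike"]

FRIEND = "0x1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b9f3e"  # constructed
POISON = "0x1a2b77e0c4419d5530aa86f2b1c0de4453e19f3e"  # constructed lookalike
BOOK = {"friend": FRIEND}
HISTORY = [  # constructed transaction history
    {"direction": "out", "counterparty": FRIEND, "amount": "0.002"},
    {"direction": "in", "counterparty": POISON, "amount": "0"},
    {"direction": "in", "counterparty": "0x" + "9" * 40, "amount": "1.5"},
]

if __name__ == "__main__":
    print(shorten(FRIEND), shorten(POISON))   # identical in the summary view
    print(check_recipient(POISON, BOOK))      # flagged as a lookalike
    print(flag_poisoning(HISTORY, BOOK))      # the zero-value deposit
```

Both sample addresses shorten to the same string, which is why the summary view alone cannot be trusted; only the full-length comparison against a saved address separates them.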

Fake wallet apps

Fake wallet apps that appear like the real Trust Wallet can trick you into giving up your secret phrase. You might come across a fake Trust Wallet app through a malicious website or an app store.

To avoid downloading fake Trust Wallet apps, always start from the official download page for Trust Wallet. The official page will direct you to the correct app store.

What to look out for:

  • Malicious apps that state your wallet is or will be suspended.

  • Common misspellings and mistakes in our name.

  • You may see a very low number of reviews on an app.

  • Malicious websites are typically designed to look like wallet apps. Again, look for any suspicious URLs and never enter your secret phrase into any website.

How to stay safe:

  • Get Trust Wallet applications via the official Trust Wallet website.

  • Bookmark the Trust Wallet website URL in all web browsers you use.

  • Never fill out any forms or enter your 12-word secret phrase.

  • Do not click on any links as they may install malware that will allow a hacker to remotely control your device and steal your information.

Unexpected SMS text messages

Trust Wallet is a decentralized self-custody wallet, and the wallet does not use any form of SMS 2FA or confirmation methods.

So any SMS text message you receive regarding Trust Wallet is fake and is trying to gain unauthorized access to your crypto. Trust Wallet will never send you an SMS text message.

What to look out for:

  • Any SMS text claiming to be from Trust Wallet is not real. Do not respond to these text messages or follow any of their instructions.

How to stay safe:

  • Do not click any links or take action if you receive SMS text messages from anyone claiming to be from Trust Wallet.

  • Use your phone’s block/spam feature to report these messages.

Social media posts and chat groups

It’s common for online scammers to use social media accounts on Twitter, Telegram and others to mislead people into giving up sensitive information – including wallet secret phrases. Always note, Trust Wallet will never message you on social apps (or anywhere else) to ask for your 12-word secret phrase.

What to look out for:

  • Watch out for anyone that sends you a message asking for your secret phrase. Never send your 12-word secret phrase to anyone.

  • Beware of giveaway scams or schemes that ask you to send a bit of crypto in return for more crypto. If it sounds too good to be true, it probably is.

How to stay safe:

  • Do not respond to any messages or instructions, and never send your 12-word secret phrase to anyone on social media or anywhere else.

  • Do not click on any links because they may install malware on your device.

Not sure if something is a phishing attack or not?

Phishing attacks are evolving to become more sophisticated, so if you’re ever unsure if you’re being targeted, reach out to our support team. Also, be sure to follow us on Twitter @Trust Wallet where we’ll keep you updated on security threats and share security tips.
