How to protect your wallet from phishing and drainers
Web3 phishing protection isn't one setting — it's a short set of habits. This is the full checklist, in the order that actually matters, with links to the deep-dive guide for each step.
Security Guides · 7 min · Updated Jul 2026
Almost every crypto loss comes down to one of two things: you gave up your seed phrase, or you signed something you shouldn't have. Neither requires anyone to "hack" you — both rely on tricking you. The good news is that defending against them is mechanical. Work through the layers below from top to bottom; the earlier ones matter most.
1. Install the real wallet in the first place
A counterfeit wallet captures your seed phrase the moment you type it, so protection starts before you install anything. Download only from the official site or store listing — never from a search ad, an email link, or a "mirror."
- Confirm the listing is genuine. Compare the store listing's publisher name and the browser extension ID with the values the project publishes on its own site before adding it. Ratings and install counts are not proof; counterfeit listings have had both.
- Verify the file. Compute the download's SHA-256 and compare it with the hash the developer publishes; the free in-browser WalletGuard verifier does this locally, and nothing is uploaded. Take the published hash from the project's own site or release page, never from the page you downloaded from: a mirror that serves a tampered file can just as easily publish a matching hash for it.
- Start from a trusted source. Our directory of verified wallet downloads links straight to official releases. See the worked example: download MetaMask safely.
More on the ways fake downloads reach people: spotting a fake MetaMask extension and why search-ad downloads are dangerous.
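The same check as a script, for readers who would rather verify on their own machine than in a browser. This is an added example, not WalletGuard's verifier or any wallet project's code. The file bytes and the name wallet-extension.zip are constructed; the published hash is the standard SHA-256 test vector for the bytes "abc", so the script runs offline with no download.

```python
"""Verify a downloaded wallet installer against a published SHA-256 hash.

Added example for this guide, not WalletGuard's verifier or any wallet
project's code. Assumes two things you already have: the downloaded file and
the hash string copied from the project's own site or release page.
"""
import hashlib
import hmac
import os
import re
import tempfile

# Exactly 64 hex characters, bounded so a SHA-512 or a longer string can't match.
HEX64 = re.compile(r"\b([0-9a-fA-F]{64})\b")


def parse_published_hash(text: str) -> str:
    """Pull the one SHA-256 out of whatever format the publisher posted.

    Accepts a bare hash, 'sha256: <hash>', or a sha256sum-style line such as
    '<hash>  wallet-extension.zip'. Zero or several hashes is an error, so a
    multi-file manifest is never silently matched against the wrong line.
    """
    found = HEX64.findall(text)
    if len(found) != 1:
        raise ValueError(f"expected exactly one SHA-256, found {len(found)}")
    return found[0].lower()


def sha256_of_file(path: str) -> str:
    """Hash in 1 MiB chunks so a large installer need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1024 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path: str, published: str) -> bool:
    """True only when the file's SHA-256 equals the published value.

    compare_digest checks all 64 characters; eyeballing the first and last few
    is exactly the shortcut a tampered build is designed to survive.
    """
    expected = parse_published_hash(published)
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual, expected)


def demo() -> dict:
    """Constructed inputs: a 'download' whose bytes are b'abc' and a tampered copy."""
    # SHA-256 of b"abc" is a well-known test vector; the filename is made up.
    published = (
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
        "  wallet-extension.zip"
    )
    with tempfile.TemporaryDirectory() as tmp:
        genuine = os.path.join(tmp, "wallet-extension.zip")
        tampered = os.path.join(tmp, "wallet-extension-from-mirror.zip")
        with open(genuine, "wb") as fh:
            fh.write(b"abc")
        with open(tampered, "wb") as fh:
            fh.write(b"abd")  # one byte changed, as a repacked installer would be
        return {
            "genuine": verify_download(genuine, published),
            "tampered": verify_download(tampered, published),
        }


if __name__ == "__main__":
    print(demo())  # {'genuine': True, 'tampered': False}
```

Point verify_download at the real file and paste the hash line from the official release page; a mismatch means the file is not what the developer shipped, whatever the download page claimed.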
2. Guard your seed phrase — the one unbreakable rule
Your recovery phrase restores full control of your wallet on any device. It can't be reset and isn't rate-limited: one disclosure is total, irreversible loss.
Never enter your seed phrase anywhere except your own wallet's recovery screen, when you deliberately restore it. No legitimate site, app, support agent, or "wallet migration" page ever needs it. A request for your seed phrase is, by itself, proof of a scam. Store it offline on paper or steel — never a screenshot, cloud note, or password manager. Full breakdown: seed phrase phishing and how to avoid it.
3. Read what you sign — this is how drainers work
Modern DeFi security is less about stolen keys and more about malicious signatures. A wallet drainer doesn't need your seed phrase. It needs one signature from you: a transaction that approves its contract to move your tokens later, a transaction that transfers an asset outright, or an off-chain message (a token permit or a marketplace listing) that authorises the same thing without you sending a transaction at all.
- Slow down on any request to "connect," "approve," or "sign." Read the plain-language summary your wallet shows.
- Be suspicious of unlimited token approvals and of signature requests you didn't initiate. An unlimited approval lets the spender move every token of that kind you hold now or acquire later, not just the amount this trade needs.
- Prefer wallets that simulate a transaction and warn on risky ones before you confirm — MetaMask now does this natively, and Rabby is built around it (see MetaMask vs Rabby).
4. Audit and revoke old approvals
Every approval you've ever granted stays live until you remove it — including ones to contracts that later turn malicious. Revoking means setting the allowance back to zero (or the operator flag back to false); it is itself an on-chain transaction, so it costs a little gas, which is cheap next to what a forgotten approval can take. Most wallets now let you review and revoke token approvals from their own settings; do it periodically and remove anything you no longer actively use. Think of it as closing doors you left open months ago. For how these approvals get abused in the first place, see how wallet drainers work.
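What "read what you sign" (section 3) and "revoke it" (section 4) look like at the calldata level. This is an added example, not MetaMask's, Rabby's or any token contract's code; the spender and operator addresses and the two prompts in demo() are constructed. It decodes the approve and setApprovalForAll calls a drainer prompt carries, rates them, and builds the zero-allowance transaction that undoes each one.

```python
"""Decode an approval prompt into plain facts, and build the call that undoes it.

Added example for sections 3 and 4 of this guide, not any wallet's or token's
code. Selectors are the first 4 bytes of keccak256 of each canonical signature,
hardcoded because the standard library has no keccak. All addresses constructed.
"""

UINT256_MAX = 2**256 - 1
# Heuristic chosen for this example: any amount this large exceeds every real
# token supply, so it is unlimited in practice even if it isn't 2**256-1.
EFFECTIVELY_UNLIMITED = 2**128

# selector -> (function name, static argument types)
SELECTORS = {
    "095ea7b3": ("approve", ("address", "uint256")),                  # ERC-20 / ERC-721
    "a22cb465": ("setApprovalForAll", ("address", "bool")),           # ERC-721 / ERC-1155
    "a9059cbb": ("transfer", ("address", "uint256")),                 # ERC-20
    "23b872dd": ("transferFrom", ("address", "address", "uint256")),  # ERC-20 / ERC-721
}


def _word(data: bytes, index: int) -> bytes:
    """32-byte ABI word number `index`, after the 4-byte selector."""
    start = 4 + 32 * index
    if len(data) < start + 32:
        raise ValueError("calldata is shorter than its arguments require")
    return data[start:start + 32]


def decode_calldata(hex_data: str) -> dict:
    """Strict static-ABI decode: non-canonical padding is rejected, not ignored."""
    data = bytes.fromhex(hex_data[2:] if hex_data.startswith("0x") else hex_data)
    if len(data) < 4:
        raise ValueError("no function selector")
    selector = data[:4].hex()
    if selector not in SELECTORS:
        return {"function": "unknown", "selector": "0x" + selector, "args": []}
    name, types = SELECTORS[selector]
    args = []
    for i, kind in enumerate(types):
        word = _word(data, i)
        if kind == "address":
            if any(word[:12]):
                raise ValueError("address word has non-zero padding")
            args.append("0x" + word[12:].hex())
        elif kind == "uint256":
            args.append(int.from_bytes(word, "big"))
        else:  # bool
            value = int.from_bytes(word, "big")
            if value not in (0, 1):
                raise ValueError("bool word is not 0 or 1")
            args.append(bool(value))
    return {"function": name, "selector": "0x" + selector, "args": args}


def assess(decoded: dict) -> dict:
    """Turn the decoded call into the warning a wallet summary should show."""
    fn, args = decoded["function"], decoded["args"]
    if fn == "approve":
        spender, amount = args
        if amount == 0:
            return {"risk": "low", "reason": f"revokes the allowance of {spender}"}
        if amount >= EFFECTIVELY_UNLIMITED:
            return {"risk": "high", "reason": f"unlimited allowance: {spender} can take every token you hold now or later"}
        return {"risk": "medium", "reason": f"{spender} may spend up to {amount} base units"}
    if fn == "setApprovalForAll":
        operator, approved = args
        if approved:
            return {"risk": "high", "reason": f"{operator} becomes operator for every NFT in this collection"}
        return {"risk": "low", "reason": f"removes {operator} as operator"}
    if fn in ("transfer", "transferFrom"):
        return {"risk": "high", "reason": f"{fn} moves the asset now; a site you only meant to connect to never needs this"}
    return {"risk": "unknown", "reason": f"selector {decoded['selector']} cannot be summarised; assume the worst"}


def _pad_address(addr: str) -> bytes:
    raw = bytes.fromhex(addr[2:] if addr.startswith("0x") else addr)
    if len(raw) != 20:
        raise ValueError("address must be 20 bytes")
    return raw.rjust(32, b"\x00")


def build_revocation(decoded: dict) -> str:
    """Calldata that zeroes the allowance the decoded call granted (section 4)."""
    if decoded["function"] not in ("approve", "setApprovalForAll"):
        raise ValueError("only allowances can be revoked; a transfer has already moved the asset")
    zero = (0).to_bytes(32, "big")  # amount 0, or bool false
    return decoded["selector"] + _pad_address(decoded["args"][0]).hex() + zero.hex()


def demo() -> list:
    """Two constructed drainer prompts: approve(0xab..ab, 2**256-1) and setApprovalForAll(0xcd..cd, true)."""
    prompts = [
        "0x095ea7b3" + "00" * 12 + "ab" * 20 + "ff" * 32,
        "0xa22cb465" + "00" * 12 + "cd" * 20 + "00" * 31 + "01",
    ]
    out = []
    for calldata in prompts:
        decoded = decode_calldata(calldata)
        out.append((decoded["function"], assess(decoded)["risk"], build_revocation(decoded)))
    return out


if __name__ == "__main__":
    for row in demo():
        print(*row)
```

The decoder is deliberately stricter than the chain (it refuses non-zero padding in an address word) because a wallet summary that silently tolerates odd encodings is one more place a prompt can mislead you. Revocation is just the same function called with zero, which is why "revoke" in a wallet's settings still asks you to sign and pay gas.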
5. Reduce your attack surface
- Use a hardware wallet for meaningful balances. Keys stay offline and every transaction needs a physical confirmation. Weigh it up in hardware vs software wallets.
- Separate wallets by purpose. Keep a "hot" wallet with small amounts for minting and dapps, and a cold wallet you rarely connect for savings.
- Watch what you paste. Attackers seed your history with lookalike addresses — always check the full address, not just the first and last characters. See address poisoning.
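A small check for the address-poisoning case above: an address book lookup that only accepts an exact match and names the contact a pasted address is impersonating. This is an added example, not any wallet's code. The saved "Exchange deposit" address and the lookalike are constructed; the lookalike shares the first four and last four hex characters with the real one, which is all most wallet UIs show.

```python
"""Catch address-poisoning lookalikes before pasting one into a send form.

Added example for this guide, not any wallet's code. ADDRESS_BOOK and the
lookalike are constructed; the trusted entry stands for an exchange deposit
address you have sent to before.
"""
import re

ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Constructed address book: one contact you send to regularly.
ADDRESS_BOOK = {"Exchange deposit": "0x1234567890abcdef1234567890abcdef1234abcd"}

# Constructed poisoned entry: same 0x1234 ... abcd as the real one, junk in between.
# An attacker sends you a dust transfer from this address so it appears in
# your history next to the real one.
LOOKALIKE = "0x1234" + "0" * 32 + "abcd"


def normalise(addr: str) -> str:
    """Validate the shape (0x + 40 hex) and lower-case it for comparison."""
    addr = addr.strip()
    if not ADDRESS_RE.fullmatch(addr):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return addr.lower()


def check_destination(pasted: str, address_book: dict, visible: int = 4) -> dict:
    """Classify a destination against saved contacts.

    `visible` is how many leading and trailing hex characters a wallet UI
    shows (0x1234...abcd). Only an exact match is 'known'; an address that
    matches just the visible parts of a contact is reported as a lookalike
    of that contact, with the positions where it actually differs.
    """
    target = normalise(pasted)
    for name, saved in address_book.items():
        known = normalise(saved)
        if known == target:
            return {"verdict": "known", "contact": name, "differs_at": []}
        same_head = known[2:2 + visible] == target[2:2 + visible]
        same_tail = known[-visible:] == target[-visible:]
        if same_head and same_tail:
            diff = [i for i, (a, b) in enumerate(zip(known, target)) if a != b]
            return {"verdict": "lookalike", "contact": name, "differs_at": diff}
    return {"verdict": "unknown", "contact": None, "differs_at": []}


def poisoning_effort(visible: int = 4) -> int:
    """Expected keypairs an attacker must generate to match `visible` leading
    and trailing hex characters: 16 ** (2 * visible). At 4 + 4 that is about
    4.3e9, well within reach of off-the-shelf vanity-address generators, which
    is why checking only the ends of an address is not a defence."""
    return 16 ** (2 * visible)


def demo() -> dict:
    return {
        "exact": check_destination(ADDRESS_BOOK["Exchange deposit"].upper().replace("0X", "0x"), ADDRESS_BOOK)["verdict"],
        "poisoned": check_destination(LOOKALIKE, ADDRESS_BOOK)["verdict"],
        "stranger": check_destination("0x" + "9" * 40, ADDRESS_BOOK)["verdict"],
        "effort_4_4": poisoning_effort(4),
    }


if __name__ == "__main__":
    print(demo())  # {'exact': 'known', 'poisoned': 'lookalike', 'stranger': 'unknown', 'effort_4_4': 4294967296}
```

The useful output is the lookalike verdict with the contact it impersonates: that is the moment to stop and re-copy the address from the exchange itself, not from your transaction history.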
A note on what protection can and can't do
No checklist makes you unhackable — social engineering evolves. What these habits do is remove the easy wins attackers rely on. WalletGuard is an independent verified-download directory and checksum tool; we don't sell a wallet, extension, or "protection" product. We make the official path and verification discipline easier to follow. Always confirm URLs, extension IDs, and contract addresses yourself when funds are involved.
Frequently asked questions
What is the single most important way to protect a crypto wallet?
Never enter your seed phrase anywhere except your own wallet's recovery screen. It's the master key, and disclosing it means total, irreversible loss. Every other step is secondary to that one rule.
How do wallet drainers empty a wallet without my seed phrase?
They trick you into signing a malicious transaction or token approval, which grants permission to move your tokens — so they never need your seed phrase. Read every transaction before signing and revoke approvals you don't use.
How do I know a wallet download is safe?
Download only from the official source, confirm the extension ID or publisher, then verify the file's SHA-256 against the developer's published value with the WalletGuard verifier.
Does a hardware wallet stop phishing?
It blocks a lot by keeping keys offline and forcing physical confirmation, but it can't save you if you approve a malicious transaction on the device. You still have to read what you're signing.