The 4 rules
- Never type your seed phrase into any website, app, or chat — not even 'wallet support'
- Use a hardware wallet for anything worth more than 1 month of rent
- Bookmark official sites. Never use Google ads to reach an exchange
- Sign every transaction by reading it — if you can't tell what it does, reject it
Common drain patterns
- Fake airdrop emails with a 'claim' button → connects wallet → signs a permit that drains tokens.
- Fake support DM on Discord → asks for seed phrase to 'restore your wallet'.
- Lookalike exchange URL → you log in and lose 2FA-bound funds.
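
One way to apply the "read it before you sign it" rule to the permit pattern above, as an added example that is not part of the original page: it summarises an EIP-2612 Permit signing request in plain terms and rejects anything it cannot interpret. The function name, the one-hour deadline threshold, the known-spender list and the sample addresses are assumptions made for illustration.

```javascript
// Added example. Threshold and "known spender" list are assumptions, not a standard.
const MAX_UINT256 = (1n << 256n) - 1n;
const MAX_DEADLINE_SECS = 3600n; // assumed: anything valid for over an hour is flagged

const reject = (why) => ({ kind: "unknown", verdict: "reject", warnings: [why] });

// payload: the typed-data JSON a wallet receives for eth_signTypedData_v4.
// knownSpenders: lowercase addresses the user already trusts (hypothetical allowlist).
function reviewTypedData(payload, knownSpenders = new Set(), nowSec = Math.floor(Date.now() / 1000)) {
  let data, amount, expires;
  try {
    data = typeof payload === "string" ? JSON.parse(payload) : payload;
  } catch { return reject("payload is not valid JSON"); }
  const msg = data && data.message, domain = data && data.domain;
  if (!msg || !domain || data.primaryType !== "Permit" || typeof msg.spender !== "string") {
    return reject("cannot tell what this signature authorises");
  }
  try {
    amount = BigInt(msg.value);
    expires = BigInt(msg.deadline);
  } catch { return reject("value or deadline is not an integer"); }

  const warnings = [];
  if (amount === MAX_UINT256) warnings.push("unlimited allowance");
  if (!knownSpenders.has(msg.spender.toLowerCase())) warnings.push("unknown spender");
  if (expires - BigInt(nowSec) > MAX_DEADLINE_SECS) warnings.push("long-lived deadline");
  return {
    kind: "permit",
    token: domain.verifyingContract, // contract whose tokens the spender may move
    spender: msg.spender,
    amount,
    verdict: warnings.length ? "reject" : "review",
    warnings,
  };
}

// Constructed sample, shaped like the permit in the fake-airdrop pattern.
const SAMPLE_PERMIT = {
  primaryType: "Permit",
  domain: { name: "ExampleToken", version: "1", chainId: 1, verifyingContract: "0x" + "aa".repeat(20) },
  message: {
    owner: "0x" + "11".repeat(20),
    spender: "0x" + "22".repeat(20),
    value: MAX_UINT256.toString(),
    nonce: "0",
    deadline: "99999999999",
  },
};

console.log(reviewTypedData(SAMPLE_PERMIT, new Set(), 1700000000));
```

A "review" verdict only means none of the assumed checks fired; the token, spender and amount still have to be read and understood before signing.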
