
Phishing is the single most common way self-custody users lose money. Not a broken cipher, not a cracked private key — a convincing message, a look-alike website, or a transaction that looks routine until it isn't. The cryptography behind your wallet is sound, and the attacker knows it, so they skip it entirely and go after the one part of the system that can be talked into doing the wrong thing: you. Every year, billions are lost to crypto-related fraud and social engineering, and the bulk of it starts with a phishing message rather than a technical exploit.
This article breaks down what crypto phishing actually targets, the specific patterns you can learn to recognize on sight, and how SSP's design helps — while being honest about where it can't protect you.
What phishing actually targets
Phishing against a self-custody user is after one of three things: your seed phrase, your approvals, or your signature. Steal the seed and the attacker owns every account it derives, forever. Trick you into granting a token approval and they can drain specific assets at their leisure. Get you to sign a single malicious transaction and the funds move in one block.
What all three share is that you have to act. The attacker cannot reach into your wallet and take anything; they need you to type, click, approve, or sign. That dependence is also your advantage — every attack has a moment where you can stop it, if you know what the moment looks like.
The patterns you can recognize
Crypto phishing reuses a small set of plays. Once you can name them, they get much harder to fall for.
Fake wallet sites and search-ad typosquats
The oldest play is a clone of a real wallet or exchange site, served from a look-alike domain and often pushed to the top of search results as a paid ad. The page looks pixel-perfect and exists for one reason: to harvest your seed phrase, or to trick you into connecting and signing. Treat the search bar as hostile. Find the real site once, verify it, and bookmark it — then only ever arrive through that bookmark. SSP will never ask for your seed phrase on a website, and the real extension is installed from the official browser store, not from a search ad. If you are unsure what a legitimate extension wallet even looks like, read browser extension wallets explained.
Seed-phrase entry prompts
This one deserves its own rule, because it is absolute: no legitimate wallet ever asks you to type your seed phrase into a website, a form, a pop-up, or a DM. Not to "validate" it, not to "sync" it, not to "claim" anything. Your seed is entered in exactly one place — inside the wallet software itself, during initial setup or recovery. SSP only takes your seed inside the extension or the mobile app for that purpose, and never on a web page. If anything else asks, it is a theft attempt, full stop. For the broader discipline of protecting it, see seed phrase best practices.
Approval phishing and wallet drainers
Newer and sneakier: a malicious dApp does not ask for your seed at all. It asks you to sign what looks like a normal transaction — but the action is a token approval or a setApprovalForAll that hands the attacker's contract permission to move your tokens or NFTs. You keep custody of your keys; you just signed away the right to your assets, and a wallet drainer sweeps them later, sometimes weeks afterward. The defense is to understand what an approval is and to keep them short-lived. Read token approvals — the permissions you keep granting, then revoke the ones you no longer use.
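As an added illustration (not SSP's own code) of the check a wallet can run before you sign, here is a small JavaScript decoder that parses a transaction's calldata and flags approve and setApprovalForAll calls, calling out unlimited ones. The function selectors are the standard ERC-20/ERC-721 ones; the sample calldata at the bottom is constructed.

```javascript
// Added example, not SSP's own code: decode the calldata of a pending
// transaction and flag token approvals before the user signs. The selectors
// are the standard ERC-20 / ERC-721 ones (first 4 bytes of keccak256 of the
// function signature); the sample calldata at the bottom is constructed.
const SELECTORS = {
  "095ea7b3": "approve",           // approve(address,uint256)
  "a22cb465": "setApprovalForAll", // setApprovalForAll(address,bool)
  "a9059cbb": "transfer",          // transfer(address,uint256)
};
const UINT256_MAX = (1n << 256n) - 1n;

// ABI arguments are 32-byte words after the 4-byte selector; an address is
// right-aligned in its word, so its 20 bytes are the last 40 hex characters.
const word = (data, i) => data.slice(8 + i * 64, 8 + (i + 1) * 64);
const addr = (w) => "0x" + w.slice(24);

function inspectCalldata(dataHex) {
  const data = dataHex.replace(/^0x/i, "").toLowerCase();
  const kind = SELECTORS[data.slice(0, 8)];
  if (!kind) {
    return { kind: "unknown", warn: true, reason: "unrecognized function; do not blind-sign" };
  }
  if (data.length < 8 + 2 * 64) {
    return { kind, warn: true, reason: "truncated calldata" };
  }
  const target = addr(word(data, 0));
  const second = BigInt("0x" + word(data, 1));
  if (kind === "approve") {
    const unlimited = second === UINT256_MAX;
    return { kind, spender: target, amount: second.toString(), unlimited, warn: true,
             reason: unlimited ? "UNLIMITED token approval" : "token approval" };
  }
  if (kind === "setApprovalForAll") {
    const approved = second !== 0n;
    return { kind, operator: target, approved, warn: approved,
             reason: approved ? "operator gets control of every NFT in this collection" : "revokes operator" };
  }
  // Plain transfer: surface the recipient so it can be checked character by character.
  return { kind, to: target, amount: second.toString(), warn: false, reason: "" };
}

// Constructed sample: an unlimited approve() to spender 0x1111...1111.
const SAMPLE_UNLIMITED_APPROVE =
  "0x095ea7b3" + "00".repeat(12) + "11".repeat(20) + "ff".repeat(32);
console.log(inspectCalldata(SAMPLE_UNLIMITED_APPROVE));
```

A wallet that shows "UNLIMITED token approval to 0x1111...1111" instead of a hex blob gives the user the moment to stop that the section above describes.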
Address poisoning
Address poisoning preys on copy-paste habits. The attacker sends a tiny or zero-value transfer to your wallet from an address engineered to look like one you already use — the same first four and last four characters. It then sits in your history, so the next time you copy a "known" address from past transactions you grab theirs instead, and send your funds straight to the attacker. The fix is mechanical: never copy an address from transaction history, and verify the full address, character by character — not just the first and last four. A look-alike can match both ends perfectly and differ entirely in the middle.
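Here is an added JavaScript example (not SSP's code) of the check a wallet could run over its own history: it flags any counterparty that shares the first four and last four hex characters with a saved contact but differs elsewhere, and notes whether the transfer was zero-value. The addresses and transactions in it are constructed.

```javascript
// Added example, not SSP's own code: scan transaction history for addresses
// that mimic a saved contact (same first 4 and last 4 hex characters after
// "0x") but differ elsewhere, the look-alike that address poisoning relies on.
function normalize(address) {
  const a = address.trim().toLowerCase();
  if (!/^0x[0-9a-f]{40}$/.test(a)) throw new Error("not a 20-byte hex address: " + address);
  return a;
}

// "Looks like" in the sense a human skims: matching ends, different middle.
function looksLike(candidate, known) {
  const c = normalize(candidate), k = normalize(known);
  return c !== k && c.slice(2, 6) === k.slice(2, 6) && c.slice(-4) === k.slice(-4);
}

// Returns every history entry whose counterparty mimics an address-book entry.
function findPoisonedEntries(history, addressBook) {
  const hits = [];
  for (const tx of history) {
    for (const [label, known] of Object.entries(addressBook)) {
      if (looksLike(tx.counterparty, known)) {
        hits.push({ hash: tx.hash, counterparty: normalize(tx.counterparty), mimics: label,
                    zeroValue: BigInt(tx.value) === 0n });
      }
    }
  }
  return hits;
}

// Constructed sample data (not real addresses or transactions).
const ADDRESS_BOOK = {
  "exchange deposit": "0xabcd1234567890abcdef1234567890abcdef5678",
};
const HISTORY = [
  { hash: "0x01", counterparty: "0xabcd1234567890abcdef1234567890abcdef5678", value: "1000000000000000000" },
  { hash: "0x02", counterparty: "0xabcd9f8e7d6c5b4a39281706f5e4d3c2b1a05678", value: "0" },
];
console.log(findPoisonedEntries(HISTORY, ADDRESS_BOOK));
```

The second history entry matches the saved contact at both ends and nowhere else, which is exactly why copying from history is unsafe and only a full, character-by-character comparison against a source you trust is.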
Impersonation in DMs
If someone messages you first on Discord, Telegram, or X claiming to be "official support," it is a scam by default. Real support does not slide into your DMs, and no admin, moderator, or "validation bot" ever needs your seed phrase, your private key, or for you to connect your wallet to "verify" it. Urgency is the tell — "your funds are at risk, act now" exists to stop you thinking. Close the DM and reach support only through a channel you navigated to yourself.
Malicious signature requests / blind signing
The most technical play asks you to sign a message rather than a transaction — a Permit, an eth_sign payload, or an opaque blob you cannot read. These can authorize token transfers or approvals off-chain, sometimes with no gas cost and no obvious warning. The rule: understand what you are signing before you sign it, and be deeply suspicious of any request you cannot decode. When you connect to dApps, know how the session and its signing requests work — what WalletConnect is and how it works with SSP walks through that surface.
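To make the difference between a readable and an opaque request concrete, here is an added JavaScript classifier (not SSP's code) that triages eth_sign, personal_sign and eth_signTypedData_v4 requests, and flags a Permit with an unlimited value or a far-future deadline. The sample request is constructed, and the Permit field names are assumed to follow the EIP-2612 layout.

```javascript
// Added example, not SSP's own code: classify a dApp signing request by its
// JSON-RPC method and payload so a wallet can show a plain-language warning
// instead of an opaque blob. Method names and the typed-data layout are the
// standard EIP-191 / EIP-712 ones; the Permit fields follow EIP-2612.
const UINT256_MAX = (1n << 256n) - 1n;
const ONE_DAY = 86400n;

function classifySignRequest({ method, params }) {
  if (method === "eth_sign") {
    // Signs an arbitrary 32-byte hash: the wallet cannot show what it commits to.
    return { risk: "critical", summary: "blind signature over a raw hash; reject" };
  }
  if (method === "personal_sign") {
    const text = Buffer.from(params[0].replace(/^0x/i, ""), "hex").toString("utf8");
    return { risk: "low", summary: `readable message: "${text}"` };
  }
  if (method === "eth_signTypedData_v4") {
    const td = typeof params[1] === "string" ? JSON.parse(params[1]) : params[1];
    if (td.primaryType === "Permit") {
      const value = BigInt(td.message.value);
      const unlimited = value === UINT256_MAX;
      const nowSec = BigInt(Math.floor(Date.now() / 1000));
      const longLived = BigInt(td.message.deadline) > nowSec + ONE_DAY;
      return {
        risk: unlimited || longLived ? "high" : "medium",
        summary: `Permit: ${td.message.spender} may spend ${unlimited ? "UNLIMITED" : value} of token ${td.domain.verifyingContract}`,
        unlimited, longLived,
      };
    }
    return { risk: "medium", summary: `typed data of type ${td.primaryType} for ${td.domain?.name}` };
  }
  return { risk: "unknown", summary: "unrecognized signing method " + method };
}

// Constructed sample: an unlimited-value Permit with a deadline in the year 2100,
// the shape that lets a drainer move tokens later at no gas cost to the victim.
const SAMPLE_PERMIT = {
  method: "eth_signTypedData_v4",
  params: ["0x" + "aa".repeat(20), JSON.stringify({
    types: {}, primaryType: "Permit",
    domain: { name: "ExampleToken", version: "1", chainId: 1, verifyingContract: "0x" + "cc".repeat(20) },
    message: { owner: "0x" + "aa".repeat(20), spender: "0x" + "bb".repeat(20),
               value: UINT256_MAX.toString(), nonce: 0, deadline: "4102444800" },
  })],
};
console.log(classifySignRequest(SAMPLE_PERMIT));
```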
How SSP's design helps — and where it doesn't
SSP is a 2-of-2 multisig wallet: every transaction must be co-signed on a second device, the SSP Key, before it can be broadcast. That gives you a second screen, on separate hardware, showing the request one more time before it goes through — a genuine second review surface that a single-device wallet does not have. The extension also never asks for your seed on a web page, which closes the most common harvesting route by design.
Here is the honest part: multisig is not a phishing cure. If a malicious transaction is in front of you and you approve it in the extension and confirm it on your SSP Key, the wallet does exactly what you told it to. The second device protects you from a single compromised device signing alone — it does not protect you from approving a bad action twice. So read both screens: if the destination, amount, or action does not match what you intended, reject it on the SSP Key. Phishing defense ultimately still rests with you. Why that responsibility is worth it is the heart of why self-custody matters now.
A 60-second phishing self-check
Before you sign anything, run this:
- URL check — did you arrive through your own bookmark, or through a link or ad someone handed you? If it is not your bookmark, stop.
- Seed check — is anything asking for your seed phrase? If yes, it is a scam, every time, with no exceptions.
- Read the SSP Key — does the action and amount on your second device match exactly what you meant to do?
- Destination check — verify the full recipient address, not just the first and last four characters.
- DM check — did this start with an unsolicited message or an urgent "act now"? Treat it as hostile.
- Approval hygiene — revoke stale token approvals you no longer need, so a forgotten one cannot be drained later.
If any step fails, reject and walk away. A missed opportunity costs nothing; a signed drainer can cost everything.
Keep going
Phishing is one layer of a larger personal-security practice. Tighten the rest with browser extension hygiene for crypto users, and put it all on a recurring schedule with your crypto opsec checklist. For how the wider ecosystem tracks these attacks, the APWG Phishing Activity Trends reports and the FBI's IC3 are solid primary sources.


