
Lessons·Threats·9 min·Beginner

Phishing 101: what every attacker tries first

Phishing is not a clever exploit. It is a conversation that ends with you handing over the keys. We break down the conversation so you can hear it coming.


If you talk to anyone who has lost crypto, the story is almost never "I had a complex bug in my hardware wallet." The story is almost always some version of "someone sent me a message, and I did the next thing."

Phishing is the most common attack on crypto holders by a wide margin. It is also the least technical. The attacker does not need to break the cryptography. They do not need to bypass the hardware. They just need to get you to type or paste or sign one specific thing in one specific moment. They are not attacking your wallet. They are attacking your judgment.

This lesson is the shape of that attack. Once you can recognize the conversation, you stop falling for it.

Phishing in one sentence

Phishing is when someone you do not know, or someone pretending to be someone you know, gets you to take an action that gives them control over something they should not have.

In crypto, the action is usually one of three things:

  1. Type your seed phrase into a screen they control.
  2. Approve a transaction that signs away funds or grants spending rights.
  3. Give them remote access to your device, on which the wallet lives.

That is the universe. Every phishing attempt you will ever see is a variation on getting you to do one of those three things. The wrappers around the action change. The action does not.

Key takeaway

Phishing is a conversation that ends in seed entry, a malicious signature, or remote access. Three outcomes, infinite stories. Recognize the destination and the story stops mattering.

The script most attackers run

Phishing follows a remarkably consistent shape, because it works. The shape:

  1. Contact, made to feel routine. A direct message, an email, a comment, a post in a Discord server, a notification in your wallet, a phone call. The contact is designed to feel like something that happens normally. Support replying to a question. A platform sending an alert. A friend asking for help.
  2. A reason to act, with a soft deadline. Your wallet is at risk. Your account will be locked. A migration is required. There is a special opportunity, and slots are limited. The deadline does not have to be sharp. It just has to be present, so that "I will think about this tomorrow" loses to "let me handle it now and move on."
  3. A path that looks legitimate. A website that resembles a real one. A form that looks like an official flow. A document that resembles a memo. The familiarity is doing the work. You are not being asked to trust something new; you are being asked to act on something you already trust.
  4. The action. Type your seed to "verify your wallet." Sign a transaction to "claim your tokens." Click the link to "approve the migration." Install the helper. Share the screen.
  5. The exit. Once the action is taken, the attacker disappears. Some run additional follow-ups (recovery scams, secondary phishing on the same victim) but the funds are usually gone the moment the action lands.

If you can name the step you are at, in real time, the attack stops working. Most victims describe the experience as a fog: they were not thinking about the script while it was running. The fog is the whole tool. Naming it is the way out.

The specific channels phishing uses in crypto

Phishing arrives through every channel attackers can reach you on. The most common, in rough order:

  • Direct messages on Telegram and Discord. Especially "support" messages from accounts that look exactly like a real project's team but are not. Real project teams almost never DM you first.
  • Replies and quote-posts on X. Especially under any post you make that mentions a wallet, a transaction, or an issue. Bots and impersonators monitor for that exact signal.
  • Phone calls from "support." Aimed at exchange users mostly, but increasingly at high-value individual holders. The attacker has often already gathered enough public information to sound legitimate.
  • Email "security alerts" from "your wallet provider." No wallet provider emails you about your seed. Look at the sender domain carefully, but the better move is to ignore the email's links entirely and go to the real site directly.
  • Search-engine ads. Paid ads above legitimate sites, leading to nearly identical fake versions. Type the URL of important wallet sites yourself, or save them in bookmarks. Do not search and click.
  • Compromised influencer accounts and giveaway scams. Real accounts hijacked, then used to promote a fake giveaway or token launch. Anything that asks you to send first to receive more is a scam, every time.
  • Fake dApp connect prompts. A site that asks you to "connect your wallet" and then prompts you to sign something that is not what it appears to be.

Each channel has its own texture. The thing they all share is the underlying script.
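
A concrete version of the bookmark advice above, added here as an illustration rather than as code from XDRIP Academy: the only thing that decides whether a link goes to your bookmarked site is the hostname the browser's URL parser actually resolves, not whether the brand name appears somewhere in the text. The script assumes xdripacademy.com is the site you bookmarked; every other domain in it is made up.

```javascript
// Added example (not XDRIP Academy code): decide whether a link really goes to
// a bookmarked site by looking at the hostname the URL parser resolves.
// Assumption: xdripacademy.com is the site you bookmarked. Every other
// domain below is constructed for illustration.
const TRUSTED_HOSTS = ['xdripacademy.com'];

// Extract the hostname the browser would actually connect to. The WHATWG URL
// parser strips userinfo (anything before '@') and rewrites Unicode labels
// into their punycode (xn--) form, so look-alike letters become visible.
function hostnameOf(link) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return null; // not a parseable absolute URL
  }
  if (url.protocol !== 'https:') return null; // ignore http:, javascript:, data:, ...
  return url.hostname.toLowerCase();
}

// Trusted means: exactly a bookmarked host, or a subdomain of one. The brand
// name appearing anywhere else in the link proves nothing.
function isTrustedLink(link) {
  const host = hostnameOf(link);
  if (host === null) return false;
  return TRUSTED_HOSTS.some((t) => host === t || host.endsWith('.' + t));
}

// Constructed links: the first two are real-looking pages on the bookmarked
// site, the rest are the shapes phishing links usually take.
const SAMPLE_LINKS = [
  'https://xdripacademy.com/lessons/phishing-101',
  'https://app.xdripacademy.com/account',
  'https://xdripacademy.com.verify-login.net/', // brand as a subdomain of the attacker's domain
  'https://xdripacademy.com@login-help.net/',   // brand in the userinfo, host is login-help.net
  'https://xdr\u0456pacademy.com/',             // Cyrillic i in place of Latin i
  'http://xdripacademy.com/',                   // right name, no TLS
  'click here to verify',                       // not a URL at all
];

for (const link of SAMPLE_LINKS) {
  console.log(isTrustedLink(link) ? 'TRUSTED   ' : 'UNTRUSTED ', hostnameOf(link), '<-', link);
}
```

Run it with node. It shows three ways a brand name can sit inside a link without the link going to the brand: as a subdomain of the attacker's domain, as the userinfo before an @, or as a look-alike built from letters of another alphabet, which the parser exposes by rewriting the host into its xn-- form. None of them survive an exact match against the bookmark. The limit of the check is that it says nothing about a site you never bookmarked, which is why the lesson says to type or bookmark the real URL first.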

The non-negotiable rules

These do not have exceptions.

  • Nobody legitimate ever asks for your seed phrase. Not support. Not your wallet's developer. Not a "validator." Not a migration tool. If anyone, anywhere, asks for your seed, it is an attack. There are no exceptions to this rule.
  • No legitimate process requires you to "verify" by entering your seed on a website. Verification flows for legitimate services use a message signed by your wallet, which proves you control the key without revealing it; the seed never needs to leave the wallet.
  • Real support does not contact you first. Especially not in DMs. If you opened a ticket, you go check the ticket on the real site, where you know you are on the real site. You do not respond to messages from people who reached out to you.
  • Slow down on anything urgent. Urgency is the attacker's friend, not yours. If a message wants you to act now without thinking, the right move is to wait. Real situations almost always survive a fifteen-minute pause to verify.

Watch out

The single most useful habit for avoiding phishing is the fifteen-minute pause. When you receive any message that involves typing your seed, signing something, clicking a link to your wallet, or sending funds urgently, you stop. You wait fifteen minutes. You do something else. You come back, and you act only if the situation still makes sense after that pause. Almost no real opportunity dies in fifteen minutes. Almost every phishing conversation dies in fifteen minutes.

What makes phishing modern

Two things have changed in the past few years that make phishing harder to spot than it used to be.

The first is AI-quality copy. Old phishing was full of grammar errors and obvious tells. New phishing reads as well as the real thing, in any language. The "bad English" tell is gone.

The second is targeted phishing. Attackers now know who you are before they message you. Public wallet activity, social media, breach data, and low-cost intelligence work combine to produce phishing that mentions your real situation, your real holdings, your real connections. The "they could not possibly know about me" tell is gone too.

What this means in practice: do not rely on red flags to spot phishing. Rely on the structure of the request itself. Is anyone asking me to type my seed, sign something I do not understand, or act faster than I am comfortable with? If yes, regardless of how legitimate the message looks, the answer is no.

The mental model

Picture a stranger at your door, dressed exactly like the utility worker you were expecting, holding a clipboard with your name on it, asking to come in and check the meter. Maybe they are real. Maybe they are not. The cost of being wrong is enormous.

The right answer is not to inspect the uniform more carefully. The right answer is to call the utility company directly, on the number you already have, and confirm the visit was scheduled. The defense is not in detecting the fake. It is in routing through a channel you trust.

That is exactly the right model for phishing. Do not inspect the message harder. Route through a known-good channel and start over.

Drill: triage four messages

Below are four messages. Some are safe, some are phishing. Mark each one, then we grade them all together and explain the tell.

  • Email · support@xcoldpro-account.com
    Subject: Action required: verify your XColdPro device

    Your XColdPro Frost firmware is out of date. Click below within 24 hours to keep your funds safe.

  • DM · @xdrip_support

    Hi, this is XDRIP Support. We saw a failed transaction and need to verify your seed phrase to fix it.

  • Email · newsletter@xdripacademy.com
    Subject: Lesson 3 is live: Hardware vs software wallets

    Following on from last week, the next lesson in the Self-Custody pillar is now live on your account. No action required from you.

  • SMS · +1 (415) 555-0142

    URGENT: your XECHO release was paused. Reply YES to authorize.

Key takeaway

Phishing is the dominant way crypto gets stolen. The attacker wants you to type your seed, sign a malicious transaction, or grant remote access. The story around the request is dressing. Recognize the destination. Pause before acting. Route through a channel you already trust. Anyone asking for your seed is an attacker, every time, no exceptions.
