Simple Base Swap
Jul 2, 2026

How to avoid wallet phishing, fake apps, and drainer scams

Tags: security, base, scams, guides

If you self-custody your funds, the biggest risk you face is not a hacker breaking into a wallet from the outside. Modern wallets are hard to attack that way. The far more common story is simpler: someone is tricked into signing a transaction, typing a recovery phrase into the wrong box, or downloading an app that was never the real one. This is called phishing, and it is worth understanding in plain terms, because the defense is mostly about habits, not tools.

Why phishing works

A wallet does exactly what you tell it to. That is the whole point of self custody. There is no bank to call, no support desk that can reverse a transfer, and no fraud department watching your account. When you approve a transaction, the network carries it out and the result is final.

Phishing takes advantage of this. Instead of attacking the wallet, the attacker attacks the person holding it. The goal is to get you to do one of three things: reveal your recovery phrase, sign a malicious transaction, or install software that is quietly under someone else's control. If any of those succeed, the attacker does not need to break anything. You handed over the key.

The recovery phrase trap

Your recovery phrase, sometimes called a seed phrase, is the master key to your wallet. Anyone who has it can restore your wallet on their own device and move everything. This is the single most valuable thing an attacker can get, so a huge amount of phishing is aimed straight at it.

The rule is short and has no exceptions. A real wallet, a real exchange, and a real support agent will never ask you to type your recovery phrase into a website, a chat, a form, an email reply, or an app that is not your wallet's own setup screen. If anything asks for it, that thing is a scam. It does not matter how official it looks or how urgent it sounds.

Common versions of this trap:

  • A pop-up or website claiming your wallet needs to be "validated" or "synced" and asking for your phrase.
  • A fake support person in a chat group who offers to help and then asks you to "verify" your wallet.
  • A form that promises an airdrop or a refund if you connect and confirm your phrase.

Write your phrase on paper, store it offline, and treat any request for it as an attack.

Fake sites and lookalike domains

Attackers register web addresses that look almost right. A single swapped letter, an extra word, or a different ending can make a fake page look identical to the real one. They then buy ads or post links so their fake version appears where you might click it.

Once you land on the fake site and connect your wallet, the page can ask you to sign a transaction that looks routine but actually grants the attacker permission to move your tokens. This is often called a wallet drainer, because a single approval can empty a balance.

A few habits keep you safe here:

  • Bookmark the real site and open it from your bookmark, not from search results, ads, or links sent to you.
  • Check the full web address carefully before connecting a wallet, letter by letter if needed.
  • Be suspicious of any link that arrives with urgency, a countdown, or a prize attached.

Fake apps

The same trick happens in app stores and download pages. A fake wallet app can look convincing, complete with a familiar name and logo. Once installed, it either steals the phrase you enter during setup or shows you a deposit address that belongs to the attacker.

To reduce this risk, install wallet software only from the official website or the verified listing linked from it. Check the developer name, the review history, and the number of downloads. If an app is brand new, has few reviews, or was linked from a random message, slow down and verify before trusting it with anything.

Read what you are signing

Every action that moves funds or grants permission requires a signature. This is your last checkpoint, and it is a good one if you use it. Before you approve, look at what the request actually does.

Modern wallets try to describe the request in plain language. If a swap you expected suddenly asks for permission to spend an unlimited amount of a token, or if a "claim" turns out to be a transfer out of your wallet, that mismatch is your warning. When the description does not match what you thought you were doing, reject it. You lose nothing by canceling and starting over.

Two ideas make this easier to spot:

  • A signature that grants spending permission is different from one that simply moves a fixed amount. Unlimited spending permissions are convenient but risky, because they stay active until revoked.
  • If you cannot tell what a request does, do not approve it. Confusion is a reason to stop, not to click through.

Cleaning up old permissions

Over time, a wallet collects approvals from every site it has interacted with. Some of those permissions may still be active long after you stopped using the site. If one of those sites is later compromised, an old approval can be abused.

You can review and remove these permissions. A block explorer for Base has a token approvals view where you can see which addresses your wallet has granted access to, and cancel the ones you no longer need. Doing this occasionally is good hygiene, a bit like changing passwords you no longer use.
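Reading what an approval actually grants (the "Read what you are signing" section above) and revoking a stale one both come down to the same calldata, so here is an added example in plain Node.js, not code from the article or the Simple Base Swap app: it decodes a pending approve() request, compares it with what the user intended, and builds the zero-allowance call that revokes it. The spender addresses used with it are constructed; the selectors are the standard ERC-20 and ERC-721 ones.

```javascript
// Added example, not code from the article or the Simple Base Swap app.
// Inspects the calldata a wallet is about to sign, flags ERC-20 approve() requests that
// grant an unlimited allowance or name an unexpected spender, and builds the
// approve(spender, 0) calldata that revokes an allowance. Plain Node.js, runs offline.
const SELECTORS = { // first 4 bytes of keccak256 of each Solidity signature
  "095ea7b3": "approve(address,uint256)",
  "a9059cbb": "transfer(address,uint256)",
  "a22cb465": "setApprovalForAll(address,bool)",
};
const MAX_UINT256 = (1n << 256n) - 1n; // the value dapps use for "unlimited"

// Decode calldata for the three selectors above; null for anything else.
function decodeCalldata(data) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  const fn = SELECTORS[hex.slice(0, 8)];
  if (!fn || hex.length < 8 + 2 * 64) return null; // need selector + two 32-byte words
  const word = (i) => hex.slice(8 + 64 * i, 8 + 64 * (i + 1));
  const target = "0x" + word(0).slice(24); // addresses are right-aligned in their word
  const value = BigInt("0x" + word(1));
  if (fn === "setApprovalForAll(address,bool)") {
    return { fn, target, unlimited: value === 1n }; // true = control of the whole collection
  }
  return { fn, target, amount: value, unlimited: fn.startsWith("approve") && value === MAX_UINT256 };
}

// Compare the request with what the user intended: a swap that needs at most
// expectedAmount of the token to be spendable by expectedSpender.
function assessApproval(data, expectedSpender, expectedAmount) {
  const d = decodeCalldata(data);
  if (!d) return "unrecognised request: reject";
  if (d.fn !== "approve(address,uint256)") return `not an approve (${d.fn}): reject`;
  if (d.target !== expectedSpender.toLowerCase()) return "spender mismatch: reject";
  if (d.unlimited) return "unlimited allowance: reject, or revoke it afterwards";
  if (d.amount > expectedAmount) return "allowance exceeds the expected amount: reject";
  return "ok";
}

// ABI-encode approve(spender, amount); also used to build revocations (amount = 0).
function encodeApprove(spender, amount) {
  const addr = String(spender).toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{40}$/.test(addr)) throw new Error("spender is not a 20-byte address");
  if (amount < 0n || amount > MAX_UINT256) throw new Error("amount out of uint256 range");
  return "0x095ea7b3" + addr.padStart(64, "0") + amount.toString(16).padStart(64, "0");
}

// Revoking = approving a zero allowance; this is what an explorer's "revoke" button sends.
function revokeCalldata(spender) {
  return encodeApprove(spender, 0n);
}
```

A real wallet shows the decoded form of this in its confirmation screen; the point of the check is that the spender and the amount must match the action you thought you were taking.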

A short checklist

  • Never type your recovery phrase anywhere except your own wallet's setup screen.
  • Open the real site from a bookmark, and verify the full address before connecting.
  • Install wallet apps only from official sources, and check the developer and reviews.
  • Read every signature request, and reject anything that does not match your intent.
  • Be extra careful with unlimited spending approvals, and revoke old ones you do not use.
  • Treat urgency, prizes, and unexpected messages as warning signs, not opportunities.

The mindset that protects you

Self-custody gives you full control, and full control means the responsibility sits with you. That sounds heavy, but in practice it comes down to a calm habit: slow down before you approve anything, and never share the one secret that unlocks everything. Attackers rely on speed and confusion. A few seconds of doubt, spent checking an address or reading a request, is usually all it takes to stay safe.

None of this requires special software or technical skill. It requires attention at the moments that matter, and a firm rule that your recovery phrase is yours alone.
