Lesson 5 — Phishing & social engineering patterns
The four high-frequency patterns and the personal-policy rules that make them ineffective on you.
Phishing succeeds because it pushes you into a state where you act before you reason. The defence is not 'be smarter than the phisher in the moment' — it is to have rules that hold even when you are tired, rushed, or emotionally invested. This lesson covers the four highest-frequency patterns and the personal policies that defeat them.
Pattern one: paid Google ads to typo domains. Search 'revoke.cash' or 'metamask' or 'coinbase support' on a given day and the top result is often a paid ad pointing to a typo domain (`metarnask.io`, `coinbase-support.help`, etc.). The page mirrors the real site, including the wallet-connect button. Connecting and signing the first prompt drains the wallet. Defence: bookmark the real site once and use the bookmark forever. Never use search results for crypto sites. If you genuinely need to find a new site, navigate from a known trusted source (the project's official Twitter, the manufacturer's printed documentation, the official .org domain typed directly).
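The bookmark rule above can be enforced mechanically: the check below (an added example, not part of the lesson) passes a URL only if its registrable domain is in a hand-verified allowlist, and otherwise looks for the look-alike tricks the text describes (glyph swaps such as `rn` for `m`, brand names embedded in a hyphenated or extra label, one- or two-keystroke typos, and punycode labels). `TRUSTED`, `CONFUSABLES` and every sample host are constructed for illustration.

```python
# Added example (not from the lesson): a bookmark-allowlist check that flags
# look-alike hostnames. TRUSTED and all sample hosts are constructed.
from urllib.parse import urlsplit

# The "bookmarks": registrable domains verified once by hand.
TRUSTED = {"revoke.cash", "metamask.io", "coinbase.com", "uniswap.org"}

# Glyph pairs that read as one character at normal reading speed.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e")]


def registrable(host: str) -> str:
    """Last two labels: 'app.uniswap.org' -> 'uniswap.org' (toy, no public-suffix list)."""
    return ".".join(host.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'trusted', 'lookalike:<bookmarked domain>' or 'unknown'."""
    if "//" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    reg = registrable(host)
    if reg in TRUSTED:
        return "trusted"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike:punycode"  # IDN homograph; none of the bookmarks use one
    for good in sorted(TRUSTED):
        folded = reg
        for fake, real in CONFUSABLES:
            folded = folded.replace(fake, real)
        if folded == good:  # metarnask.io -> metamask.io
            return f"lookalike:{good}"
        if good.split(".")[0] in reg.replace("-", ".").split("."):
            return f"lookalike:{good}"  # coinbase-support.help
        if edit_distance(reg, good) <= 2:  # coinbsae.com
            return f"lookalike:{good}"
    return "unknown"
```

Anything that is not `trusted` is a stop sign: `unknown` means the site was never bookmarked, and the policy in the lesson is to navigate there from a known source rather than from a search result.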
Pattern two: fake support DMs. You post on Twitter, Reddit, or Discord that you are having a problem with a wallet, exchange, or NFT mint. Within minutes someone with a 'verified' or 'staff' badge messages you offering to help. They will eventually ask you to 'verify' your wallet by connecting it to a 'support portal' or by entering your seed phrase. Defence is a single rule: real support never DMs you first, and no support — anywhere, ever — needs your seed phrase. The moment a 'support agent' DMs you first, they are a scammer.
Pattern three: Discord and Telegram admin impersonation. Scammers join a community's Discord, copy an admin's profile picture and username (often with a single-character variation that is hard to spot), then DM members during high-activity moments — new mints, token launches, security incidents. The message offers help, a 'verification' link, or an exclusive opportunity. Defence: turn off DMs from server members in your Discord privacy settings for any crypto-related server. Use the official `#announcements` channel as the single source of truth, and verify any admin claim by asking in a public channel rather than responding in DM.
Pattern four: fake airdrop, mint, or claim pages. You see a post from what looks like a real project announcing an airdrop. The site has a 'claim' button that opens your wallet for a 'small signature.' The signature is a Permit, setApprovalForAll, or direct transfer call. The site is hosted at a typo domain or via a shortened URL. Real airdrops almost always require you to bridge to the protocol you already use — not to sign anything on a brand-new page. Defence: when in doubt, wait 24 hours and check whether the airdrop is announced through the project's verified channels.
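The 'small signature' on a fake claim page is only dangerous because of what it encodes, so the prompt can be triaged before it is signed. The example below (added here, not from the lesson) inspects a wallet request in the shape of the JSON-RPC calls a dapp sends to a browser wallet: it flags `eth_sign` (blind signing), EIP-712 `Permit`-family typed data, and transactions whose 4-byte selector is `approve`, `setApprovalForAll`, `permit`, or a transfer, decoding the approval amount to call out unlimited allowances. The typed-data parameter order `[address, typedData]` is the v3/v4 shape; all addresses and calldata are constructed samples.

```python
# Added example (not from the lesson): triage one wallet prompt before signing.
# Request dicts mimic the JSON-RPC calls a dapp sends a browser wallet.
import json

UNLIMITED = (1 << 256) - 1

# 4-byte selectors of the calls a fake "claim" page asks you to sign.
WATCHED = {
    "0x095ea7b3": "approve",
    "0x39509351": "increaseAllowance",
    "0xa22cb465": "setApprovalForAll",
    "0xd505accf": "permit",
    "0xa9059cbb": "transfer",
    "0x23b872dd": "transferFrom",
    "0x42842e0e": "safeTransferFrom",
}
PERMIT_TYPES = {"Permit", "PermitSingle", "PermitBatch", "PermitForAll"}


def triage(request: dict) -> str:
    """Return a 'DANGER:', 'WARN:' or 'OK:' verdict for one signing request."""
    method = request.get("method", "")
    params = request.get("params", [])
    if method == "eth_sign":
        return "DANGER: eth_sign is blind signing of an arbitrary hash"
    if method.startswith("eth_signTypedData"):
        # assumes the v3/v4 parameter order [address, typedData]
        typed = params[1] if isinstance(params[1], dict) else json.loads(params[1])
        primary = typed.get("primaryType", "")
        if primary in PERMIT_TYPES:
            msg = typed.get("message", {})
            spender = msg.get("spender") or msg.get("operator") or "?"
            return f"DANGER: {primary} gives {spender} spending rights with no on-chain tx"
        return f"WARN: typed data ({primary or 'unknown'}); read every field before signing"
    if method == "eth_sendTransaction":
        tx = params[0]
        data = (tx.get("data") or "0x").lower()
        name = WATCHED.get(data[:10])
        arg2 = int(data[74:138], 16) if len(data) >= 138 else None  # second ABI word
        if name is None:
            return "OK: selector not on the watch list; still verify the 'to' address"
        if name == "setApprovalForAll" and arg2 == 0:
            return "OK: setApprovalForAll(false) revokes an operator"
        if name in ("approve", "increaseAllowance"):
            size = "UNLIMITED" if arg2 == UNLIMITED else f"amount {arg2}"
            return f"DANGER: {name} ({size}) on token {tx.get('to', '?')}"
        return f"DANGER: {name} on {tx.get('to', '?')}"
    if method == "personal_sign":
        return "WARN: personal_sign; fine for login text, never for anything mentioning tokens"
    return f"WARN: unrecognised method {method or '?'}"
```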
Across all four patterns, the underlying defence is a personal-policy rule: 'I do not sign anything I did not initiate, and I do not act on time-pressured messages.' Phishers manufacture urgency because urgency bypasses reasoning. If a 'support agent' tells you that you have five minutes to act, you have all the information you need: they are not a support agent.
Example
In a series of incidents through 2024 and into 2025, paid Google search ads served typo-domain copies of revoke.cash, Uniswap, MetaMask, and Phantom, all of which led to drainer pages. The advertising platform's review process flagged and removed many of these, but the cycle of 'set up, run for a few days, get banned, restart with a new variant' has continued. Bookmark discipline is the only sustainable defence; expecting Google's review process to catch every variant is not realistic.
Common mistakes
- Trusting the URL bar at a glance. A typo domain looks identical at the speed people normally read. Read the full URL character by character on any site that will ask you to sign.
- Accepting verification badges as proof of identity. Verified accounts on every major social platform have been bought, stolen, or impersonated. Treat badges as colour, not as evidence.
- Replying to 'support' in DM. Move the conversation to the project's official public channel and watch how fast the 'support agent' loses interest.
- Acting on FOMO. 'Limited supply,' 'last 24 hours,' 'whitelist closes tonight' are the same manipulation patterns whether they come from a real project or a scam — better to miss a real opportunity than to lose to a fake one.
Safety warning
The single most reliable predictor of a scam is unsolicited contact about money — a DM, an email, a phone call, a message in a group — that arrives without you initiating it. If the contact is unsolicited and the topic is your crypto, you are being phished by default until you can prove otherwise through a separate verified channel.
Check your understanding
You DM the official Twitter account of a wallet provider asking for help with a stuck transaction. A 'support agent' replies within 30 seconds with a verification link. What does the rapid reply tell you?
Sources & further reading
- Primary: Anti-Phishing Working Group — Phishing Activity Trends Report
  Industry-wide statistics on phishing volume and pattern frequency.
- Secondary: Krebs on Security — phishing archive
  Long-running journalism on specific phishing incidents and operator tradecraft.
- Contextual: Discord — Privacy and Safety Center
  Official Discord guidance on configuring DM restrictions and reporting impersonators.