
This site is for educational purposes only. Nothing here constitutes financial advice.

Lesson 5 of 8
~22 min
Crypto Security Bootcamp

Lesson 5 — Phishing & social engineering patterns

The four high-frequency patterns and the personal-policy rules that make them ineffective on you.

Intermediate
Evergreen
22 min read
Updated 2026-05-17
Block Clarity Hub Editorial Team

Phishing succeeds because it pushes you into a state where you act before you reason. The defence is not 'be smarter than the phisher in the moment' — it is to have rules that hold even when you are tired, rushed, or emotionally invested. This lesson covers the four highest-frequency patterns and the personal policies that defeat them.

Pattern one: paid Google ads to typo domains. Search 'revoke.cash' or 'metamask' or 'coinbase support' on a given day and the top result is often a paid ad pointing to a typo domain (`metarnask.io`, `coinbase-support.help`, etc.). The page mirrors the real site, including the wallet-connect button. Connecting and signing the first prompt drains the wallet. Defence: bookmark the real site once and use the bookmark forever. Never use search results for crypto sites. If you genuinely need to find a new site, navigate from a known trusted source (the project's official Twitter, the manufacturer's printed documentation, the official .org domain typed directly).
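
The bookmark rule from pattern one can be turned into a check. The following is an added example, not part of the original lesson: it compares a URL's host against a bookmarked allowlist and flags near-matches such as `metarnask.io` and `coinbase-support.help`. The allowlist, the confusable pairs, the distance threshold of 2 and the function names are assumptions for illustration; hosts are compared whole, without a public-suffix list.

```javascript
// Added example (not from the lesson): compare a URL against bookmarked hosts.
// TRUSTED is a constructed sample allowlist; use your own bookmarked hosts.
const TRUSTED = ["metamask.io", "revoke.cash", "coinbase.com", "uniswap.org"];
// Substitutions that read the same at a glance (rn -> m is the lesson's example).
const CONFUSABLES = [["rn", "m"], ["vv", "w"], ["cl", "d"], ["0", "o"], ["1", "l"]];

const skeleton = (s) =>
  CONFUSABLES.reduce((acc, [from, to]) => acc.split(from).join(to), s.toLowerCase());

// Levenshtein edit distance, single-row dynamic programming.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const up = row[j];
      row[j] = Math.min(up + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = up;
    }
  }
  return row[b.length];
}

function classifyUrl(url) {
  let host;
  try {
    host = new URL(url).hostname.toLowerCase().replace(/^www\./, "");
  } catch {
    return { verdict: "invalid" };
  }
  for (const t of TRUSTED) {
    if (host === t || host.endsWith("." + t)) return { verdict: "trusted", match: t };
  }
  const sk = skeleton(host);
  for (const t of TRUSTED) {
    const brand = t.split(".")[0];
    if (sk === skeleton(t)) return { verdict: "lookalike", match: t, why: "confusable characters" };
    if (sk.includes(brand)) return { verdict: "lookalike", match: t, why: "brand name in other host" };
    if (editDistance(sk, skeleton(t)) <= 2) return { verdict: "lookalike", match: t, why: "near-miss spelling" };
  }
  // Punycode labels are how non-ASCII homoglyph hosts appear after URL parsing.
  if (host.split(".").some((l) => l.startsWith("xn--"))) return { verdict: "lookalike", why: "punycode host" };
  return { verdict: "unknown" };
}
```

A verdict of `unknown` only means the host is not a near-match of a bookmark; under the lesson's policy it is still not a site to sign on.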

Pattern two: fake support DMs. You post on Twitter, Reddit, or Discord that you are having a problem with a wallet, exchange, or NFT mint. Within minutes someone with a 'verified' or 'staff' badge messages you offering to help. They will eventually ask you to 'verify' your wallet by connecting it to a 'support portal' or by entering your seed phrase. Defence is a single rule: real support never DMs you first, and no support — anywhere, ever — needs your seed phrase. The moment a 'support agent' DMs you first, they are a scammer.

Pattern three: Discord and Telegram admin impersonation. Scammers join a community's Discord, copy an admin's profile picture and username (often with a single-character variation that is hard to spot), then DM members during high-activity moments — new mints, token launches, security incidents. The message offers help, a 'verification' link, or an exclusive opportunity. Defence: turn off DMs from server members in your Discord privacy settings for any crypto-related server. Use the official `#announcements` channel as the single source of truth, and verify any admin claim by asking in a public channel rather than responding in DM.

Pattern four: fake airdrop, mint, or claim pages. You see a post from what looks like a real project announcing an airdrop. The site has a 'claim' button that opens your wallet for a 'small signature.' The signature is a Permit, setApprovalForAll, or direct transfer call. The site is hosted at a typo domain or via a shortened URL. Real airdrops almost always require you to bridge to the protocol you already use — not to sign anything on a brand-new page. Defence: when in doubt, wait 24 hours and check whether the airdrop is announced through the project's verified channels.
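
To make the 'small signature' concrete, the following added example (not part of the original lesson) classifies a wallet prompt by what it would authorise: a Permit typed-data signature, `setApprovalForAll`, an approval, or a direct transfer. It assumes the request arrives in the wallet-provider JSON-RPC shape (`eth_sendTransaction`, `eth_signTypedData_v4`); the risk labels, function names and sample address are constructed for illustration.

```javascript
// Added example (not from the lesson): classify a wallet prompt before approving it.
// Selector = first 4 bytes of keccak256 of the standard ERC-20/ERC-721 function signature.
// `who` is the index of the argument naming the party that gains control or funds.
const RISKY = {
  "0xa22cb465": { fn: "setApprovalForAll", who: 0 },
  "0x095ea7b3": { fn: "approve", who: 0 },
  "0xa9059cbb": { fn: "transfer", who: 0 },
  "0x23b872dd": { fn: "transferFrom", who: 1 },
  "0xd505accf": { fn: "permit", who: 1 },
};

// n-th 32-byte ABI argument of the calldata, as 64 hex characters.
const word = (data, n) => data.slice(10 + 64 * n, 10 + 64 * (n + 1));

function classifyRequest(req) {
  const params = req.params || [];
  if (req.method === "eth_signTypedData_v4") {
    // Off-chain Permit signature: no transaction is sent, yet it authorises a spender.
    const typed = typeof params[1] === "string" ? JSON.parse(params[1]) : params[1] || {};
    const isPermit = /^Permit/.test(typed.primaryType || "");
    return isPermit
      ? { risk: "high", kind: "permit-signature", party: (typed.message || {}).spender }
      : { risk: "review", kind: "typed-data" };
  }
  if (req.method !== "eth_sendTransaction") return { risk: "review", kind: req.method };
  const data = String((params[0] || {}).data || "0x").toLowerCase();
  const hit = RISKY[data.slice(0, 10)];
  if (!hit) return { risk: "review", kind: "unknown-call" };
  const party = "0x" + word(data, hit.who).slice(24);
  // approve(spender, 0) and setApprovalForAll(operator, false) are revocations.
  const isGrant = hit.fn === "approve" || hit.fn === "setApprovalForAll";
  const revokes = isGrant && !/[1-9a-f]/.test(word(data, 1));
  return { risk: revokes ? "low" : "high", kind: revokes ? "revoke:" + hit.fn : hit.fn, party };
}

// Constructed sample: setApprovalForAll(0xabab...ab, true) as a dapp would send it.
const SAMPLE_OPERATOR = "ab".repeat(20);
const SAMPLE_REQUEST = {
  method: "eth_sendTransaction",
  params: [{ data: "0xa22cb465" + SAMPLE_OPERATOR.padStart(64, "0") + "1".padStart(64, "0") }],
};
console.log(classifyRequest(SAMPLE_REQUEST));
```

The `party` field is the address that would gain control; on a claim page you did not navigate to from a bookmark, a `high` result for an address you do not recognise is the drain the lesson describes.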

Across all four patterns, the underlying defence is a personal-policy rule: 'I do not sign anything I did not initiate, and I do not act on time-pressured messages.' Phishers manufacture urgency because urgency bypasses reasoning. If a 'support agent' tells you that you have five minutes to act, you have all the information you need: they are not a support agent.

Example

In a series of incidents through 2024 and into 2025, paid Google search ads served typo-domain copies of revoke.cash, Uniswap, MetaMask, and Phantom, all of which led to drainer pages. The advertising platform's review process flagged and removed many of these, but the cycle of 'set up, run for a few days, get banned, restart with a new variant' has continued. Bookmark discipline is the only sustainable defence; expecting Google's review process to catch every variant is not realistic.

Common mistakes

  • Trusting the URL bar at a glance. A typo domain looks identical at the speed people normally read. Read the full URL character by character on any site that will ask you to sign.
  • Accepting verification badges as proof of identity. Verified accounts on every major social platform have been bought, stolen, or impersonated. Treat badges as colour, not as evidence.
  • Replying to 'support' in DM. Move the conversation to the project's official public channel and watch how fast the 'support agent' loses interest.
  • Acting on FOMO. 'Limited supply,' 'last 24 hours,' 'whitelist closes tonight' are the same manipulation patterns whether they come from a real project or a scam — better to miss a real opportunity than to lose to a fake one.

Safety warning

The single most reliable predictor of a scam is unsolicited contact about money — a DM, an email, a phone call, a message in a group — that arrives without you initiating it. If the contact is unsolicited and the topic is your crypto, you are being phished by default until you can prove otherwise through a separate verified channel.

Check your understanding

You DM the official Twitter account of a wallet provider asking for help with a stuck transaction. A 'support agent' replies within 30 seconds with a verification link. What does the rapid reply tell you?
