Operational Security: Identifying Common Scams

Operational security is critical when managing exchange accounts and private keys. Attackers constantly evolve techniques to exploit user error and haste. We must identify common vectors to protect our assets effectively.

Phishing and Domain Spoofing

Attackers often register domains that visually resemble legitimate exchanges. They replace letters with homoglyphs or use subtle misspellings to deceive the eye. If you enter credentials on these sites, the attacker captures them immediately. I recommend manually typing the exchange domain into your browser address bar every time. Avoid clicking links in emails or unsolicited messages.
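A small checker for the lookalike domains described above, added here as an example and not part of the original article. It folds the host to the ASCII string it visually resembles (Punycode decoded, accents stripped, a constructed subset of the Unicode TR39 confusables mapped to their Latin lookalikes) and compares it against a bookmarked allowlist; `example-exchange.com`, the confusable table and the sample URLs are all constructed for the demonstration, and the registrable-domain split is a simplification that ignores the public suffix list.

```python
import unicodedata
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed allowlist of registrable domains you typed in and bookmarked yourself (hypothetical name).
OFFICIAL_DOMAINS = {"example-exchange.com"}

# Constructed subset of the Unicode TR39 confusables; each key is folded to the ASCII glyph it mimics.
CONFUSABLE_CHARS = {
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic a e o p c
    "\u0455": "s", "\u0456": "i", "\u0458": "j", "\u0443": "y", "\u04bb": "h",  # Cyrillic s i j y h
    "\u0131": "i", "\u0269": "i", "\u01c0": "l",
}
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w"), ("cl", "d")]  # two glyphs that read as one


def hostname(url: str) -> str:
    """Extract the lowercased host and, for xn-- labels, decode the Punycode the address bar renders."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # host already contains Unicode; nothing to decode
    return host.lower()


def skeleton(host: str) -> str:
    """Fold a host to the ASCII string it visually resembles (TR39-style skeleton)."""
    s = unicodedata.normalize("NFKD", host)
    s = "".join(ch for ch in s if not unicodedata.combining(ch))  # drop accents: e + acute -> e
    s = "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in s)
    for pair, single in CONFUSABLE_PAIRS:
        s = s.replace(pair, single)
    return s


def classify(url: str, official=OFFICIAL_DOMAINS, threshold: float = 0.85) -> str:
    """Return 'official', 'lookalike' (homoglyph, typosquat, official name as a subdomain) or 'unknown'."""
    host = hostname(url)
    sk = skeleton(host)
    registrable = ".".join(sk.split(".")[-2:])  # simplification: no public-suffix list
    for good in official:
        if host == good or host.endswith("." + good):
            return "official"
    for good in official:
        good_sk = skeleton(good)
        if sk == good_sk or sk.endswith("." + good_sk):
            return "lookalike"  # identical once confusables are folded
        if sk.startswith(good_sk + "."):
            return "lookalike"  # official name parked as a subdomain of another domain
        if SequenceMatcher(None, registrable, good_sk).ratio() >= threshold:
            return "lookalike"  # one or two characters off: typosquat
    return "unknown"


if __name__ == "__main__":
    samples = [
        "https://example-exchange.com/login",
        "https://\u0435xample-exchange.com",  # Cyrillic 'е' in place of Latin 'e'
        "https://example-exchange.com.verify-login.net",
        "https://exampl-exchange.com",
        "https://docs.python.org",
    ]
    for u in samples:
        print(f"{classify(u):10} {u}")
```

The allowlist is the whole point: the checker is only as good as the domains you verified once and bookmarked, which is the same discipline as typing the address by hand.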

Impersonation of Support Channels

Fraudsters pose as customer support agents on Telegram, Discord, or email. They claim your account is frozen or requires urgent verification to induce panic. Legitimate support staff will never ask for your private keys, seed phrases, or two-factor authentication codes. If someone requests this data, the interaction is a scam. Terminate the conversation and report the user through official channels.

Malicious Airdrops and Drainer Contracts

You may notice unexpected tokens appearing in your wallet or exchange account. These are often bait to trigger a "drainer" smart contract. Attempting to move or sell these tokens prompts you to sign a malicious transaction. This signature authorizes the attacker to spend all approved tokens in your wallet. I treat unsolicited tokens as toxic waste and ignore them completely.

Verifying Smart Contract Source Code

Interacting with decentralized protocols requires caution. Always verify the contract address on a block explorer before approving any transactions. Check whether the source code is verified and whether the contract sits behind an upgradeable proxy whose implementation can be swapped out later. Unverified contracts, or contracts with unlimited minting capabilities, present significant risks. Assume that interacting with an unverified contract will result in a total loss of funds.

Authentication Protocol Failures

SMS-based two-factor authentication (2FA) is vulnerable to SIM-swapping attacks. An attacker can hijack your phone number to receive 2FA codes and bypass security. We prefer using Time-based One-Time Password (TOTP) applications or hardware security keys. These methods generate codes locally or require physical possession, making remote attacks significantly harder.

Pre-Transaction Verification Checklist

Execute this mental checklist before signing any transaction or entering credentials.

  • Confirm the URL matches the official exchange domain exactly.
  • Reject any request for your seed phrase or 2FA codes.
  • Verify the smart contract address on a block explorer.
  • Ensure the token approval amount is the minimum necessary.
  • Check that the recipient address is correct and not a blacklisted mixer.
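The drainer signature described in "Malicious Airdrops and Drainer Contracts" and the checklist item about minimal approval amounts come down to reading the calldata before signing. The following decoder, added as an example and not part of the article, pulls the spender and amount out of standard ERC-20/ERC-721 calls (`approve`, `increaseAllowance`, `setApprovalForAll`, `transfer`, `transferFrom`, identified by their well-known selectors) and rejects an unlimited allowance, an unverified spender or recipient, or an unrecognized function. The token, router and "drainer" addresses are constructed placeholders, and the trusted set is assumed to hold addresses you have already verified on a block explorer.

```python
from typing import Optional

UNLIMITED = (1 << 256) - 1  # the max uint256 allowance most drainer prompts request

# Standard ERC-20 / ERC-721 selectors: first 4 bytes of keccak256 of the function signature.
SELECTORS = {
    "095ea7b3": ("approve", ("address", "uint256")),
    "39509351": ("increaseAllowance", ("address", "uint256")),
    "a22cb465": ("setApprovalForAll", ("address", "bool")),
    "a9059cbb": ("transfer", ("address", "uint256")),
    "23b872dd": ("transferFrom", ("address", "address", "uint256")),
}


def decode_calldata(data_hex: str) -> dict:
    """Split calldata into its selector and 32-byte ABI words for the functions in SELECTORS."""
    raw = bytes.fromhex(data_hex[2:] if data_hex.startswith("0x") else data_hex)
    selector = raw[:4].hex()
    if selector not in SELECTORS:
        return {"function": None, "selector": "0x" + selector, "args": []}
    name, types = SELECTORS[selector]
    body = raw[4:]
    if len(body) < 32 * len(types):
        raise ValueError(f"calldata too short for {name}")
    args = []
    for i, typ in enumerate(types):
        word = body[32 * i:32 * (i + 1)]
        if typ == "address":
            args.append("0x" + word[12:].hex())  # address is right-aligned in the 32-byte word
        elif typ == "bool":
            args.append(int.from_bytes(word, "big") != 0)
        else:
            args.append(int.from_bytes(word, "big"))
    return {"function": name, "selector": "0x" + selector, "args": args}


def review(tx: dict, trusted: frozenset = frozenset(), intended_amount: Optional[int] = None):
    """Return ('ok' | 'reject', reasons) for a signing prompt. `trusted` holds lowercase addresses
    (DEX routers, your own wallets) that you have already verified on a block explorer."""
    reasons = []
    data = tx.get("data", "0x")
    call = decode_calldata(data)
    fn, args = call["function"], call["args"]
    if fn in ("approve", "increaseAllowance"):
        spender, amount = args
        if amount == UNLIMITED:
            reasons.append("unlimited allowance: spender could move the entire token balance")
        elif intended_amount is not None and amount > intended_amount:
            reasons.append(f"allowance {amount} exceeds the {intended_amount} this action needs")
        if spender not in trusted:
            reasons.append(f"spender {spender} is not a verified contract")
    elif fn == "setApprovalForAll":
        operator, approved = args
        if approved:
            reasons.append(f"operator {operator} would control every token in this collection")
    elif fn in ("transfer", "transferFrom"):
        recipient = args[-2]  # (to, amount) or (from, to, amount): recipient is second to last
        if recipient not in trusted:
            reasons.append(f"recipient {recipient} is not one of your verified addresses")
    elif fn is None and data not in ("0x", ""):
        reasons.append(f"unrecognized selector {call['selector']}: decode it on a block explorer first")
    return ("reject" if reasons else "ok", reasons)


# Helpers to ABI-encode the constructed samples below.
def _word_addr(addr: str) -> str:
    return addr[2:].lower().rjust(64, "0")


def _word_uint(n: int) -> str:
    return format(n, "064x")


# Constructed placeholder addresses; 0x1111... stands in for an unknown drainer contract.
TOKEN = "0x3333333333333333333333333333333333333333"
VERIFIED_ROUTER = "0x2222222222222222222222222222222222222222"
DRAINER = "0x1111111111111111111111111111111111111111"

DRAINER_APPROVE = {"to": TOKEN, "data": "0x095ea7b3" + _word_addr(DRAINER) + _word_uint(UNLIMITED)}
BOUNDED_APPROVE = {"to": TOKEN, "data": "0x095ea7b3" + _word_addr(VERIFIED_ROUTER) + _word_uint(250 * 10**18)}

if __name__ == "__main__":
    for label, tx in (("drainer-style", DRAINER_APPROVE), ("bounded", BOUNDED_APPROVE)):
        verdict, why = review(tx, trusted=frozenset({VERIFIED_ROUTER}), intended_amount=250 * 10**18)
        print(label, verdict, why)
```

The bounded approval passes because its spender is on the verified list and its amount matches the trade; the drainer-style prompt fails on both counts, which is what the wallet's raw hex hides unless you decode it.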

Review your connected wallets and exchange API keys immediately. Revoke permissions for any applications or smart contracts you no longer use.
