What scams should I watch out for?
How to spot different types of phishing scams, ways to prevent malicious actors and hackers from getting access to your wallet, and some common signs of scams.
One of the biggest threats in crypto is getting tricked into giving your private keys or 12-word secret recovery phrase to a scammer.
In this article:
- What is a phishing scam?
- How can I identify a scam?
- Watch out for spoofs of legitimate websites
- Watch out for malicious wallets and apps
- Spear phishing via your information that has been leaked
- Hallmarks of a scam
- What are some common scams?
- Don't trust others to set up your wallet
- Don't allow anyone remote access to your device
- Your Exodus wallet has not been linked to Binance
- Ethereum Merge scam
- Recovery scams
- Exodus imposters
- Don't validate your wallet!
- Be careful when sending crypto using QR codes
- Don't import TRON 12-word phrases or private keys!
- Unrecognized transactions with zero value (address poisoning)
- Investment scams
- Dust attacks
- How can I protect myself from scammers?
- Other resources
What is a phishing scam?
A phishing scam is a fraudulent method of impersonating famous people or pretending to be from reputable companies to convince people to reveal personal information. In a sense, the thieves are 'fishing' for your information, hoping you will bite.
They typically send fake emails, create fake websites, and make sham social posts to get your 12-word secret recovery phrases, private keys, or other personal information to steal your money.
Phishing scams are ubiquitous and not unique to crypto. However, scammers are very active in this space. If you hold your funds in a self-custody wallet like Exodus, you control your assets. If scammers can convince you to reveal your private keys or 12-word phrase, they will have full access to your funds.
Once someone has stolen crypto from your wallet, it’s not possible for anyone to reverse the transaction. Immutability, or the inability to cancel or reverse transactions, is one of the core features of blockchain technology.
So what can you do? Prevention is key. With the power of controlling your own assets comes the added responsibility of protecting those assets. Let’s dig deeper into how to recognize the common tactics that scammers use and how to protect yourself against scams.
How can I identify a scam?
There are too many scams to name them all, so below are some tips to help you identify scams. If you're not sure, you're always welcome to contact Exodus Support.
Watch out for spoofs of legitimate websites
Spoofing is when a malicious website is disguised as a known, trusted platform. Spoofed websites might look nearly identical to an official website, but if you look closely, you will spot minor differences. For instance, scammers will use a domain address that looks very closely related to the real site. They might change one letter of the company name or use different domain extensions such as .biz, .info, etc.
Spoofed websites often succeed because scammers purchase advertising space on search engines. This allows their advertising links to appear higher in the search results, which leads people to think they are legitimate. As such, try to avoid clicking on ad links when searching for a website. While some ads will bring you to the correct websites, it’s a good security practice to click only on the search engine results and check that the address begins with https:// and that the URL is spelled correctly, so you know your link is secure.
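The checks described above can be automated. The following Python example is an addition to this article, not Exodus code; the one-entry allowlist, the verdict names and the sample URLs (on the reserved .example domain) are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: a one-entry allowlist for illustration. Fill it from the
# vendor's own published list of official domains.
OFFICIAL_DOMAINS = {"exodus.com"}

# Constructed sample links; none of them is taken from a real campaign.
CONSTRUCTED_SAMPLES = [
    "https://www.exodus.com/download",
    "https://exodus.example/",
    "https://exodus.com.login.example/",
    "https://exodvs.example/",
    "https://ex\u043edus.com/",  # Cyrillic letter in place of the Latin "o"
    "http://exodus.com/",
]


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url):
    """Return a verdict string for the host part of `url`."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "invalid"
    if parts.scheme != "https":
        return "not-https"
    labels = host.split(".")
    # Non-ASCII letters or punycode labels can render like Latin ones.
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        return "lookalike-characters"
    # Exact domain or a true subdomain of it. The match is anchored at the
    # end of the host, so "exodus.com.login.example" does not pass.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official"
    for domain in OFFICIAL_DOMAINS:
        brand = domain.split(".")[0]
        for label in labels:
            if brand in label:
                # Right name, wrong extension or wrong parent domain.
                return "brand-on-other-domain"
            if edit_distance(label, brand) == 1:
                # One letter changed, added or dropped.
                return "near-miss-spelling"
    return "unrecognized"


if __name__ == "__main__":
    for sample in CONSTRUCTED_SAMPLES:
        print(f"{classify_url(sample):24} {sample}")
```

Only the "official" verdict means the host is on the allowlist; every other verdict means the link should not be trusted with wallet information.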
Want to be sure you are on the correct Exodus website? We have an article in our Knowledge Base that summarizes all the official domains of Exodus:
Aside from search engines, be very careful on social media as well! Scammers often set up accounts on popular social media applications such as Twitter, Reddit, Facebook, TikTok, Telegram, Instagram, Discord, and other social media platforms and wait for vulnerable users to prey on.
Scammers will initially offer you some good advice to trick you into believing they are legitimate. Once they win your trust, they’ll direct you to a fake website asking for your private information. They will use official-sounding terms like “validate your wallet” and “verify your info.”
Watch out for malicious wallets and apps
While Apple and Google are really good at screening their app stores, fake and malicious apps can still sometimes get through. When scammers get fake versions in official stores, they use screenshots and pictures from the real app, as well as fake reviews, to make their wallets look legitimate.
Checking to make sure your app is authentic is key to protecting your funds. We go into this information in depth in this article here:
If you are more technical, you can compute a checksum of your download, compare it against the published release hashes, and verify that the download is signed. You can also turn on auto-update in your mobile phone settings or in the desktop app.
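As an added example (not Exodus code), this is one way to compare a download against a list of release hashes in Python. It assumes the list uses the common `sha256sum` layout of one hash and file name per line; checking the signature on the list itself is a separate step, and any file names you pass in are your own.

```python
import hashlib
import hmac
from pathlib import Path

HEX_DIGITS = set("0123456789abcdef")


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large installers do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_hash_listing(text):
    """Parse '<64 hex chars>  <file name>' lines into {file name: hash}.

    Assumption: sha256sum layout, where a leading '*' on the name marks
    binary mode. Lines that do not fit the layout are skipped.
    """
    listing = {}
    for line in text.splitlines():
        fields = line.split(None, 1)
        if len(fields) != 2:
            continue
        digest = fields[0].lower()
        name = fields[1].strip().lstrip("*")
        if len(digest) == 64 and set(digest) <= HEX_DIGITS:
            listing[name] = digest
    return listing


def verify_download(path, listing_text):
    """Return 'ok', 'mismatch', or 'not-listed' for the file at `path`."""
    expected = parse_hash_listing(listing_text).get(Path(path).name)
    if expected is None:
        # A file the release list does not name is not covered by the list.
        return "not-listed"
    actual = sha256_file(path)
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"
```

Treat both "mismatch" and "not-listed" as a reason not to install the file.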
Exodus Mobile is offered on Apple devices running iOS 12 or higher and Android devices running Android 8.0 Oreo or higher. We offer no other way to download Exodus apart from using the Google Play Store for Android, App Store for iOS, or the direct download links on our website.
Spear phishing via your information that has been leaked
Some scammers use personal information leaked from data breaches to launch targeted attacks. This is called spear phishing. If your email address has been involved in a data breach, then you could be at risk.
A great example of this is the Ledger data leak. As Ledger is a crypto company, the people on the breached email database were likely to have crypto. Knowing this, scammers targeted campaigns to the leaked email addresses. They sent information from spoofed email addresses directing users to “validate” their wallets on malicious sites or apps.
Knowing if your email address has been compromised and being aware that scammers might contact you via email will keep you on alert. We recommend that you check here to see if your email address has been leaked:
haveibeenpwned.com is a third-party platform that is not affiliated with Exodus. As such, Exodus cannot guarantee the performance of its products/services or that the steps shown and the information provided will always be accurate.
Hallmarks of a scam
Be on the lookout for celebrity giveaways, time crunches, and double-back promises. While these are not phishing, they are worth noting while we are talking about scams. Elon Musk, Vitalik Buterin, and Changpeng Zhao (CZ) don’t give away crypto. Adding a famous name to a “promotion” is a way to trick you into a false sense of security.
Many scam websites push a very tight time limit or “limited space” so you’ll be rushed to send funds quickly. This is often done on YouTube live streams that have comments disabled. The focus is put on getting double the amount back to make you concentrate on the reward. If it ever sounds too good to be true, especially with crypto, it almost certainly is.
What are some common scams?
Be on the lookout for these common scams, and don't fall for them!
Don't trust others to help set up your wallet
Some scammers will offer to help you set up your Exodus wallet (or another crypto wallet), or they claim that they can assist with an issue you are having with the wallet.
These scammers will pretend to help you, try to confuse you, and take advantage of the situation to gain access to your 12-word secret recovery phrase and steal your funds. Some will even pretend to be Exodus Support.
It is important never to share information like your secret 12-word recovery phrase or private keys with anyone, not even with Exodus Support.
For example, a scammer could try to confuse you by remotely accessing your device and then change which fiat currency the value of your crypto is shown in, so it looks like you have a different amount of funds.
If you are ever concerned about the value of your crypto or the amount you hold, you can always check your balance using a blockchain explorer: Why should I use a block explorer?
Remember that you should never share your secret 12-word recovery phrase or private keys with anyone, including Exodus. Exodus Support will never ask for sensitive information, including 12-word phrases, private keys, or passwords.
If you ever have an issue with your wallet, or if you need help setting it up, then make sure you contact the official Exodus support team: How do I contact Exodus Support?
Don't allow anyone remote access to your device
Never allow anyone remote access to your device for any reason. This is a common method scammers use when they try to steal funds and wallet information.
Some scammers might offer help or pretend to be a support agent, then ask you to download software to allow them to remotely access your device so they can help you.
Don't do it. Never allow anyone to get remote access to your device.
Once a scammer gets access to your device, they might attempt to steal your information, steal your funds, install malware, or make unauthorized transactions.
Exodus Support will never ask to access your device remotely.
If you ever have an issue with your wallet, or if you need help when you're setting it up, then make sure you contact the official Exodus support team: How do I contact Exodus Support?
Your Exodus wallet has not been linked to Binance
You may have received an email that your Exodus wallet has been linked to Binance or another crypto platform.
This is a scam. It's not possible for your Exodus wallet to be linked to any other platform. The scammer wants you to provide your 12-word secret recovery phrase so they can steal your funds.
Exodus Support will never ask for your 12-word phrase or your private keys.
Ethereum Merge scam
This is a scam where a scammer sends an email claiming to be from Exodus that tells customers that they need to merge their assets.
This is untrue. There was no need to take any action after The Merge, and there is no need to merge any assets. You can read more about The Merge here: Ethereum: The Merge FAQs.
In this scam, customers are directed to a malicious link. If you receive an email like this, the best thing to do is nothing. Don't click on any links, and don't provide any information to the scammer. Your assets are 100% safe.
Exodus announces wallet issues through in-app messages or the status page.
If you have any doubts about the validity of an email, or any questions at all, you can always contact Exodus support for confirmation.
Recovery scams
Recovery scams are schemes that pretend to help people recover lost or stolen funds. These scams often involve individuals or groups who claim to have special expertise or resources that can help recover lost funds. In reality, they are trying to steal more funds from people who may already be victims of scams.
Recovery scams take a variety of forms, such as phishing scams, fake recovery websites, or impersonation scams, and they may target victims who have lost funds through scams or hacks, or who are simply looking for a way to recover funds that they believe were lost due to a mistake or oversight.
It is important to be cautious when seeking help to recover lost funds, as genuine recovery services are rare. Scammers often use convincing tactics to trick people into believing their ability to help is legitimate.
Because of the way blockchain technology works, it is very difficult to recover crypto once it is lost or stolen.
Exodus imposters
Scammers will pose as Exodus and will sometimes contact users with spoofed emails to trick users in an attempt to steal their funds. It is a method commonly used by scammers performing spear phishing attacks.
Some of these Exodus imposters might falsely claim that there has been a data breach, that action is needed to protect or claim your funds, or that other urgent actions must be taken. These are tell-tale signs that the email did not come from Exodus.
Exodus is a non-custodial wallet. You will never be asked to validate your wallet, and Exodus will never ask for your private keys or your 12-word secret recovery phrase.
Don't validate your wallet!
If you are ever asked to enter your 12-word secret phrase or private keys into a form, send them to a support agent to validate your wallet, or prove the wallet belongs to you, don't do it!
No legitimate support team will ever ask for 12-word secret recovery phrases, private keys, or passwords.
The only reason anyone would ask for this information is to steal your money.
Be careful when sending crypto using QR codes
If you're asked to send a small amount of crypto to verify your wallet address by scanning a QR code, don't do it!
When the scammer's QR code is scanned, it overwrites the amount that you enter and pre-fills it with an amount set by the scammer. This amount is usually much higher than what you expect to send.
The scammer hopes you won't check the amount before sending the transaction. If you confirm the transaction, then you'll send much more crypto than you expect. And because crypto transactions are irreversible, there will be no way to get your money back.
So if you ever send funds by scanning a QR code, always check the amount of crypto before you hit send.
Never send funds to anyone asking you to confirm your wallet details. Exodus is a self-custody wallet, so Exodus will never ask you to verify or validate your wallet.
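To show where the pre-filled amount comes from, here is an added example (not Exodus code) that assumes the QR code decodes to a BIP21-style payment URI of the form bitcoin:<address>?amount=<value>. It compares the amount embedded in the code with the amount you meant to send; the address, payload and function names are constructed for illustration.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs, urlsplit

# Constructed payload, as a QR scanner would hand it to a wallet.
# The address is a placeholder, not a real one.
CONSTRUCTED_ADDRESS = "bc1qconstructedexampleaddress"
CONSTRUCTED_QR_PAYLOAD = "bitcoin:" + CONSTRUCTED_ADDRESS + "?amount=1.5&label=verify"


def parse_payment_uri(uri):
    """Split a BIP21-style URI into (asset, address, amount or None)."""
    parts = urlsplit(uri)
    if not parts.scheme or not parts.path:
        raise ValueError("not a payment URI")
    amounts = parse_qs(parts.query, keep_blank_values=True).get("amount", [])
    if len(amounts) > 1:
        # Two amounts leave it to the wallet which one wins, so reject.
        raise ValueError("amount given more than once")
    amount = None
    if amounts:
        try:
            amount = Decimal(amounts[0])
        except InvalidOperation:
            raise ValueError("amount is not a decimal number")
        if not amount.is_finite() or amount < 0:
            raise ValueError("amount is out of range")
    return parts.scheme, parts.path, amount


def review_scan(uri, intended_amount):
    """Compare the amount carried in the QR payload with the intended one."""
    asset, address, embedded = parse_payment_uri(uri)
    intended = Decimal(str(intended_amount))
    if embedded is None:
        verdict = "no-amount-in-qr"      # the amount you type is the one used
    elif embedded == intended:
        verdict = "amount-matches"
    else:
        verdict = "amount-overridden"    # the code carries its own amount
    return {"asset": asset, "address": address,
            "qr_amount": embedded, "verdict": verdict}


if __name__ == "__main__":
    # The user means to send a small "verification" amount of 0.0001.
    print(review_scan(CONSTRUCTED_QR_PAYLOAD, "0.0001"))
```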
Don't import TRON 12-word phrases or private keys!
This is a scam to steal your TRX.
Scammers will contact you and provide you with a TRON wallet 12-word secret recovery phrase and/or private key and ask you to recover their funds for them.
There will be funds in the wallet, usually TRON USDT, but there's no TRX to pay for the transaction fees. So you might send a little TRX to the wallet to send out the USDT.
What you don't know is that you've restored a multi-sig TRON wallet. Multi-sig wallets require more than one private key to access funds. Without all the necessary private keys (signatures), you won't be able to withdraw the funds.
This leaves the TRX in the wallet for the scammers, and you won’t have the necessary permissions to access the TRON or any TRON tokens in the wallet. Often these wallets are equipped with bots that send your TRX to another wallet as soon as it's received.
Never send funds to a wallet where the permissions for the TRON wallet have been changed. If you wish to delete your current wallet and create a new Exodus wallet, please visit: How do I delete my wallet and start over?
If you’ve restored a multi-sig TRON wallet in Exodus, you will see a warning, as shown in the examples below, and you will be unable to send or receive TRON and TRON tokens.
Unrecognized transactions with zero value (address poisoning)
If you see zero-value transactions that you don't recognize in your wallet, you may have been targeted by scammers. Transactions like these are known as address poisoning.
Scammers try to steal your assets by tricking you into sending them to the wrong address. They hope you’re not paying attention or are in a hurry, so rather than double-checking that you have the correct address, you’ll send your crypto to the scam address because it shows up as a recent transaction in your wallet.
Although this scam may not seem as dangerous as others, it can still trick you into sending your assets to a scammer's address. So let's take a closer look at how this scam works.
Scammers create a fake address that looks similar to a real one you use. Then they send a small transaction to your address or create a fake transaction that looks like it's from you.
The scammer hopes you will mistakenly send your assets to the fake address from your transaction history, instead of the correct address.
Here at Exodus, we do everything we can to keep you safe. We've added a feature that hides zero-value transactions on all supported EVM networks.
If you're using another wallet, always double-check the address you're sending assets to. Make sure each letter and number matches the trusted address, so you can be sure you're sending it to the right person.
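The comparison above can be done in code. This added Python example (not part of Exodus) treats an address as a lookalike when it has the same length as a trusted address and shares its first and last characters but differs in between; the four-character threshold, the addresses and the transaction records are constructed for illustration.

```python
# Constructed 0x-style addresses: same first six and last four characters.
TRUSTED = "0xa1b2c3d400001111222233334444555566667777"
LOOKALIKE = "0xa1b2c3ff9999aaaabbbbccccddddeeee00007777"
ADDRESS_BOOK = {"exchange deposit": TRUSTED}
HISTORY = [
    {"id": "tx-1", "counterparty": TRUSTED, "value": 25},
    {"id": "tx-2", "counterparty": LOOKALIKE, "value": 0},
    {"id": "tx-3", "counterparty": "0x" + "9" * 40, "value": 3},
]


def normalize(address):
    """Trim whitespace; lower-case 0x hex addresses, where letter case
    only carries a checksum. Other formats are case-sensitive."""
    a = address.strip()
    return a.lower() if a[:2].lower() == "0x" else a


def shared_edges(a, b):
    """Count the leading and trailing characters two strings share."""
    prefix = 0
    for x, y in zip(a, b):
        if x != y:
            break
        prefix += 1
    suffix = 0
    for x, y in zip(reversed(a), reversed(b)):
        if x != y:
            break
        suffix += 1
    return prefix, suffix


def classify_address(candidate, trusted, edge=4):
    """Return 'match', 'lookalike', or 'different'."""
    c, t = normalize(candidate), normalize(trusted)
    if c == t:
        return "match"
    # Skip the fixed "0x" so it does not count as shared prefix.
    skip = 2 if c.startswith("0x") and t.startswith("0x") else 0
    prefix, suffix = shared_edges(c[skip:], t[skip:])
    if len(c) == len(t) and prefix >= edge and suffix >= edge:
        return "lookalike"
    return "different"


def review_history(history, address_book, edge=4):
    """List history entries whose counterparty imitates a trusted address."""
    findings = []
    for tx in history:
        for name, trusted in address_book.items():
            if classify_address(tx["counterparty"], trusted, edge) == "lookalike":
                findings.append({"tx": tx["id"], "imitates": name,
                                 "zero_value": tx["value"] == 0})
    return findings


if __name__ == "__main__":
    print(review_history(HISTORY, ADDRESS_BOOK))
```

Before sending, only a "match" verdict on the full address is good enough; a flagged history entry should never be used as the source of an address.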
Investment scams
There are many different types of investment scams in traditional finance and in crypto. These scams often involve tricking people into believing they will earn a high rate of return on their investment when in reality, the investment is either worthless or does not exist. Investment scams can take many forms, including Ponzi schemes, pyramid schemes, and fake investment opportunities.
Ponzi schemes involve paying returns to earlier investors using the investments of newer investors rather than using any actual profits from investments. This creates the appearance of a successful investment. Eventually, the scheme collapses when there are not enough new investors to support the returns promised to earlier investors.
Pyramid schemes are similar to Ponzi schemes, but they involve recruiting new members to join the scheme rather than relying on investment funds. Each new member is required to pay a fee to join, and in return, they are promised a share of the profits generated by the members they recruit. Like Ponzi schemes, pyramid schemes eventually collapse when there are not enough new members to sustain the returns promised to earlier members.
Fake investment opportunities involve offering fake or worthless investments to people and may include things like buying into a fake company or investing in a non-existent product.
Investment scams can be difficult to spot, as scammers often use sophisticated tactics to create a sense of urgency or to create the impression that the investment is legitimate.
It is important to be wary of any investment opportunity that seems too good to be true and to do research and due diligence before investing. It is also a good idea to seek the advice of a financial professional or to check with regulatory agencies to verify the legitimacy of an investment opportunity. One way to spot scams that others have fallen victim to in the past is by simply searching the name of the company or proposed investment with the word "scam."
Investment scams can be difficult to spot, but there are several red flags that may indicate that an investment opportunity is a scam:
- Guaranteed high returns. Be wary of any investment opportunity that promises guaranteed high returns, as most legitimate investments carry some level of risk.
- Pressure to invest quickly. Scammers may try to create a sense of urgency to pressure you into investing before you have a chance to fully research the opportunity.
- Unsolicited offers. Be cautious of unsolicited investment opportunities, especially if they come from someone you do not know or have not done business with before.
- Lack of transparency. A legitimate investment opportunity should provide clear and detailed information about the investment, including how the funds will be used and the potential risks and rewards. If an investment opportunity is vague or does not provide this information, it may be a scam.
- Requiring upfront fees. Be cautious of any investment opportunity that requires upfront fees or requires you to transfer money to an individual or company you do not know.
- Unregistered investment products or advisers. Check with your country's regulatory agencies to ensure that the investment product and the adviser offering it are registered and legitimate.
Dust attacks
Dust attacks involve an attacker sending very small amounts of crypto to multiple crypto addresses. The low value being sent can make them easy to miss. With dust attacks, the attacker's goal is typically one of two things:
- For account-based assets, the dust transaction might include malicious links leading to malware, phishing sites, or advertisements in the transaction details.
- For UTXO-based assets, an attacker might send dust to an address to try and reveal the other addresses the owner has by analyzing the movement of the dust.
To learn more about how to protect your funds if you’ve received a dust attack, please visit: What is a dust attack and how do I deal with it?
How can I protect myself from scammers?
Protect your private information
The easiest way to protect yourself from being phished is to know what information is for your eyes only. Your 12-word secret recovery phrase and your private keys should not be shared with anyone. There is no legitimate reason why anyone, including crypto support staff, would need this information. The only reason someone would ask you for this information is to steal your funds.
Never enter your private keys or 12-word phrase into any website. For more information on this, you can check out this article:
Remember, as a non-custodial wallet, Exodus does not collect any customer information. Our staff will never ask you to verify your wallet. They will never ask you for your 12-word phrase or private keys. Should you ever receive this type of email or direct message (DM), please ignore the contents and do not click on any links.
For more information about this, you can read these articles:
- What information does Exodus have access to?
- I received an email from Exodus, asking me to provide my 12-word phrase/password
How to contact Exodus Support
Remember there is no signup necessary or traditional account login with Exodus. This means Exodus doesn’t have your email address unless you sign up for our newsletter. We will only contact you directly via email as a reply to an inquiry you’ve already sent to us.
If you need to reach out to Exodus Support, please do so through our official channels. While we do have staff on the major social media channels, our staff will never DM you. If someone is DMing you on a social media platform, they are likely a scammer. Our social media team will only post public replies. Please see the following for more information on how to get in touch with us:
Other resources
If you are interested in reading more about how to keep yourself and your crypto safe, you can visit these resources:
- How do I keep my money safe?
- The Importance of a Good Password
- Security Tips for Crypto Newbies
- List of Security Practices
- What are the risks of using DeFi?
- How do I claim my forked coins?
- Comprehensive Guide to Cryptocurrency Scams and Frauds
- YouTube video by Andreas Antonopoulos on how to protect yourself against leaked information
The following resources are not affiliated with Exodus. As such, Exodus cannot guarantee that the steps shown and the information provided will always be accurate.