Skip to main content
Don't invest unless you're prepared to lose all the money you invest. This is a high-risk investment, and you should not expect to be protected if something goes wrong. Take 2 min to learn more.

How to Spot and Avoid Crypto Scams

A field guide to the crypto scams you will actually meet, and the few habits that shut them down.

beginner7 min readDan Clarke
Hero image for how-to-avoid-crypto-scams

TL;DR

  • No one legitimate ever needs your seed phrase or private key; anyone who asks is robbing you.
  • No one doubles your money. Send 1, get 2 back is a scam in every language.
  • Check the web address letter by letter, and read every transaction before you sign it.
  • Slow-built investment tips from new online friends are the costliest trap; the FBI logged over $4 billion in 2023.
  • This is a how-to, not financial advice.

Most crypto scams are preventable, almost all of them in fact. They look clever from the outside, but up close they reuse the same five or six moves, and once you can name the move you stop falling for it.

Banxa has run fiat-to-crypto payments since 2014, so we have watched a lot of people get caught, nearly always in the same handful of ways, and a lot of the trouble clusters around a crypto exchange, where beginners gather. This is a field guide to those ways: a how-to, not financial advice, and not a promise you will never slip. Read it once and most of the tricks lose their bite.

No one legitimate asks for your seed phrase

Start here, because this one rule stops most theft outright. Your seed phrase is the 12 or 24 words that restore your crypto wallet, and your private key is the maths underneath it. Whoever holds either one owns the coins, not borrows them, owns them.

So the line is short: no real company, network, wallet or support agent ever asks for those words, not to verify you, not to sync your wallet, not to fix a stuck transaction. A platform that already did your KYC knows who you are and never needs your phrase to prove it.

The classic version lands in your inbox: in 2020 the hardware-wallet maker Ledger had a customer database stolen, and names, emails and home addresses leaked. What followed was years of phishing: fake Ledger Support mails telling people to re-enter their recovery words on a cloned site, plus extortion letters that named real addresses. The breach was one event, the scams off the back of it ran for years.

This bites hardest in self-custody, where you run your own non-custodial wallet and no support desk can reverse a slip. More control, more rope. The habit that protects you is dull: type the phrase nowhere, photograph it nowhere, and if a website box wants 12 words, close the tab, every time.

Impersonation: fake support and fake giveaways

Two scams share one engine: someone you trust appears to be talking to you. They are not.

Fake support is the everyday one: post a question in a public reply or a Telegram group and within minutes a friendly support agent slides into your DMs. Real firms do the reverse, and Ledger and MetaMask both say in plain words that staff never message first and never ask for your recovery phrase, so an account that DMs you first is the red flag, not the rescue.

Fake giveaways go louder. On 15 July 2020 attackers seized verified Twitter accounts belonging to Barack Obama, Elon Musk, Joe Biden and Apple, and posted the same pitch from all of them: send bitcoin to this address, get double back. From the most trusted accounts on the internet. It ran for a few hours and pulled in roughly $118,000 before it was shut down.

The maths never changes: send 1 ETH, get 2 back is not generosity, it is a one-way door. No person and no company doubles your money for the favour of holding it.

Romance and investment scams that take months

This is the patient one, and the most expensive. It carries an ugly nickname: pig butchering, after the idea of fattening the animal before slaughter.

It opens soft, with a wrong-number text, a warm chat, a new friend or romance built over weeks and no mention of money early on. Then your new friend lets slip that they trade, that they are doing well, that they would love to help you in. The app they show you looks real, and your balance even climbs, but it is a stage set, and the withdraw button is the trapdoor.

The figures are not small: the FBI logged more than $4 billion in crypto investment-scam losses for 2023, most of it this exact pattern. When you try to take money out there is always a snag: a fee, a deposit, some invented charge you must pay first to release your own funds, and that charge is the final squeeze. The tell is structural, not emotional, so anyone you met online who ends up steering you onto a trading app is running the play, however kind they seem.

Fake apps and copycat websites

Scammers do not always come to you, sometimes you walk to them, through a search ad or an app store.

Typosquatting is the old reliable: a cloned site sits on a near-identical web address, a zero swapped for an O, an extra letter, a different ending. You log in, you hand over your details, the site keeps them. Read the address letter by letter before you type a thing, all of it, not just the first word.

App stores are not clean either: fake wallet apps have repeatedly slipped past review on both the Apple App Store and Google Play, dressed up as Trezor, MetaMask and others, harvesting seed phrases from anyone who restores a wallet inside them. Install wallet software from the maker's own site or its verified store listing, check the developer name against the real one, and treat a five-star app with nine reviews as the warning it is.

Rug pulls and one-click wallet drainers

Some scams are the coin itself: a team launches a token, hypes it hard, watches money pour into the liquidity pool, then drains that pool and disappears, and that is a rug pull.

The textbook case is the Squid Game token in November 2021. It rode the show's fame, the price shot up fast, then it collapsed to zero in minutes as the developers walked off with around $3 million. Holders could not even sell on the way down, because the code had blocked them from selling at all.

Wallet drainers are quieter and meaner: you connect your wallet to a slick-looking site and approve a transaction, thinking you are claiming an airdrop or minting an NFT. What you actually signed was permission for a stranger's contract to move your tokens out. One approval, wallet emptied.

Two habits shrink this risk: keep the bulk of your coins in cold storage, an offline device that signs nothing while it sits in a drawer, and leave only a small float in a connected hot wallet. And read what you sign, because your wallet shows the contract and the permissions before you confirm, so slow down and look. A checker like Etherscan's token-approval page lets you find old approvals and cancel them.

The rules that hold up

None of these scams are new, and none of them are finished. The moves that emptied wallets in 2020 still work in 2026 because they target people, not code, so a short checklist beats a long worry.

  1. No one legitimate ever needs your seed phrase or private key, and anyone who asks is robbing you.

  2. Nobody doubles your money, and send some, get more back is a scam in every language.

  3. Check the web address letter by letter, then check it once more before you log in.

  4. Read every transaction before you sign it, and cancel approvals you no longer use.

  5. If it is urgent and the upside is enormous, that pressure is the product, so slow down and it falls apart.

None of this takes technical skill, just a flat refusal to be rushed and the dull discipline of checking before you click. Scammers count on you being too excited or too embarrassed to look twice. Disappoint them.

Frequently Asked Questions

No. A wallet address is like an account number for receiving, and you can hand it out freely. What a thief needs is your seed phrase or private key, and those you never share. If anyone claims they need more than your address to send you coins, they are setting up a theft.

Almost never. Ledger and MetaMask both state plainly that their staff do not message you first. Real support waits for you to open a ticket on the official site. Treat any account that slides into your DMs offering help as a scam until you have proven otherwise, and never paste your recovery words to anyone.

Read the web address letter by letter before you log in, watching for a swapped character like a zero for an O or an extra word bolted on the end. Reach sites through a bookmark you saved yourself, not a search ad or a link in a DM. If the page asks for your seed phrase, it is fake, full stop.

A slow scam where someone builds a friendship or romance over weeks, then steers you onto a fake trading app where your balance appears to grow. You can deposit but never withdraw. The FBI tied more than $4 billion of 2023 losses to this pattern, so it is far from rare.

Move fast. Open a token-approval checker such as Etherscan's, revoke the permission you granted, then move any remaining coins to a fresh wallet the bad contract cannot touch. An approval keeps working until you cancel it, so revoking is the step that stops the bleeding.

They cut a lot of risk by keeping your keys offline in cold storage, but they do not stop you typing your recovery phrase into a fake site or signing a malicious approval. The device guards the keys. You still have to guard the decisions.

By Dan ClarkeLast updated: 14 July 2026