Table of contents

• Quick checklist
• Before you install: baseline setup
• Daily habits and transaction hygiene
• Token approvals: audit and revoke
• Mobile vs browser extension: practical differences
• Hardware wallets & account abstraction (advanced)
• Phishing, malicious dApps & address poisoning
• Immediate steps if you suspect a compromise
• FAQ — short answers to common questions
• Conclusion & next steps

---

MetaMask Security Checklist: Prevent Hacks & Phishing

This checklist collects hands-on best practices for securing a MetaMask software wallet (hot wallet) when you use DeFi, swap tokens, interact with dApps, or manage NFTs. I use MetaMask daily and have tested approvals, swaps, and revocations across mainnet and L2s (so these are practical, battle-tested items). Some are quick fixes. Some are habits that prevent costly mistakes.

Quick checklist

• Install from the official store and verify the extension/app source. (See installation steps: browser extension | mobile).
• Back up your seed phrase offline. Never type it into a website or store it unencrypted in cloud storage. See seed phrase backup & recovery.
• Enable a PIN/biometric lock on mobile. Biometric protection reduces casual access.
• Limit token allowances. Revoke unused approvals regularly (how to: revoke guide).
• Test dApps with a small transaction first. Small test amounts reveal malicious behavior without large loss.
• Use a hardware wallet for large balances (integrates with MetaMask: hardware wallet integration).

And keep this checklist near your setup notes.

---

Before you install: baseline setup

Why start here? Initial setup errors are a common vector for loss. Short answer: attention at install saves pain later.

• Source verification: install the extension or app from the official store page. Check the exact publisher string and reviews. If anything looks off, pause.
• Local key storage: MetaMask stores private keys locally, encrypted with your password. That means the security of your browser or phone matters.
• Seed phrase practices: write your seed phrase on paper or a metal backup. Store copies in separate, secure locations. Do not store the seed phrase in email, notes apps, or cloud backups unless you understand the encryption trade-offs (and personally, I avoid cloud backups for primary accounts).

For step-by-step install and onboarding see install the browser extension or mobile app setup.

---

Daily habits and transaction hygiene

Is it safe to keep crypto in a hot wallet? The honest answer: hot wallets are convenient for active DeFi use but are higher risk than cold storage. If you use a hot wallet for daily swaps or staking, keep only the working balance on it; move large holdings to a hardware wallet.

Practical habits:

• Check the URL and site domain before connecting. Phishing sites often mimic dApp interfaces.
• Preview transactions. Look at gas fees, the recipient address, and the called function (approve, transferFrom, etc.).
• Avoid approving "infinite" token allowances when a dApp requests them. Many dApps default to unlimited allowances; change that when you can.
• Test with small amounts. If a new dApp or bridge looks legitimate, send a small test swap first.
• Lock MetaMask when idle and use different browser profiles for high-risk browsing.

But don't let convenience win every time; a single careless approval can cost real funds.

---

Token approvals: audit and revoke

Token allowances are one of the largest attack surfaces. Approving a contract lets it move your tokens — sometimes indefinitely. Regular audits reduce long-term exposure.

How to revoke token approvals MetaMask (summary):

1. Use a token-approval auditor (connect your MetaMask wallet in read-only mode).
2. Review the list of spenders and allowances. Focus on large or unlimited approvals.
3. For risky approvals, issue a revoke transaction (this is an on-chain action that costs gas).
4. Verify the revoke on a block explorer.

I recommend performing revocations on an L2 or testnet where gas is cheap, if the allowance exists there, to practice. For a detailed walkthrough see token allowances and revoke and the step-by-step page how to revoke approvals.

Task	Where to do it	Notes
Audit approvals	Approval-audit tool (connect with MetaMask)	Connection is read-only; revokes will require transaction signing.
Revoke approval	On-chain transaction	Costs gas; consider batching on L2.

---

Mobile vs browser extension: practical differences

Short comparison and what to use when.

• Mobile: convenient for daily swaps, built-in dApp browser, supports biometric lock (biometric lock MetaMask). Mobile stores keys in OS secure storage (Keychain/Keystore) and can auto-lock.
• Browser extension: better for developer tools, multiple accounts, and desktop dApp workflows. Extensions are dependent on your browser security.

Use mobile when you're on the go. Use the extension for deeper contract interactions or multi-account management. If you carry large balances, pair MetaMask with a hardware wallet (see: hardware wallet integration).

---

Hardware wallets & account abstraction (advanced)

Hardware wallets reduce risk because private keys never leave the device. MetaMask can connect to hardware wallets so you can approve transactions securely while keeping keys offline. See hardware-wallet-integration for setup steps.

Account abstraction and smart-contract wallets add flexibility: session keys, gasless transactions, and batched operations. They can improve safety (short-lived session keys) but introduce new trust choices (paymasters, relayers). Read more on account-abstraction-smart-contract-wallets.

---

Phishing, malicious dApps & address poisoning

Phishing MetaMask attacks often come via fake sites, malicious contract approvals, and address-poisoning (where UI shows a safe-looking address that maps to a malicious contract). Always:

• Verify contract addresses from the protocol's official source or block explorer.
• Avoid clicking links sent over social channels.
• Use the site’s vetted documentation and community channels to confirm URLs.

For deep reading and examples see phishing address poisoning.

---

Immediate steps if you suspect a compromise

If you think you were hacked, act fast:

1. Disconnect from all dApps (MetaMask menu -> Connected sites).
2. Revoke approvals for risky tokens (see earlier section).
3. Move remaining funds to a clean wallet you control (preferably a hardware wallet).
4. Check recent transactions on a block explorer and save transaction hashes as evidence.
5. Read the recovery checklist: compromised wallet — what to do.

And inform any counterparties if funds were moved from shared contracts.

---

FAQ

Q: Is it safe to keep crypto in a hot wallet? A: Hot wallets are fine for active DeFi and small balances. For long-term storage or large holdings, use a hardware wallet. Think in terms of "working balance" vs "cold reserve." (I keep less than a month’s trading balance in hot wallets.)

Q: Can MetaMask be hacked? A: Yes — any hot wallet can be compromised via phishing, malware, or careless approvals. Security is layered: OS/browser hygiene, careful approvals, and hardware wallets for large funds.

Q: How to secure MetaMask wallet? A: Follow the steps in this checklist: secure seed phrase, enable mobile biometrics, audit approvals, use hardware wallets, and test dApps with small transactions.

Q: What happens if I lose my phone? A: If you have the seed phrase, you can restore your wallet to a new device. If not, funds are unrecoverable. See seed phrase backup & recovery.

Q: How do I revoke token approvals MetaMask? A: Use an approvals auditor, review allowances, and submit revoke transactions (see how-to-revoke-approvals-step-by-step).

---

Conclusion & next steps

Security is iterative. Follow the quick checklist above, adopt the daily habits, and schedule a monthly approval audit. If you want a guided setup, walk through install the extension or mobile setup and then secure your seed phrase using the steps on seed phrase backup & recovery.

If you want a one-page printable checklist, see staying-safe-checklist.

Stay practical. Small habits prevent big losses.