Phishing & Address Poisoning: How to Spot and Avoid Scams
Short version: phishing is social-engineering that tricks you into signing or revealing sensitive info; address poisoning is a targeted trick that replaces or spoofs recipient addresses so you send funds to an attacker. I believe the two combined are the most common ways people lose funds from a software wallet (hot wallet). I've been using MetaMask and other wallets daily for months, and these attacks are stealthy because they rely on expected workflows — connecting, approving, copying addresses. So this guide focuses on concrete checks you can do before you click "Confirm".
What are phishing and address poisoning?
- Phishing (MetaMask context): malicious websites or fake dApps that ask you to connect, to sign messages, or to approve token allowances that let a contract move your funds. Searches like "phishing metamask" and "scam sites hack metamask wallet" show how common the worry is, and for good reason.
- Address poisoning: attackers generate addresses that match the first and last few characters of an address you use often (your own second account, an exchange deposit address, a regular counterparty) and plant the lookalike where you will copy from: a transaction-history entry created by a dust or zero-value transfer, a pre-filled recipient field, or your clipboard. Why does it work? If you compare only the ends of the address, you send funds to the lookalike instead of the intended recipient.
Both rely on tricks you can defend against. But can MetaMask be hacked just by connecting to a site? Short answer: connecting alone shares only your public address and does not expose your private keys or seed phrase. The damage comes from what you do after connecting: signing a message or approving a contract can authorize transfers of your tokens. (Yes, really.)
How attackers pull this off (real examples)
How do attackers get you to make a critical mistake? Common flows:
- A fake dApp prompts you to "connect". You connect and the site learns your address. It then asks you to sign a message that reads like harmless text or a login challenge. Some signatures only prove you control the address, which is harmless on its own; others are typed-data signatures (a token Permit, for example) that grant the site's contract an allowance without any on-chain approve transaction from you.
- An "Approve" popup requests a token allowance with the spending cap set to unlimited. You confirm assuming it covers only the small amount you intend to swap. The malicious contract then calls transferFrom and drains your whole balance of that token.
- Address poisoning: the site pre-fills the recipient with an address that shares your address's leading (and often trailing) hex characters, or malware on your machine swaps the address on your clipboard for the attacker's. Either way you paste or accept without reading every character.
I once approved an unlimited allowance for a low-liquidity token by accident; revoking that approval cost me gas and a few anxious minutes. What I've found is that small habits (checking the small details) prevent most losses.
Common phishing patterns and red flags
- Domain mimicry: subdomains or domain typos that look like the real dApp.
- Unexpected signature requests: prompts to "sign to verify" when no login is needed.
- Unlimited approvals: an "Approve" prompt whose spending cap reads "Unlimited" or is far above what the action needs.
- Clipboard replacement: you paste an address and it doesn’t match what you copied.
- Pressure: popups saying "Confirm now to claim airdrop" or countdown timers.
And always remember: never enter your seed phrase into a website or a prompt. Ever.
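The "unlimited approval" red flag is easy to check mechanically if you read the transaction's data field instead of trusting the popup text. The following is an added example (not code from MetaMask or from this site) that decodes the common ERC-20 and ERC-721 approval and transfer selectors and reports what the call actually grants. The selector table, `reviewCall` and the sample calldata are constructed for illustration; anything outside that table is reported as unknown, which is your cue to decode it on a block explorer.

```javascript
// Added example (not MetaMask code): decode the "data" field of an EVM transaction
// far enough to see what an "Approve" popup actually grants.
// Assumes the standard ERC-20 / ERC-721 selectors below; other calls are "unknown".

const UINT256_MAX = (1n << 256n) - 1n;

// 4-byte function selectors (first 4 bytes of keccak256 of the signature).
const SELECTORS = {
  '095ea7b3': { name: 'approve', params: ['address', 'uint256'] },
  '39509351': { name: 'increaseAllowance', params: ['address', 'uint256'] },
  'a22cb465': { name: 'setApprovalForAll', params: ['address', 'bool'] },
  'a9059cbb': { name: 'transfer', params: ['address', 'uint256'] },
  '23b872dd': { name: 'transferFrom', params: ['address', 'address', 'uint256'] },
};

function decodeWord(word, type) {
  // Each static ABI argument occupies one right-aligned 32-byte (64 hex char) word.
  switch (type) {
    case 'address': return '0x' + word.slice(24);
    case 'uint256': return BigInt('0x' + word);
    case 'bool': return BigInt('0x' + word) !== 0n;
    default: throw new Error('unsupported type ' + type);
  }
}

function decodeCalldata(data) {
  const hex = String(data).toLowerCase().replace(/^0x/, '');
  if (hex.length < 8 || !/^[0-9a-f]*$/.test(hex)) return { kind: 'invalid' };
  const entry = SELECTORS[hex.slice(0, 8)];
  if (!entry) return { kind: 'unknown', selector: '0x' + hex.slice(0, 8) };
  const body = hex.slice(8);
  if (body.length !== entry.params.length * 64) return { kind: 'invalid', name: entry.name };
  const args = entry.params.map((type, i) => decodeWord(body.slice(i * 64, i * 64 + 64), type));
  return { kind: 'call', name: entry.name, args };
}

// Turn a decoded call into the one-line verdict you want before clicking Confirm.
// opts.maxAllowance (BigInt) is an optional personal cap for non-unlimited approvals.
function reviewCall(data, opts = {}) {
  const decoded = decodeCalldata(data);
  if (decoded.kind !== 'call') return { risk: 'review', reason: decoded.kind + ' calldata' };
  const [a0, a1] = decoded.args;
  if (decoded.name === 'approve' || decoded.name === 'increaseAllowance') {
    if (a1 === UINT256_MAX) return { risk: 'high', reason: 'unlimited allowance to ' + a0 };
    if (opts.maxAllowance !== undefined && a1 > opts.maxAllowance)
      return { risk: 'high', reason: 'allowance above your cap to ' + a0 };
    return { risk: 'ok', reason: 'allowance of ' + a1 + ' to ' + a0 };
  }
  if (decoded.name === 'setApprovalForAll' && a1 === true)
    return { risk: 'high', reason: 'operator ' + a0 + ' may move every NFT in the collection' };
  return { risk: 'ok', reason: decoded.name };
}

// Constructed sample: approve(spender = 0x1111...1111, amount = 2^256 - 1), i.e. "Unlimited".
const SAMPLE_UNLIMITED_APPROVE = '0x095ea7b3' + '0'.repeat(24) + '1'.repeat(40) + 'f'.repeat(64);
```

Run `reviewCall(SAMPLE_UNLIMITED_APPROVE)` and you get `risk: 'high'` with the spender address spelled out; a 10-token approval to the same spender comes back `ok`. The same decoder applies to the "Check contract calls" advice later in this guide: paste the hex from MetaMask's data tab into it before confirming.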
How to check connected sites in MetaMask (step-by-step)
Desktop extension (common flow):
- Open the MetaMask extension.
- Click the account icon (top-right) or menu (three dots) and choose "Connected sites" or "Connected accounts".
- Review the list. For each entry, note which accounts are connected and which permissions were granted.
- Click an entry and choose "Disconnect" if it's unfamiliar.
Mobile app (WalletConnect sessions included):
- Open MetaMask mobile.
- Tap the menu → Settings → Connections or Connected sites.
- End sessions you don't recognize (this will terminate WalletConnect sessions as well).
![Screenshot placeholder: Connected sites view]
Need detailed steps? See disconnect connected sites and the WalletConnect guide connect to dapps via WalletConnect.
How to cancel a contract interaction in MetaMask (step-by-step)
If you accidentally submit a transaction that is still pending you can sometimes cancel or replace it. Cancelling works only while the original transaction is unmined.
- Open MetaMask and find the pending transaction in the Activity list.
- If a "Cancel" button is available, use it — MetaMask will create a replacement transaction with the same nonce to override the pending one.
- Do not use "Speed Up" for this: it rebroadcasts the same transaction with a higher fee, so it makes the dangerous transaction confirm sooner, not later.
- If there is no "Cancel" button, enable nonce editing ("Customize transaction nonce") in Settings → Advanced, then send 0 ETH to your own address with the same nonce as the pending transaction and a higher fee. Nodes normally require the replacement's fee to be at least about 10% above the original before they accept it; a replacement with the same fee is silently dropped, and one with a different nonce just queues a second transaction.
Note: once a transaction is confirmed on-chain you cannot undo it. For more on pending transactions see pending-transaction-troubleshooting.
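What MetaMask does behind the "Cancel" button is small enough to write out. The following is an added example (not MetaMask's own code) that builds the replacement transaction and checks a candidate against the rule that decides whether a node will accept it as a replacement. It assumes EIP-1559 fee fields (`maxFeePerGas`, `maxPriorityFeePerGas`), a 10% minimum fee bump (geth's default replacement policy; other clients may differ), and that the pending transaction is your own. `pendingApprove` is constructed sample data, not a real transaction.

```javascript
// Added example (not MetaMask code): build the "cancel" transaction MetaMask sends
// for you, and explain why a replacement may silently be dropped.
// Assumptions: EIP-1559 fees and a 10% minimum bump (geth's default policy).

const MIN_BUMP_PERCENT = 10n;    // assumption: node replacement threshold
const CANCEL_GAS_LIMIT = 21000n; // plain ETH transfer to self

function bump(value, percent) {
  // Round up so a bump on small values still clears the threshold.
  return (value * (100n + percent) + 99n) / 100n;
}

// A cancel is a 0-value transfer to yourself with the same nonce and higher fees.
function buildCancelTx(pending, bumpPercent = MIN_BUMP_PERCENT) {
  if (typeof pending.nonce !== 'number') throw new Error('pending tx needs a nonce');
  return {
    from: pending.from,
    to: pending.from,
    value: 0n,
    nonce: pending.nonce,
    gasLimit: CANCEL_GAS_LIMIT,
    maxFeePerGas: bump(pending.maxFeePerGas, bumpPercent),
    maxPriorityFeePerGas: bump(pending.maxPriorityFeePerGas, bumpPercent),
    chainId: pending.chainId,
    data: '0x',
  };
}

// Every reason a candidate would NOT replace the pending transaction.
function replacementProblems(pending, candidate) {
  const problems = [];
  if (candidate.nonce !== pending.nonce) problems.push('nonce differs: this does not replace anything');
  if (candidate.chainId !== pending.chainId) problems.push('chainId differs');
  if (candidate.maxFeePerGas < bump(pending.maxFeePerGas, MIN_BUMP_PERCENT))
    problems.push('maxFeePerGas bump below ' + MIN_BUMP_PERCENT + '%');
  if (candidate.maxPriorityFeePerGas < bump(pending.maxPriorityFeePerGas, MIN_BUMP_PERCENT))
    problems.push('maxPriorityFeePerGas bump below ' + MIN_BUMP_PERCENT + '%');
  if (candidate.maxPriorityFeePerGas > candidate.maxFeePerGas)
    problems.push('priority fee exceeds max fee');
  return problems;
}

// Constructed sample: a pending unlimited approve() you want to kill (not a real tx).
const pendingApprove = {
  from: '0x' + 'a'.repeat(40),
  to: '0x' + 'b'.repeat(40),
  nonce: 42,
  chainId: 1,
  maxFeePerGas: 30_000_000_000n,        // 30 gwei
  maxPriorityFeePerGas: 1_500_000_000n, // 1.5 gwei
  data: '0x095ea7b3' + '0'.repeat(24) + 'c'.repeat(40) + 'f'.repeat(64),
};
```

`buildCancelTx(pendingApprove)` yields a 0 ETH self-transfer at nonce 42 with fees of 33 and 1.65 gwei; `replacementProblems` returns an empty list for it and names the problem for a candidate that reuses the old fee or picks nonce 43. Sign and broadcast the result with your usual library; none of this helps once the original has been mined.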
Practical defenses against address poisoning & phishing
- Verify the whole address: poisoned addresses are generated to match the first and last few characters, so a "first 6, last 4" glance is exactly the test they are built to pass. Compare every character against a saved contact, or send to the contact from your address book instead of pasting.
- Use a hardware wallet for high-value transactions so the device screen shows the recipient address.
- Keep a curated address book (save only addresses you trust) and prefer saved contacts to pasted addresses.
- Limit token allowances when possible and routinely revoke approvals.
- Test with a tiny transaction first (1–5 USD equivalent) when interacting with a new dApp. And if you're unsure, disconnect and open the dApp URL in a new tab.
- Use separate accounts: one account for DEX swaps, another for long-term holdings.
- Check contract calls: copy the transaction input to a block explorer (see using-etherscan-with-metamask) to decode function calls.
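The first two defenses above (compare the whole address, prefer the address book) can be turned into a check that runs before a send. The following is an added example, not code from MetaMask or this site: it classifies a pasted recipient against a small address book and flags the address-poisoning case, where the ends match a trusted entry but the middle does not. It assumes 20-byte EVM addresses compared case-insensitively (EIP-55 checksum validation is left out), and the address book and the poisoned address in it are constructed, not real.

```javascript
// Added example (not MetaMask code): flag a recipient that matches a trusted address
// only at the ends. Poisoned addresses are generated to match exactly the characters
// people compare, so the rule is "full match or nothing".
// Assumptions: 20-byte EVM addresses, case-insensitive comparison, no checksum check.

const ADDRESS_RE = /^0x[0-9a-f]{40}$/;

function normalize(addr) {
  const a = String(addr).trim().toLowerCase();
  return ADDRESS_RE.test(a) ? a : null;
}

// How many leading / trailing hex characters two normalized addresses share (ignoring "0x").
function sharedEnds(a, b) {
  const x = a.slice(2), y = b.slice(2);
  let prefix = 0;
  while (prefix < 40 && x[prefix] === y[prefix]) prefix++;
  let suffix = 0;
  while (suffix < 40 - prefix && x[39 - suffix] === y[39 - suffix]) suffix++;
  return { prefix, suffix };
}

// addressBook: { label: address }. Verdicts: trusted | lookalike | unknown | invalid.
// minPrefix/minSuffix are how many matching end characters count as "designed to fool you".
function classifyRecipient(recipient, addressBook, opts = {}) {
  const minPrefix = opts.minPrefix ?? 4;
  const minSuffix = opts.minSuffix ?? 4;
  const r = normalize(recipient);
  if (!r) return { verdict: 'invalid', reason: 'not a 20-byte hex address' };
  for (const [label, raw] of Object.entries(addressBook)) {
    const trusted = normalize(raw);
    if (!trusted) continue;
    if (trusted === r) return { verdict: 'trusted', label };
    const { prefix, suffix } = sharedEnds(trusted, r);
    if (prefix >= minPrefix && suffix >= minSuffix) {
      return {
        verdict: 'lookalike',
        label,
        reason: `matches "${label}" on first ${prefix} and last ${suffix} chars only`,
      };
    }
  }
  return { verdict: 'unknown', reason: 'not in address book' };
}

// Clipboard replacement is the same comparison applied to "what I copied" vs "what got pasted".
function clipboardTampered(copied, pasted) {
  const c = normalize(copied), p = normalize(pasted);
  return c !== null && p !== null && c !== p;
}

// Constructed sample data (not real addresses).
const TRUSTED = '0x1234abcd5f6e7d8c9b0a1234abcd5f6e7d8c9b0a';
const POISONED = '0x1234abcd' + 'e'.repeat(28) + '9b0a'; // same first 8 and last 4 chars
const addressBook = { 'my cold wallet': TRUSTED };
```

`classifyRecipient(POISONED, addressBook)` returns `lookalike` with the matching-ends explanation, while a genuinely unrelated address comes back `unknown` and the real contact `trusted`. Treat anything other than `trusted` as "stop and check", not as a warning to click through.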
If you've already approved something malicious: immediate steps
- Disconnect suspicious dApps and revoke token allowances right away. See how to revoke approvals step-by-step.
- Move remaining funds to a new wallet that you control (generate a fresh seed phrase with a clean device). See seed phrase backup & recovery.
- If tokens have been drained, collect on-chain evidence (tx hashes) and consult compromised wallet: what to do.
But remember: the right order depends on what was compromised. If you only granted a bad approval and your seed phrase is intact, revoke it or move the affected tokens first; an allowance stays attached to the original account, so any of that token you leave behind remains drainable. If the seed phrase or private key itself leaked, do not spend gas on revocations: the attacker controls the account and can re-approve at will, so move everything to a fresh wallet immediately and expect a race against automated sweeper bots.
Quick mitigation comparison table
| Action | Preventive or reactive | Difficulty | When to use |
|---|---|---|---|
| Disconnect connected sites | Preventive | Low | After an unfamiliar connection |
| Revoke token approvals | Reactive/Preventive | Medium (costs gas) | After suspicious approvals |
| Use hardware wallet for confirmations | Preventive | Medium | High-value transactions |
| Replace/cancel pending tx (same nonce) | Reactive | Medium | Dangerous transaction still unmined |
| Save contacts & use address book | Preventive | Low | Routine transfers |
Who MetaMask is for — and who should look elsewhere
Who it's for:
- Active DeFi users who need a browser-extension and WalletConnect workflow for EVM-compatible dApps.
- People who trade or swap frequently and want quick access to dApps.
Who should look elsewhere (or augment MetaMask):
FAQ
Q: Is it safe to keep crypto in a hot wallet?
A: Hot wallets are convenient for daily DeFi activity but they increase exposure compared with cold storage. I keep a small working balance in a hot wallet and most funds offline. What I've found is that this reduces stress and loss risk.
Q: How do I revoke token approvals?
A: A revocation is itself a transaction (an approve with the allowance set to 0), so it costs gas. Use MetaMask's token approval UI, a block explorer's approval checker, or a dedicated revocation tool, then confirm on the explorer that the allowance reads 0. Note that disconnecting a site in "Connected sites" does not revoke any allowance that site's contract already holds. See token approvals and revoke and the detailed walkthrough how to revoke approvals step-by-step.
Q: What happens if I lose my phone?
A: If you have your seed phrase you can restore your wallet on another device. If the seed phrase is lost or exposed, treat the wallet as compromised; move funds to a new wallet and follow the compromised-wallet checklist (/compromised-wallet-what-to-do).
Q: Can MetaMask be hacked by connecting to some sites?
A: Connecting by itself only shares your public address. The risk begins when you sign messages or approve contracts: an on-chain approval, or an off-chain typed-data signature such as a token Permit, is what lets a malicious site move your tokens. The connection is not the hack; your approvals and signatures are the vector.
Conclusion & next steps
Phishing and address poisoning are avoidable with checklist-style habits: verify addresses, limit approvals, disconnect unfamiliar dApps, and use hardware confirmation when transferring meaningful amounts. And if something goes wrong, act quickly to revoke approvals and move funds. For a step-by-step security plan, read our security checklist and the seed phrase backup & recovery guide.
Want to practice safe habits? Start by reviewing your connected sites now: Disconnect connected sites.