Quick tips
Protect your recovery phrase. Never share your 12-word recovery phrase. Your recovery phrase is what gives you, and only you, access to your wallet.
Research dapp websites. Check that the dapp website you want to use is legitimate. Also double-check that you’re using the correct dapp website URL.
Slow down. Watch out for grammatical mistakes, typos and misspelled words. Scammers often make grammar or spelling mistakes.
Phishing
Phishing websites and dapps try to trick visitors into providing their sign-in credentials or other sensitive information to gain control of their accounts or wallet. These scammers use emails, SMS text messages, social media and search-engine advertisements to make their sites appear legitimate.
To avoid phishing:
Check that you’re using the correct dapp website URL.
Double-check that the dapp website is legitimate. Research the platform thoroughly to validate their services and authenticity.
Giveaway scams
Scammers are using social media to carry out their giveaway scams. They post screenshots of forged messages from companies and executives promoting a giveaway, with hyperlinks to fraudulent websites. Fake accounts will then respond to these posts, making the scam appear legitimate. The fraudulent websites will then ask that you “verify” your address by sending cryptocurrency to the scam giveaway.
To avoid giveaway scams:
Never send cryptocurrency to giveaways under the guise of address verification.
Be sceptical of all giveaways and offers found on social media. Do not trust screenshots in reply messages as images can be forged and altered.
Use a reputable search engine to do research on any entity soliciting you on social media. If the offer sounds too good to be true, it probably is.
Check the giveaway URL to make sure it’s legitimate.
Dusting attacks
A dusting attack begins when an attacker sends ‘dust’ funds (a tiny amount of crypto) to multiple wallets via an airdrop. If the recipient tries to cash out or move these funds, the attacker will use the activity to try to discover the wallet owner’s identity, which can then be used for phishing scams or other types of attacks.
Sometimes, these tokens will have a URL in the name to try to get the recipient to visit the website for malicious purposes, such as to reveal their seed phrase.
If you receive unexpected dust funds from an airdrop, you can simply leave them alone, in which case the attacker can’t perform the required analysis to try to de-anonymise the address. You can also report the token from the Base app by selecting the three dots at the top of the asset screen and then selecting Hide & report.
Airdropped tokens
An airdrop is when free assets are sent, or ‘dropped’, into your wallet by an asset issuer to raise awareness of a new cryptocurrency. We recommend that you contact the asset issuer directly for guidance on how to move these assets. For example, some airdropped tokens may be frozen by their smart contract and have complex instructions for trading funds in which you will need the asset issuer’s help.
Be extra cautious when receiving airdropped tokens that you’re not familiar with.
For example: Some scammers will use airdrops to get your personal information and attempt to take over your accounts.
Remember that no legitimate airdrop campaign will ask for your 12-word recovery phrase.
Note: An asset can start out as an ERC-20 token and then move on to its own blockchain which may or may not be supported by the Base app. Search the asset under Receive in your wallet to see if it’s supported.
You can check or report suspicious crypto addresses or domains on Chainabuse, a third-party, community-driven platform where people share scam reports. Since submissions are user-generated and may not always be verified, use them as a supplementary reference to help raise awareness among others. Chainabuse is not affiliated with Coinbase.