Quick tips
Protect your recovery phrase. Never share your 12-word recovery phrase. Your recovery phrase is what gives you and only you access to your wallet.
Research dapp websites. Check that the dapp website you want to use is legitimate. Also double-check that you’re using the correct dapp website URL.
Slow down. Watch out for grammatical mistakes, typos, and misspelled words. Scammers often make grammar or spelling mistakes.
Phishing
Phishing websites and dapps try to trick visitors into providing their sign-in credentials or other sensitive information in order to gain control of their accounts or wallets. These scammers use emails, SMS text messages, social media, and search-engine advertisements to make their sites appear legitimate.
To avoid phishing:
Check that you’re using the correct dapp website URL.
Double-check that the dapp website is legitimate. Research the platform thoroughly to validate their services and authenticity.
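As an added illustration of what checking the URL involves (example code, not part of the Base app or any Coinbase tool), the following compares a link's real hostname with hosts you have already verified and bookmarked. The hostnames, the reason codes and the edit-distance threshold of 2 are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist: hostnames the user has verified and bookmarked.
TRUSTED_HOSTS = {"app.example-dex.org", "wallet.example.com"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_dapp_url(url, trusted=TRUSTED_HOSTS):
    """Return (ok, reason_code) for a link before it is opened."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return False, "unparseable"
    if parts.scheme != "https":
        return False, "not-https"
    if parts.username or parts.password:
        # Text before '@' is not the host; the browser goes to what follows it.
        return False, "userinfo"
    if not host:
        return False, "no-host"
    if not host.isascii():
        return False, "non-ascii"            # look-alike Unicode letters
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode"             # encoded non-ASCII label
    if host in trusted:
        return True, "trusted"               # exact match only
    if any(good in host for good in trusted):
        # Trusted name used as a prefix or subdomain of a different site.
        return False, "embeds-trusted-name"
    if min(edit_distance(host, good) for good in trusted) <= 2:
        return False, "look-alike"
    return False, "unknown"
```

Only an exact hostname match passes; a link that merely contains a trusted name is treated as a different site.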
Giveaway scams
Scammers are using social media to carry out their giveaway scams. They post screenshots of forged messages from companies and executives promoting a giveaway with hyperlinks to fraudulent websites. Fake accounts will then respond to these posts making the scam appear legitimate. The fraudulent websites will then ask that you “verify” your address by sending cryptocurrency to the scam giveaway.
To avoid giveaway scams:
Never send cryptocurrency to giveaways under the guise of address verification.
Be skeptical of all giveaways and offers found on social media. Do not trust screenshots in reply messages as images can be forged and altered.
Use a reputable search engine to do research on any entity soliciting you on social media. If the offer sounds too good to be true, it probably is.
Check the giveaway URL to make sure it’s legitimate.
Dusting attacks
A dusting attack begins when an attacker sends “dust” funds (a tiny amount of crypto) to multiple wallets via an airdrop. If the recipient tries to cash out or move these funds, the attacker will use the activity to try to discover the wallet owner’s identity, which can then be used for phishing scams or other types of attacks.
Sometimes these tokens will have a URL in the name to try to get the recipient to visit the website for malicious purposes, such as to reveal their seed phrase.
If you receive unexpected dust funds from an airdrop, you can simply leave them alone, in which case the attacker can’t perform the required analysis to try to de-anonymize the address. You can also report the token from the Base app by selecting the three dots at the top of the asset screen and then selecting Hide & report.
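The signs described above (an unexpected token, a tiny or unpriced amount, a URL in the token name) can be screened for mechanically. This is an added example, not code from the Base app; the record fields, the TLD list, the $1 dust threshold and the sample transfers are all constructed for illustration.

```python
import re
import unicodedata

TLDS = "com|org|net|io|xyz|app|site|top|finance|exchange"  # assumed, not exhaustive
URL_LIKE = re.compile(
    r"https?://|www\.|[a-z0-9-]+\s*(?:\.|\[\.\]|\(dot\))\s*(?:" + TLDS + r")\b",
    re.IGNORECASE,
)

def has_url(text):
    """True if the text contains a URL or a domain-like string."""
    # NFKC folds full-width and other compatibility characters to ASCII first.
    return bool(URL_LIKE.search(unicodedata.normalize("NFKC", text)))

def screen_incoming(transfers, known_contracts, dust_usd=1.00):
    """Return {transfer id: [reasons]} for incoming tokens to leave untouched."""
    flagged = {}
    for t in transfers:
        if t["contract"] in known_contracts:
            continue  # a token the user already holds on purpose
        reasons = []
        if has_url(t["name"]) or has_url(t["symbol"]):
            reasons.append("url-in-name")
        if t["usd_value"] is None or t["usd_value"] < dust_usd:
            reasons.append("dust-value")  # unpriced or tiny amount
        if reasons:
            flagged[t["id"]] = reasons
    return flagged

# Constructed sample data (not real contracts or tokens).
KNOWN = {"0x" + "11" * 20}
SAMPLE = [
    {"id": "t1", "name": "Visit rewards-example.xyz to claim", "symbol": "CLAIM",
     "contract": "0x" + "22" * 20, "usd_value": None},
    {"id": "t2", "name": "Example Stable", "symbol": "EXS",
     "contract": "0x" + "11" * 20, "usd_value": 250.0},
    {"id": "t3", "name": "Some Coin", "symbol": "SOME",
     "contract": "0x" + "33" * 20, "usd_value": 0.02},
    {"id": "t4", "name": "Bonus", "symbol": "claim-usdc[.]com",
     "contract": "0x" + "44" * 20, "usd_value": 40.0},
]
```

Calling `screen_incoming(SAMPLE, KNOWN)` flags t1, t3 and t4 and skips t2, the token the user already holds.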
Airdropped tokens
An airdrop is when free assets are sent or “dropped” into your wallet by an asset issuer to raise awareness of a new cryptocurrency. We recommend you contact the asset issuer directly for guidance on how to move these assets. For example, some airdropped tokens may be frozen by their smart contract and have complex instructions for trading funds, for which you will need the asset issuer’s help.
Be extra cautious when receiving airdropped tokens that you’re not familiar with.
For example: Some scammers will use airdrops to get your personal information and attempt to take over your accounts.
Remember that no legitimate airdrop campaign will ask for your 12-word recovery phrase.
Note: An asset can start out as an ERC-20 token and then move on to its own blockchain, which may or may not be supported by the Base app. Search the asset under Receive in your wallet to see if it’s supported.
Scam tokens
Scam tokens can be designed to trap or steal funds from unsuspecting users. Two common types include:
Honeypot scam tokens: These may appear to offer potential profits but can’t be sold or traded due to hidden restrictions in the smart contract.
Other scam tokens: Some tokens are designed to be hidden in your wallet (so they can’t be used) or automatically sent to inaccessible addresses.
To avoid scam tokens:
Research the token and verify its contract address: Use blockchain explorers like Etherscan and trusted sources like CoinGecko or CoinMarketCap.
Check for smart contract audits: Reputable projects undergo third-party security audits.
Review liquidity and trading volume: Low liquidity may indicate a scam.
Use scam detection tools: Platforms like Token Sniffer, Honeypot Detector, or Dextools can help with token research.
Be cautious of new or heavily promoted tokens: Avoid impulsive purchases based on hype.
Research the project: Verify the team's background, roadmap, and transparency.
Trade on reputable exchanges: Stick to well-known platforms with security measures against scams.
Perform a test: Try a small transaction to ensure you can sell the token before making a larger investment.
Even if a token passes all of these checks, there is no guarantee that it's not a scam token.
You can check or report suspicious crypto addresses or domains on Chainabuse, a third-party, community-driven platform where people share scam reports. Because submissions are user-generated and may not always be verified, use it as a supplemental reference and to help raise awareness for others. Chainabuse is not affiliated with Coinbase.