Why scams work in crypto (and what “social engineering” means)
Most crypto losses from scams are not caused by “hacking the blockchain.” They happen because an attacker convinces you to take an action that gives them access: sending funds, revealing a recovery phrase, signing a malicious transaction, or approving a token permission that lets them drain your wallet. This is social engineering: manipulating human behavior (fear, urgency, trust, greed, romance, embarrassment) to bypass your normal caution.
A useful mental model: scams are workflows. The attacker has a script, a set of assets (fake profiles, cloned websites, bot accounts), and a target action they need from you. Your job is to recognize the workflow early and switch to a safe response.
Scenario 1: Impersonation (support agents, admins, influencers)
What it looks like
You post a question in a public forum, comment on a project’s social media, or join a community chat. Minutes later, “support” DMs you. Or an “influencer” offers a private deal, whitelist spot, or “recovery service.”
Observable red flags
- Unsolicited direct messages offering help, especially after you ask a public question.
- Profile look-alikes: similar username, copied avatar, recently created account, low engagement.
- Moves you off-platform: “Message me on Telegram/WhatsApp,” “Use this special link.”
- Requests secrets or actions: seed phrase, private key, “screen share,” “install this tool,” “connect your wallet to verify.”
- Authority pressure: “I’m an admin,” “I work with the team,” “I can freeze your funds.”
Typical attacker scripts
- “Hello, I’m support. We detected suspicious activity. Please verify your wallet to secure it.”
- “We can recover your funds. Share your seed phrase so we can restore access.”
- “You’ve been selected for a private presale. Send 0.2 ETH to confirm your spot.”
- “I’m the influencer’s manager. We have a limited-time partnership.”
Safe response (step-by-step)
- Do not reply with any sensitive info. No seed phrase, no private key, no screenshots of recovery words.
- Independently find official channels (see decision tree below). Do not use links provided by the DM.
- Ask for a public ticket reference or request they respond publicly where you originally asked. Real teams can usually do this.
- Block and report the account. If in a community chat, notify moderators using the official channel list.
Scenario 2: Phishing links (cloned sites, fake logins, “security alerts”)
What it looks like
You receive an email, DM, or ad: “Account locked,” “Unusual login,” “Claim your reward,” “New airdrop,” “KYC required.” The link leads to a site that looks identical to an exchange, wallet provider, or project page. The goal is to steal credentials or trick you into signing a malicious transaction.
Observable red flags
- Domain tricks: misspellings, extra words, different top-level domains, the real brand used as a subdomain of some other domain (e.g., “example.com.verify-login.net”), or look-alike characters (e.g., “examp1e.com”, or a Cyrillic “а” in place of a Latin “a”).
- Link shorteners or “click here urgently” messages.
- Unexpected login prompts for services you didn’t initiate.
- Requests to “import wallet” by entering a seed phrase on a website.
- Browser warnings, certificate errors, or unusual pop-ups. The reverse does not hold: a padlock icon only means the connection is encrypted, and phishing sites routinely have valid certificates.
Typical attacker scripts
- “Your account will be suspended in 30 minutes. Confirm now.”
- “We detected a failed withdrawal. Cancel it here.”
- “You are eligible for a limited airdrop. Connect wallet to claim.”
Safe response (step-by-step)
- Do not click the link. Treat messages as untrusted.
- Navigate independently: type the known domain yourself or use a bookmark you created earlier.
- Verify the domain carefully before entering any credentials or connecting a wallet.
- If you already clicked, close the page and run a quick check: did you enter credentials, approve a transaction, or download anything? If yes, move to the “If compromised” section.
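The “verify the domain carefully” step is the one people get wrong under pressure, so here is the check done mechanically. This is an added example written for this course, not code from the original page or from any wallet or exchange: `TRUSTED` stands for the domains you bookmarked yourself, and both those entries and the URLs in the demonstration are constructed placeholders. It catches the three tricks listed above (digit/Unicode substitution, one-character typos, and the brand buried inside someone else’s domain), and it reads the host the way a browser does, so `user@` tricks and punycode do not fool it.

```python
"""Look-alike domain check for the 'verify the domain carefully' step.

Added example for this course, not code from the original page or from any
wallet or exchange. TRUSTED holds domains you bookmarked earlier; the entries
here and the URLs used to exercise the code are constructed placeholders.
"""
import unicodedata
from urllib.parse import urlsplit

# Domains you verified and bookmarked yourself (constructed examples).
TRUSTED = ("example-exchange.com", "examplewallet.io")

# Characters commonly swapped in for Latin letters (a small, hand-picked subset;
# production code would use the full Unicode confusables table).
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",  # Cyrillic с у х і
}


def skeleton(text: str) -> str:
    """Collapse confusable characters so look-alikes compare equal."""
    text = unicodedata.normalize("NFKC", text.lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are short, so the plain O(n*m) DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url: str) -> str:
    """Extract the host the browser would actually connect to.

    urlsplit().hostname drops userinfo, so 'https://example-exchange.com@evil.net'
    yields 'evil.net'. Punycode ('xn--') labels are decoded so the confusable
    mapping sees the real characters.
    """
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or not valid punycode: compare as-is
    return host.lower()


def classify(url: str, trusted=TRUSTED):
    """Return (verdict, matched_trusted_domain_or_None).

    Assumption: the registrable domain is the last two labels. Real code
    should consult the Public Suffix List (for 'co.uk' and similar).
    """
    host = host_of(url)
    for t in trusted:
        if host == t or host.endswith("." + t):
            return "trusted", t
    registrable = ".".join(host.split(".")[-2:])
    # Checks run in priority order across all trusted domains, so the verdict
    # does not depend on the order of TRUSTED.
    for t in trusted:  # digit or Unicode substitution
        if skeleton(registrable) == skeleton(t):
            return "lookalike", t
    for t in trusted:  # one-character typo
        if edit_distance(skeleton(registrable), skeleton(t)) <= 1:
            return "typosquat", t
    for t in trusted:  # brand used as a subdomain or prefix of another domain
        if t.split(".")[0] in skeleton(host):
            return "brand-in-host", t
    return "unknown", None


if __name__ == "__main__":
    for u in ("https://app.example-exchange.com/login", "https://examp1e-exchange.com/verify",
              "https://example-exchange.com.verify-account.net/", "https://github.com"):
        print(f"{u:55} -> {classify(u)}")
```

Anything other than `trusted` means: do not enter credentials or connect a wallet; go to your bookmark instead. `unknown` is not a pass, it only means the host is not a known imitation.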
Scenario 3: Fake airdrops and “claim” traps
What it looks like
A post claims you’re eligible for free tokens: “Claim now,” “Snapshot taken,” “Season 2 rewards.” The site asks you to connect your wallet and sign something. Sometimes it asks for a small “gas fee” or “activation fee.”
Observable red flags
- Too-good-to-be-true rewards with minimal context.
- Pressure and scarcity: “Only 10 minutes left,” “First 5,000 users.”
- Unclear eligibility: you never used the project but “won” anyway.
- Requires sending funds to receive funds (classic advance-fee pattern).
- Asks you to sign multiple prompts without explaining what they do.
Typical attacker scripts
- “Congratulations! You’re whitelisted. Connect wallet to claim.”
- “To prevent bots, pay a small verification fee. You’ll get it back.”
- “If you don’t claim today, your allocation expires.”
Safe response (step-by-step)
- Verify the airdrop from official sources you find independently (project website you already know, verified social accounts, official docs).
- Never pay to “unlock” an airdrop unless you fully understand the mechanism and have verified it through multiple official channels.
- When connecting a wallet, read every prompt. If it requests broad permissions or an unexpected signature, stop.
- Use a separate low-value wallet for experimental claims when possible, so a mistake doesn’t expose long-term holdings.
Scenario 4: Wallet-drainer approvals (malicious token allowances and signatures)
What it looks like
You connect your wallet to a site and it asks you to approve a token or sign a message. The approval may grant the attacker (or a malicious contract) permission to transfer your tokens later. Some drainers use off-chain signatures that look harmless (“Sign to continue”) but authorize actions behind the scenes: a token permit signature costs no gas yet grants the same allowance as an on-chain approval, and a signed marketplace listing can put your NFTs up for sale at a price of zero. Neither shows up as a transaction until the attacker redeems it.
Observable red flags
- Approval requests for tokens you didn’t intend to use.
- Very large or “unlimited” allowance when a small amount would do.
- Repeated prompts that push you to click quickly.
- Vague signature requests: “Sign to verify,” “Sign to sync,” without clear explanation.
- Site appears suddenly via ads/DMs rather than your normal workflow.
Typical attacker scripts
- “This is just a verification signature. It won’t cost gas.”
- “Approve unlimited to avoid future fees.”
- “Your wallet is out of sync. Sign to resync.”
Safe response (step-by-step)
- Stop if you don’t understand the prompt. Confusion is a signal to pause.
- Check what you are approving: token name, spender address (if shown), and amount/allowance.
- Prefer limited approvals (only what you need for the transaction).
- If you suspect you approved a drainer, immediately move to “If compromised”: revoke permissions and move remaining funds.
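“Check what you are approving” is concrete once you know where to look: most wallets expose the raw calldata of a transaction under “hex data”, and a gas-free “sign” request shows you the typed data being signed. The decoder below is an added example written for this course, not code from the original page or from any wallet. The four-byte selectors are the standard ERC-20/ERC-721 ones and the `Permit` field layout is the EIP-2612 one; every address, allowance and sample prompt is constructed. It answers the three questions that matter: which function, which counterparty, and whether the amount is unlimited or larger than what you intended.

```python
"""Decode what a wallet prompt really authorizes before you click 'confirm'.

Added example for this course, not code from the original page or from any
wallet. Input is either the raw calldata a wallet shows under 'hex data' or
the EIP-712 typed data behind a gas-free 'sign' request. Selectors are the
standard ERC-20/721 ones; all addresses and sample prompts are constructed.
"""
import json

MAX_UINT256 = 2**256 - 1

# First 4 bytes of keccak256(function signature) for the permission-granting
# calls a drainer page will put in front of you.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",            # ERC-20 allowance
    "39509351": "increaseAllowance(address,uint256)",  # ERC-20 (OpenZeppelin)
    "a22cb465": "setApprovalForAll(address,bool)",     # ERC-721/1155 operator
    "a9059cbb": "transfer(address,uint256)",           # moves funds immediately
}


def _arg(data: bytes, index: int) -> bytes:
    """Return the index-th 32-byte ABI word after the 4-byte selector."""
    start = 4 + 32 * index
    return data[start:start + 32]


def decode_calldata(hexdata: str, intended_amount=None) -> dict:
    """Explain an on-chain prompt; intended_amount is what YOU meant to allow."""
    data = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    selector = data[:4].hex()
    fn = SELECTORS.get(selector)
    if fn is None or len(data) < 4 + 64:
        return {"function": fn, "selector": selector, "risk": "high",
                "why": "unrecognised or truncated calldata: do not sign until decoded"}
    counterparty = "0x" + _arg(data, 0)[12:].hex()  # address = low 20 bytes of word 0
    value = int.from_bytes(_arg(data, 1), "big")
    out = {"function": fn, "counterparty": counterparty, "value": value}
    if fn.startswith("setApprovalForAll"):
        out["risk"] = "high" if value else "low"
        out["why"] = ("operator may move EVERY token in this collection"
                      if value else "revokes operator")
    elif fn.startswith("transfer"):
        out["risk"], out["why"] = "high", "sends tokens now; this is not an approval"
    else:  # approve / increaseAllowance
        out["unlimited"] = value == MAX_UINT256
        if out["unlimited"]:
            out["risk"], out["why"] = "high", "unlimited allowance to the spender"
        elif intended_amount is not None and value > intended_amount:
            out["risk"], out["why"] = "high", "allowance exceeds what you intended"
        else:
            out["risk"], out["why"] = "review", "limited allowance: confirm the spender is the contract you meant to use"
    return out


def inspect_typed_data(typed_json: str) -> dict:
    """Explain an EIP-712 'sign' request. A Permit signature (EIP-2612) costs
    no gas but is an allowance: the spender can pull `value` until `deadline`."""
    td = json.loads(typed_json)
    msg = td.get("message", {})
    if td.get("primaryType") == "Permit" and "spender" in msg and "value" in msg:
        value = int(msg["value"])
        return {"kind": "Permit", "spender": str(msg["spender"]).lower(),
                "value": value, "deadline": int(msg.get("deadline", 0)),
                "unlimited": value == MAX_UINT256,
                "risk": "high" if value == MAX_UINT256 else "review",
                "why": "gas-free signature that grants a token allowance"}
    return {"kind": td.get("primaryType"), "risk": "high",
            "why": "typed data this tool does not understand: do not sign"}


# Constructed sample prompts (placeholder addresses, not real contracts).
SPENDER = "0x" + "ab" * 20
DRAINER_APPROVE = "0x095ea7b3" + "00" * 12 + "ab" * 20 + "ff" * 32
HONEST_APPROVE = "0x095ea7b3" + "00" * 12 + "ab" * 20 + (1000).to_bytes(32, "big").hex()
DRAINER_OPERATOR = "0xa22cb465" + "00" * 12 + "ab" * 20 + (1).to_bytes(32, "big").hex()
SYNC_WALLET_PERMIT = json.dumps({
    "primaryType": "Permit", "domain": {"name": "ExampleToken", "chainId": 1},
    "message": {"owner": "0x" + "11" * 20, "spender": SPENDER,
                "value": str(MAX_UINT256), "nonce": 0, "deadline": 1893456000},
})

if __name__ == "__main__":
    print("'Approve unlimited to avoid fees' ->", decode_calldata(DRAINER_APPROVE))
    print("'Approve 1000 for the swap'      ->", decode_calldata(HONEST_APPROVE, 1000))
    print("'Verify NFT ownership'           ->", decode_calldata(DRAINER_OPERATOR))
    print("'Sign to resync, no gas'         ->", inspect_typed_data(SYNC_WALLET_PERMIT))
```

The two things this makes visible that the wallet’s summary often does not: an `approve` for `2^256 - 1` is the “unlimited” pattern from the red-flag list, and a `Permit` with that same value is the gas-free equivalent, so “it won’t cost gas” is not a reason to relax.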
Quick reference: what’s the attacker trying to get?
| Request | What it can enable | Why scammers like it |
|---|---|---|
| Seed phrase / private key | Total wallet takeover | Immediate, irreversible theft |
| “Connect wallet” + approval | Token draining later | Victim may not notice until later |
| “Sign to verify” | Can grant a token allowance or list assets for sale, depending on signature type | Feels harmless; no gas fee |
| Remote access install | Device takeover, clipboard swaps, account theft | Bypasses many safeguards |
Scenario 5: Romance and “investment mentor” schemes
What it looks like
A stranger builds a relationship over days or weeks. They share lifestyle photos, consistent attention, and then introduce “a safe crypto strategy” or “a private platform.” Sometimes it’s framed as love, sometimes as mentorship: “I’ll teach you,” “My uncle works in finance,” “I have an insider bot.” The platform is usually fake, showing profits that can’t be withdrawn.
Observable red flags
- Fast emotional escalation or intense daily contact from a new person.
- Isolation tactics: “Don’t tell anyone,” “They won’t understand.”
- Controlled funnel: they insist on a specific site/app and guide every step.
- Withdrawal problems: fees, taxes, or “verification deposits” required to withdraw.
- Refusal to video call or inconsistent identity details.
Typical attacker scripts
- “I want to help you become financially free. Start small, then scale.”
- “This platform is invitation-only. I can get you access.”
- “You can withdraw anytime—just pay the compliance fee first.”
Safe response (step-by-step)
- Separate relationships from money. Do not invest based on a personal connection.
- Refuse private platforms you cannot independently verify through official, reputable sources.
- Test claims with friction: ask for verifiable company details, regulated entity info (if applicable), and independent reviews. Scammers usually pivot back to emotion or urgency.
- If you already deposited and withdrawals are blocked, stop sending more funds. “Fees to unlock withdrawals” are a common trap.
Scenario 6: “Guaranteed yield” fraud (fixed returns, risk-free staking, doubling)
What it looks like
An offer promises consistent high returns with little or no risk: “2% daily,” “guaranteed APY,” “insured profits,” “principal protected.” It may be framed as staking, arbitrage, a trading bot, or a private fund. Often there’s a referral program to recruit others.
Observable red flags
- Guaranteed returns or “no risk” language.
- Opaque strategy: no clear explanation of how yield is generated.
- Withdrawal restrictions or lockups that change unexpectedly.
- Referral pressure: rewards for bringing in new deposits.
- Proof-by-screenshot instead of verifiable statements.
Typical attacker scripts
- “This is a private pool. Spots are limited.”
- “We’ve never had a losing day.”
- “If you deposit today, you get a bonus rate.”
Safe response (step-by-step)
- Treat “guaranteed yield” as a red alert. In real markets, return and risk are linked.
- Demand verifiable transparency: who runs it, where funds are held, how yield is produced, what risks exist.
- Do not deposit to unknown addresses or contracts you cannot verify.
- Ignore scarcity tactics. Legit opportunities don’t require panic decisions.
Decision tree: verify any request before you act
Use this whenever someone asks you to click, connect, install, share, or send.
START: You receive a request (DM/email/post/phone) related to a crypto action.
Q1: Did YOU initiate this contact or action?
|-- NO --> Treat as suspicious. Go to Q2.
|-- YES --> Still verify. Go to Q2.
Q2: Does it ask for a seed phrase/private key?
|-- YES --> SCAM. Stop. Block/report.
|-- NO --> Go to Q3.
Q3: Does it ask you to install remote-access software or screen-share?
|-- YES --> SCAM. Stop. Block/report.
|-- NO --> Go to Q4.
Q4: Does it ask you to "verify/sync/connect" your wallet on a random site?
|-- YES --> High risk. Stop. Independently verify official domain/channels.
|-- NO --> Go to Q5.
Q5: Are you being pushed with urgency/authority/scarcity?
|-- YES --> Pause. Independently verify.
|-- NO --> Go to Q6.
Q6: Verification steps (always do these):
1) Independently find official support channels (bookmark official site; use in-app help).
2) Compare domain carefully; avoid links from messages.
3) If a transaction/approval is required, read the prompt and confirm it matches your intent.
4) If anything is unclear, do nothing and seek help via official channels.
END
How to independently find official support channels (practical method)
- Use a bookmark you created earlier for the service’s official website, or type the domain manually.
- Navigate to the support page from within the site/app (not from a message link).
- Cross-check the support handle or email listed on the official site with what contacted you.
- Assume DMs are fake by default. Real support typically won’t initiate private chats asking for sensitive actions.
Practical drill: identify the manipulation tactic
Read each message and label (a) the scenario type and (b) the manipulation tactic: urgency, authority, scarcity, fear, greed, reciprocity, social proof, or romance/affection. Then write the safe response in one sentence.
| Example message | Your labels (scenario + tactic) | Safe response (one sentence) |
|---|---|---|
| “Hi, I’m Support. Your wallet is flagged. Click this link to verify within 15 minutes or funds may be frozen.” | __________ | __________ |
| “Congrats! You’re eligible for the Season 2 airdrop. First 1,000 wallets get 5,000 tokens. Connect now.” | __________ | __________ |
| “To fix the issue, install AnyDesk so I can securely configure your wallet. This is standard procedure.” | __________ | __________ |
| “Sign this message to sync your wallet. No gas fee, totally safe.” | __________ | __________ |
| “I’ve been thinking about you. I want to help you earn like I do—my private platform guarantees 1.5% daily.” | __________ | __________ |
| “Send 0.05 ETH to activate withdrawals. You’ll get it back instantly with your profits.” | __________ | __________ |
Answer key (keep it honest)
- Message 1: Impersonation + urgency/authority/fear. Safe response: ignore DM, find official support channel independently, do not click.
- Message 2: Fake airdrop + scarcity/greed. Safe response: verify via official sources; don’t connect wallet from unsolicited link.
- Message 3: Impersonation + authority. Safe response: never install remote-access tools; end contact and report.
- Message 4: Wallet-drainer signature + ambiguity/urgency. Safe response: don’t sign; only sign when you understand exactly what it authorizes.
- Message 5: Romance/investment scheme + romance/greed. Safe response: refuse private platform; don’t invest based on relationship.
- Message 6: Advance-fee/withdrawal trap + urgency/greed. Safe response: stop paying; document and seek help; attempt recovery steps.
If you think you’re compromised: immediate response checklist
Speed matters. Your goal is to stop further loss, remove attacker access, and preserve evidence.
1) Freeze activity (stop the bleeding)
- Stop interacting with the suspicious site, chat, or “support agent.”
- Disconnect your wallet from the site (in the wallet’s connected-sites list) and close the browser/app. Disconnecting only stops the site from sending you new prompts; it does not undo any approval or signature you already gave, which is what step 2 is for.
- If a device may be compromised (remote access installed, suspicious downloads), stop using it for crypto actions.
2) Revoke permissions where applicable (wallet-drainer containment)
- Identify the network where the approval happened (e.g., the chain you used).
- Revoke suspicious token allowances using a reputable allowance management tool for that network (accessed via an official, independently verified link). Revocation is itself an on-chain transaction that sets the allowance back to zero, so it costs gas and must be sent from the compromised wallet; fake “revoke” sites exist, so read that prompt as carefully as the one that got you here. A gas-free permit you signed but that has not yet been submitted stays usable until its deadline passes or its nonce is consumed.
- Re-check for multiple tokens: drainers often request approvals for several assets.
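Because a revocation is a transaction you sign, it helps to know exactly what a legitimate one looks like: `approve(spender, 0)` for an ERC-20 token or `setApprovalForAll(operator, false)` for an NFT collection, sent to the token contract itself with zero ETH attached. The code below is an added example written for this course, not code from the original page or from any revocation tool. It builds those transactions from a list of live approvals, orders them so unlimited allowances and collection-wide operator rights go first, and checks a prompt from a “revoke” site against the expected calldata. The approvals list, token and spender addresses are constructed; in practice you get them from a block explorer or an allowance tool reached through a verified link.

```python
"""Build, prioritise and verify the transactions that revoke token permissions.

Added example for this course, not code from the original page or from any
revocation tool. A legitimate revocation is approve(spender, 0) or
setApprovalForAll(operator, false), sent TO THE TOKEN CONTRACT with no ETH.
The approvals below are constructed placeholders.
"""

SELECTOR_APPROVE = "095ea7b3"                # approve(address,uint256)
SELECTOR_SET_APPROVAL_FOR_ALL = "a22cb465"   # setApprovalForAll(address,bool)
MAX_UINT256 = 2**256 - 1


def _addr_word(address: str) -> str:
    """ABI-encode an address as a 32-byte word (left-padded with zeros)."""
    h = address.lower().removeprefix("0x")
    if len(h) != 40 or set(h) - set("0123456789abcdef"):
        raise ValueError(f"not a 20-byte hex address: {address}")
    return "00" * 12 + h


def revoke_tx(approval: dict) -> dict:
    """Return the unsigned transaction that removes one approval."""
    if approval["standard"] == "erc20":
        data = "0x" + SELECTOR_APPROVE + _addr_word(approval["spender"]) + "00" * 32
    elif approval["standard"] in ("erc721", "erc1155"):
        data = ("0x" + SELECTOR_SET_APPROVAL_FOR_ALL
                + _addr_word(approval["spender"]) + "00" * 32)  # bool false
    else:
        raise ValueError(f"unknown standard {approval['standard']}")
    return {"to": approval["token"].lower(), "value": 0, "data": data,
            "chain_id": approval["chain_id"]}


def revocation_plan(approvals):
    """Order revocations: unlimited ERC-20 allowances and collection-wide
    operator rights first, then by the value at risk (largest first)."""
    def urgency(a):
        unlimited = a["standard"] != "erc20" or a["allowance"] == MAX_UINT256
        return (not unlimited, -a.get("value_usd", 0))
    return [revoke_tx(a) for a in sorted(approvals, key=urgency)]


def looks_like_revocation(tx: dict, approval: dict) -> bool:
    """Check a prompt from a 'revoke' site: right contract, zero ETH, and
    calldata that clears the permission for the named spender. Anything else
    (a transfer, a new approve, a different 'to') is not a revocation."""
    expected = revoke_tx(approval)
    return (str(tx.get("to", "")).lower() == expected["to"]
            and int(tx.get("value", 0)) == 0
            and str(tx.get("data", "")).lower() == expected["data"])


# Constructed approvals, as an allowance tool or block explorer would list them.
TOKEN_A, TOKEN_B, NFT = "0x" + "aa" * 20, "0x" + "bb" * 20, "0x" + "cc" * 20
DRAINER, DEX_ROUTER = "0x" + "dd" * 20, "0x" + "ee" * 20
APPROVALS = [
    {"chain_id": 1, "standard": "erc20", "token": TOKEN_A, "spender": DEX_ROUTER,
     "allowance": 500 * 10**6, "value_usd": 500},
    {"chain_id": 1, "standard": "erc20", "token": TOKEN_B, "spender": DRAINER,
     "allowance": MAX_UINT256, "value_usd": 12000},
    {"chain_id": 1, "standard": "erc721", "token": NFT, "spender": DRAINER,
     "allowance": None, "value_usd": 3000},
]

if __name__ == "__main__":
    for step, tx in enumerate(revocation_plan(APPROVALS), 1):
        print(f"{step}. to={tx['to']} data={tx['data']}")
```

If the “revoke” site’s prompt fails `looks_like_revocation`, you are looking at a second drainer, not a fix.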
3) Move remaining funds to safety
- Create a clean destination: a wallet generated from a fresh seed phrase on a device you trust. If your seed phrase was exposed, every account derived from it is compromised, not just the one you used, so a new account under the same seed is not safe.
- Move remaining assets promptly, prioritizing the most valuable and most easily drained tokens.
- Consider network fees and time: if you’re racing an attacker, act decisively and avoid unnecessary steps.
4) Secure accounts and access paths
- If exchange credentials were entered on a phishing site: change password, rotate 2FA if needed, review login sessions, and contact official support through verified channels.
- If email was involved: secure email account first (it is often the reset point for everything else).
5) Document evidence (for support, reporting, and your own clarity)
- Save URLs, screenshots of messages, usernames, and timestamps.
- Record transaction hashes for any approvals or transfers you didn’t intend.
- Write a short timeline: what you clicked, what you signed, what you installed, and when.