Phishing is a social-engineering attack that tricks someone into voluntarily handing over credentials or approving a transaction that benefits an attacker, rather than breaking through any technical defense. In crypto, the payoff is unusually final: once a scammer has a seed phrase, private key, or a signed wallet approval, funds can be swept out within seconds, and there is no bank to call for a reversal.
Classic crypto phishing relies on a cloned exchange login page, a fake wallet "sync" or "airdrop claim" site, or a spoofed customer-support message that asks a user to type in their recovery words. Newer variants skip credential theft entirely: a fraudulent decentralized app presents an "approve" transaction that looks routine but actually grants the attacker unlimited spending rights over a token, a risk many wallets now try to flag before a signature is confirmed. A related tactic called address poisoning sends a near-zero-value transfer from a lookalike address so it appears in a victim's transaction history; the next time the victim copies an address to send funds, they may grab the scammer's version by mistake.
Security researchers tracked hundreds of millions of dollars lost to phishing kits and automated wallet drainers in 2025 and into 2026, much of it delivered through fake browser extensions, impersonated support accounts on social media, and messages tailored to a victim's visible on-chain activity. Enabling 2FA, bookmarking official sites instead of clicking links, verifying full addresses rather than trusting truncated ones, and never entering a seed phrase into any website remain the standard defenses.