#XPET #web3 #security-measures

Today I saw someone get robbed through a phishing website because of a careless click. I had a similar experience before. I trusted Google too much and thought that Google's search results should be able to filter this out. It turned out that I was wrong. Here is a summary of some ways that I think can effectively avoid this.

Risk of malicious authorization

1. Question the reliability of search results

I always thought that Google's search results would only push some advertisements and would not show phishing websites. However, my assets were stolen precisely because I mistakenly clicked on an ad pushed by Google, and this ad actually linked to a well-designed phishing website. There, the so-called "authorized login" I performed actually gave the website unlimited permission to operate on my USDT. So be wary of any search result.

2. Read the authorization content carefully

In many cases, if you accidentally land on a phishing website, both the page you see and the contents of the MetaMask popup it triggers may be tampered with and carry phishing code. In that situation the safest thing to do is to close the site immediately. In the Web2 world we are used to clicking "authorize" without reading the terms, and hackers take advantage of exactly this habit to steal assets. Therefore, before every click on "authorize", read the authorization details carefully (what is being approved, for whom, and how much) and check the URL. This is the last line of defense for your assets.

How can we prevent it?

1. Use the Brave browser: this browser is designed with Web3 in mind and is more effective than Chrome at blocking phishing websites, while also providing privacy protection and ad blocking. I have also tested how Chrome and Brave respond to phishing websites before: Chrome lets them through directly, while Brave blocks them effectively;

2. Enter DeFi projects through DefiLlama, or bookmark the URLs of the DeFi projects you use often, instead of reaching them through search results. This is an important step for everyone to protect their assets;

3. Read every authorization carefully: start developing this habit now;

4. Regularly check and revoke unnecessary permissions: if you often use dApps that interact with smart contracts, it is recommended to regularly review your token approvals and revoke any you no longer need. You can use the method officially recommended by MetaMask. Details can be found here.
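As an added example (not code from the original post): a small Python decoder of what a wallet "authorize" popup really grants, covering the careful reading in point 3 and the revoke in point 4. The function selectors are the standard ERC-20/721/1155 ones; the calldata and the spender address are constructed sample values, not a real transaction.

```python
UINT256_MAX = (1 << 256) - 1

# 4-byte selectors of the approval functions a phishing site typically asks you to sign
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",            # ERC-20 / ERC-721
    "39509351": "increaseAllowance(address,uint256)",  # ERC-20 (OpenZeppelin)
    "a22cb465": "setApprovalForAll(address,bool)",     # ERC-721 / ERC-1155
}

# Constructed sample: what a fake "authorized login" page might really ask MetaMask
# to send to a token contract: approve(<attacker>, 2**256-1). Address is a placeholder.
ATTACKER = "0x" + "deadbeef" * 5
SAMPLE_PHISHING_APPROVE = "0x095ea7b3" + "0" * 24 + "deadbeef" * 5 + "f" * 64


def decode_approval(calldata: str, trusted_spenders=frozenset()) -> dict:
    """Explain what an approval transaction grants. trusted_spenders: lowercase 0x addresses."""
    data = calldata.lower().removeprefix("0x")
    fn = SELECTORS.get(data[:8])
    args = data[8:]
    if fn is None:
        return {"function": None, "warnings": ["not an approval call"]}
    if len(args) < 128:
        return {"function": fn, "warnings": ["malformed calldata"]}
    # ABI encoding: one 32-byte word (64 hex chars) per argument; an address is
    # right-aligned in its word, so the real address is the last 40 hex chars
    spender = "0x" + args[:64][-40:]
    value = int(args[64:128], 16)
    warnings = []
    if spender not in trusted_spenders:
        warnings.append(f"spender {spender} is not a known contract")
    if fn.startswith("setApprovalForAll"):
        if value == 1:
            warnings.append("grants control over every token in this collection")
    elif value == UINT256_MAX:
        warnings.append("unlimited allowance: spender can drain the whole balance")
    return {"function": fn, "spender": spender, "value": value, "warnings": warnings}


def revoke_calldata(fn: str, spender: str) -> str:
    """Calldata that undoes a grant: approve(spender, 0) or setApprovalForAll(spender, false)."""
    selector = "a22cb465" if fn.startswith("setApprovalForAll") else "095ea7b3"
    spender_word = spender.lower().removeprefix("0x").rjust(64, "0")
    return "0x" + selector + spender_word + "0" * 64
```

Run `decode_approval` on the hex data MetaMask shows under the transaction's "Data" tab; an unknown spender combined with an unlimited value is exactly the pattern the post describes.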

Mnemonic phrase leaks

Avoid volunteering sensitive information

Hackers often use various excuses to induce users to reveal their mnemonic phrases or private keys. Under no circumstances should we provide this extremely sensitive information to others.

Store private keys and mnemonic phrases carefully

Although wallets such as MetaMask may have potential vulnerabilities, the chance of a private key or mnemonic phrase leaking through such a vulnerability is relatively low. Some users, worried about forgetting their mnemonic phrase or private key, choose to save it in plain text on network drives and other Internet-connected devices. This is extremely dangerous. We should make every effort to keep the mnemonic phrase or private key from ever being exposed to a networked environment.

Decentralized management of assets

Concentrating all assets in one wallet address is extremely risky. Once that address is compromised, every token in it may be lost.

How to effectively prevent it?

1. Never reveal your mnemonic phrase or private key: no matter what circumstances you face, never show or give your mnemonic phrase or private key to anyone.

2. Keep sensitive information offline: do not save mnemonic phrases or private keys on any Internet-connected device. Use a 3-copy distributed offline storage method.

3. Spread assets across wallets (decentralized asset management): avoid placing all assets in the same wallet address, to reduce single-point risk.

4. Actively use hardware wallets: hardware wallets provide a higher level of security and are ideal for managing digital assets.