What is the minimum anti-phishing routine to follow before you connect/sign/claim?

Conclusion

Most phishing follows the same chain:

• fake entry point → make you connect/sign → drain via permissions

So your defense reduces to two habits:

1. control your entry points (bookmarks/official sources only)
2. read permissions before signing (Approve/Permit/SetApprovalForAll)

If anything feels off, stop. Do not push through.

Explanation

The dangerous action is often not a transfer. It’s an approval that grants spending rights.

Common high-risk permissions:

• Approve (ERC-20): token spend allowance (unlimited is the big risk)
• Permit (EIP-2612-style): approvals via signature
• SetApprovalForAll (NFTs): collection-wide transfer permission

Your goal is to avoid granting permission to the wrong contract.

Practical Guide

Step 1: lock down entry points (before you click)

• avoid search results, especially sponsored ads
• use only:
  • official docs
  • official X/Discord pinned messages
  • your own bookmarks (best)
• read the domain out loud (catches lookalikes)
• watch for fake subdomains (official.example.com.attack.tld)

Step 2: reduce exposure (before you connect)

• do not stay connected by default
• split wallets by purpose:
  • main assets (rarely used)
  • experimental (airdrops/DeFi)
• confirm chain + account match what you expect

Step 3: read permission intent (before you sign)

On the signer screen, check:

• is this Approve / Permit / SetApprovalForAll?
• is it unlimited?
• does the spender/contract match the real app?

If uncertain:

• cancel
• verify the official URL on another device
• confirm the same action exists in official docs

Step 4: limit blast radius (after the action)

• disconnect
• review approvals monthly (or weekly if you farm airdrops)

Pitfalls

• “official-looking” ads ranking above the real site
• fake support via DMs (assume scam)
• urgency triggers (“claim now”, “limited time”)

Checklist

• [ ] Enter via bookmarks or official sources (not ads/search)
• [ ] Domain verified (lookalikes/subdomain traps)
• [ ] Wallet is not connected by default
• [ ] Correct chain + account confirmed
• [ ] Purpose wallet separation exists (main vs experimental)
• [ ] Signer screen checked for Approve/Permit/SetApprovalForAll
• [ ] Unlimited allowance avoided unless intentional
• [ ] Spender/contract verified (if unsure, cancel)
• [ ] Post-action disconnect performed
• [ ] Approval review cadence exists (monthly/weekly)
• [ ] Revocation tool/process is known in advance

FAQ

Q1. Is “don’t click links” realistic?

No. The realistic rule is: control entry points and verify the domain every time.

Q2. Why are approvals more dangerous than transfers?

Transfers are one-time. Approvals can authorize ongoing spending or NFT transfers until revoked.

Q3. What’s the fastest damage control if I already signed?

Stop interacting, review approvals, revoke suspicious ones, and move funds to a safer wallet if needed.

Internal links

• Parent hub: Web3 safety: start here
• Related:
  • Safe airdrop claims checklist
  • Read wallet signing screens checklist
  • Review and revoke token approvals on EVM

References

• MetaMask Security: https://support.metamask.io/
• EIP-2612 Permit: https://eips.ethereum.org/EIPS/eip-2612

Disclaimer

Not financial advice. General security guidance only.