The Complete Guide to Spotting Fake Airdrops & Phishing: Approval Phishing, Fake Claim Pages, Seed-Phrase Scams
I know plenty of people who farmed for half a year without catching a single decent airdrop, yet one late night their hand slipped and they signed away everything they'd built up over months. The story is always the same pattern: see a message saying "you're eligible, claim now, limited time," click in, connect wallet, popup, confirm — three seconds. On-chain transactions are irreversible; once that one click is signed, no one can get it back. So I call this quest the "bestiary": the real enemy of farming isn't missing out, it's getting phished. The monsters below — what they look like, how they bite, how to dodge them, and how to save yourself if bitten — I'll break down one by one.
Remember one thing first: money doesn't move because you looked at a website
Before the fight, nail one underlying truth into your head — it'll keep you from making a fatal mistake in a moment of panic: assets on a blockchain only move because of a transaction or approval signed by your own hand. Simply opening a page, connecting a wallet, looking at an ad, watching a countdown — none of those actions costs you a cent. The danger is always the next step: your wallet pops up a box asking you to click "confirm," "sign," or "approve," and you click it.
Scams come in endless variations, but they have only two endpoints: either trick you into signing an approval or transfer, or trick you into handing over your seed phrase or private key directly. The former steals a particular coin or a particular asset; the latter steals the whole wallet. Recognize these two main lines and you can classify every later trick. So whenever any "claim," "verify," "sync," or "unlock" popup appears, pause three seconds and ask yourself one question: what exactly am I signing right now? That one pause can save most of what you own.
The mistake beginners most often make isn't "getting hacked by sophisticated tech" — it's clicking confirm offhandedly while anxious and excited. Every phishing scheme leans on two things to rush you: scarcity (limited time, limited spots, miss it and it's gone) and authority (posing as official). The moment you feel "I need to hurry," that's most likely exactly the moment to stop.
Monster #1: fake airdrops and fake claim pages
This is the most common opener. Its bait usually looks like this:
- A token inexplicably appears in your wallet, with a name often made to impress, echoing some hot project, and a URL stuffed into the token description saying "go here to claim your real reward."
- Someone @s you or DMs you on Twitter, Telegram, or Discord, saying you're eligible for some airdrop, with a claim link attached.
- You search a project on Google, and the top ad slot is a counterfeit domain that looks almost identical to the official site, off by a letter or two, or with .com swapped for .xyz, .app, and the like.
Once you click in, the fake claim page is made very convincing: the project logo, colors, and fonts all copied, a bright "Claim" button on the page, maybe a ticking countdown to rush you. You connect your wallet, click claim, and the popup appears — here's the key — what that popup asks you to sign isn't "claiming coins" at all, but an approval or transfer. The interface says "Claim," but the contract call actually executing underneath approves your assets to the scammer, or transfers them away outright.
How to recognize it? A few hard rules:
- Verify the domain letter by letter. Don't trust search results, don't trust links others send. To actually reach a project's official site, click through from its official Twitter profile or official docs, or type a URL you've confirmed yourself. Counterfeit domains are this scam's weak point — clamp down on it and you filter out most of them.
- Treat any too-good-to-be-true "limited-time claim" as fake to begin with. Real airdrops rarely use "claim now or lose it" pressure tactics; legitimate projects tend to spell the rules out clearly and leave ample time. The more it rushes you and maxes out the sense of scarcity, the more suspicious it is.
- An unfamiliar token that materializes in your wallet — never touch the link it gives. This kind of "airdrop" is bait to hook you onto a phishing page. Just act as if it doesn't exist; it won't steal your coins by itself.
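The letter-by-letter domain check from the rules above, written as an added example (not part of the original guide). `OFFICIAL`, `checkLink` and the sample links are constructed for illustration, and the punycode check goes one step beyond the cases the text lists.

```javascript
// Added example, not from the original guide. OFFICIAL is a constructed
// allowlist: fill it only with domains you have verified yourself.
const OFFICIAL = ["example-protocol.com"];

// Levenshtein edit distance: insert, delete and substitute each cost 1.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// "app.example.com" -> ["app.example", "com"]
function splitTld(host) {
  const i = host.lastIndexOf(".");
  return i < 0 ? [host, ""] : [host.slice(0, i), host.slice(i + 1)];
}

function checkLink(link, allowlist = OFFICIAL) {
  let host;
  try {
    host = new URL(link).hostname.toLowerCase();
  } catch {
    return { verdict: "invalid", reason: "not a parseable URL" };
  }
  if (allowlist.includes(host)) return { verdict: "match", host };
  // The URL parser converts non-ASCII hostnames to "xn--" punycode labels.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { verdict: "suspicious", host, reason: "punycode label, possible look-alike letters" };
  }
  const [name, tld] = splitTld(host);
  for (const good of allowlist) {
    const [goodName, goodTld] = splitTld(good);
    const d = editDistance(name, goodName);
    if (d === 0 && tld !== goodTld) {
      return { verdict: "suspicious", host, reason: `TLD swap of ${good}` };
    }
    if (d >= 1 && d <= 2) {
      return { verdict: "suspicious", host, reason: `${d} letter(s) off ${good}` };
    }
  }
  return { verdict: "unknown", host, reason: "not on your verified list" };
}

// Constructed sample links of the kinds the list above describes.
const SAMPLE_LINKS = [
  "https://example-protocol.com/airdrop",
  "https://example-protocol.xyz/claim",
  "https://examp1e-protocol.com/claim",
];
```

An "unknown" verdict is not a pass: it only means the host is neither on your list nor close to an entry on it.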
A side note: what a real airdrop is, why projects are willing to give tokens away, and roughly what a legitimate claim flow looks like are all covered in "what an airdrop is." Have a mental template of "what normal looks like" first, and the fakes give themselves away more easily.
There's a particularly insidious variant: the phishing page asks you to "sign a free message to verify your identity." This signature looks harmless (no gas, looks like a login), but its content may be a permit approval (detailed below), and signing it opens a door. Remember: if you can't understand what something you're being asked to sign is saying, don't sign it.
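To make the "free identity verification" signature readable, here is an added example (not part of the original guide) that classifies a typed-data signing request and reports whether it is really a permit. The function names, the sample payload and the "unlimited" threshold are assumptions of this example.

```javascript
// Added example, not from the original guide: classify the JSON a site hands
// to eth_signTypedData_v4, the request behind a "gas-free signature" popup.
const PERMIT_PRIMARY_TYPES = new Set([
  "Permit",                                        // EIP-2612 token permit
  "PermitSingle", "PermitBatch",                   // Permit2 allowance
  "PermitTransferFrom", "PermitBatchTransferFrom", // Permit2 signed transfer
]);
// Heuristic (assumption): amounts >= 2^160 - 1, Permit2's maximum, count as unlimited.
const UNLIMITED_FLOOR = (1n << 160n) - 1n;

function toBigInt(v) {
  try { return BigInt(v); } catch { return null; }
}

// Collect amount fields wherever each permit flavour keeps them.
function amountsOf(msg) {
  const nested = [].concat(msg.details ?? [], msg.permitted ?? []);
  return [msg.value, msg.amount, ...nested.map((d) => d?.amount)]
    .filter((v) => v !== undefined)
    .map(toBigInt);
}

function classifyTypedData(payload) {
  let data;
  try {
    data = typeof payload === "string" ? JSON.parse(payload) : payload;
  } catch {
    return { kind: "not-typed-data" }; // e.g. a plain-text login message
  }
  const msg = data?.message;
  if (!msg || typeof msg !== "object" || typeof data.primaryType !== "string") {
    return { kind: "not-typed-data" };
  }
  const amounts = amountsOf(msg);
  const isPermit = PERMIT_PRIMARY_TYPES.has(data.primaryType) ||
    ("spender" in msg && amounts.length > 0); // permit-shaped under another name
  if (!isPermit) return { kind: "other-typed-data", primaryType: data.primaryType };
  return {
    kind: "token-approval-signature",
    primaryType: data.primaryType,
    spender: msg.spender ?? null,
    verifyingContract: data.domain?.verifyingContract ?? null,
    // DAI-style permits carry a boolean `allowed` instead of an amount.
    unlimited: msg.allowed === true ||
      amounts.some((a) => a !== null && a >= UNLIMITED_FLOOR),
    deadline: msg.deadline ?? msg.sigDeadline ?? msg.expiry ?? null,
  };
}

// Constructed sample: an EIP-2612 permit dressed up as "identity verification".
// All addresses are placeholders.
const SAMPLE_VERIFY_REQUEST = JSON.stringify({
  primaryType: "Permit",
  domain: { name: "Example Token", chainId: 1, verifyingContract: "0x" + "11".repeat(20) },
  message: {
    owner: "0x" + "aa".repeat(20),
    spender: "0x" + "22".repeat(20),
    value: "0x" + "f".repeat(64),
    nonce: 0,
    deadline: 1893456000,
  },
});
```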
Monster #2: approval phishing (approve / permit / setApprovalForAll)
This is the one most worth the time to understand, because it's the sneakiest and most common. To explain it properly, first I have to make clear what an approval mechanism is.
On-chain, your tokens (say USDT, various ERC-20 tokens) sit in your own address. When you want to use a DeFi app — to swap, to stake — that app's contract needs to "move those coins on your behalf." But it can't move your money out of nowhere; you first have to approve it: you sign a transaction telling the token contract to "allow such-and-such contract address to move up to X of this coin of mine." This is a normal mechanism that farming can't avoid — if you've used DeFi, you've signed an approve.
The problem lies in two places. First, many approvals default to an unlimited amount: for convenience, apps often request an allowance with no ceiling so you don't have to re-approve each time. Convenient, yes, but if that contract is malicious, or later gets hacked, it can sweep all of that coin away, not just the bit you meant to use. Second, the damage from an approval is delayed: at the moment you sign, your balance hasn't dropped and the popup isn't scary, so you feel nothing. Once the scammer has an unlimited approval, they can lie in wait and sweep it clean on the day your balance is highest. Many people who get "hacked out of nowhere days later" trace it to an approval signed offhandedly at some point.
A few common approval calls — you should at least recognize the names:
- approve — for ERC-20 tokens (USDT, various coins), approving a contract to move a coin of yours, possibly with an unlimited amount.
- permit / permit2 — an "approve via signature" method, no separate transaction, no gas, even less noticeable. Phishing pages love it, because victims think "I just signed something, I didn't spend money" and let their guard down the most.
- setApprovalForAll — for NFTs, and this one is the harshest: one signature approves your entire NFT collection to the other party. Fake "NFT claim" and "free mint" pages love it, able to walk off with a whole set of your NFTs in one go.
In a wallet signature popup, if you see words like approve, permit, or setApprovalForAll, with the amount shown as "unlimited / Unlimited / a long string of a huge number," and you don't clearly know why you'd be approving — reject it immediately. A legitimate app's approval appears only when you actively initiate a swap or stake, not popped at you out of nowhere by some "claim an airdrop" or "verify identity" page.
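What "reading the popup" amounts to underneath, as an added example (not part of the original guide): decode the transaction's `data` field and state its real intent, including the zero-amount approve that a revoke consists of. `describeCall`, the result fields and the sample transaction are constructed for this example.

```javascript
// Added example, not from the original guide: read the `data` field of the
// transaction a page asks the wallet to send and report what it really does.
const MAX_UINT256 = (1n << 256n) - 1n;
const SELECTORS = {
  "095ea7b3": "approve",           // approve(address,uint256)
  "a22cb465": "setApprovalForAll", // setApprovalForAll(address,bool)
  "a9059cbb": "transfer",          // transfer(address,uint256)
  "23b872dd": "transferFrom",      // transferFrom(address,address,uint256)
};

// ABI arguments are 32-byte words: addresses right-aligned, numbers big-endian.
const wordAt = (body, i) => body.slice(i * 64, (i + 1) * 64);
const asAddress = (w) => "0x" + w.slice(24);
const asUint = (w) => BigInt("0x" + w);

function describeCall(tx) {
  const hex = String(tx.data ?? "0x").toLowerCase().replace(/^0x/, "");
  if (hex === "") return { intent: "native coin transfer", to: tx.to };
  if (!/^[0-9a-f]+$/.test(hex)) return { intent: "unreadable", why: "data is not hex" };
  const name = SELECTORS[hex.slice(0, 8)];
  if (!name) return { intent: "unknown call", selector: "0x" + hex.slice(0, 8) };
  const body = hex.slice(8);
  const needed = name === "transferFrom" ? 3 : 2;
  if (body.length < needed * 64) return { intent: "unreadable", why: `truncated ${name}` };

  if (name === "approve") {
    // Same selector on ERC-721, where the second word is a token id, not an amount.
    const amount = asUint(wordAt(body, 1));
    return {
      intent: amount === 0n ? "revoke allowance" : "grant allowance",
      contract: tx.to,
      spender: asAddress(wordAt(body, 0)),
      amount: amount.toString(),
      unlimited: amount === MAX_UINT256,
    };
  }
  if (name === "setApprovalForAll") {
    const approved = asUint(wordAt(body, 1)) !== 0n;
    return {
      intent: approved ? "grant operator over whole collection" : "revoke operator",
      contract: tx.to,
      operator: asAddress(wordAt(body, 0)),
    };
  }
  const isFrom = name === "transferFrom";
  return {
    intent: "move tokens out",
    contract: tx.to,
    recipient: asAddress(wordAt(body, isFrom ? 1 : 0)),
    amount: asUint(wordAt(body, isFrom ? 2 : 1)).toString(),
  };
}

// Constructed sample: what a "Claim" button could submit. Addresses are placeholders.
const pad = (h) => h.replace(/^0x/, "").padStart(64, "0");
const SPENDER = "0x" + "22".repeat(20);
const SAMPLE_CLAIM_TX = {
  to: "0x" + "11".repeat(20),
  data: "0x095ea7b3" + pad(SPENDER) + "f".repeat(64),
};
```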
How to dodge approval phishing?
- Understand the popup before signing. Mainstream wallets now give a reading before you sign: what this transaction does, who it approves, how large the amount is. Don't click confirm mindlessly — spend five seconds reading that line. Can't understand it? Don't sign.
- Lower the approval amount if you can. Many wallets let you change unlimited down to "just enough for this time." A bit more hassle, but it compresses the risk from "everything" to "this little bit."
- Clean up approvals periodically. With a tool like revoke.cash, connect your wallet and you can see which contracts your address has approved and for how much, then revoke the unused and suspicious ones one by one. Make this a routine habit; how to do it and how often is covered specifically in the "Wallet Security" guide.
Approvals are exactly why this site keeps stressing having a dedicated farming wallet with no big money in it: even if an approval gets phished one day, the loss is confined to this small pot, while your main holdings and long-term assets sit safe in a separate clean wallet, never touched.
Monster #3: the drainer auto-sweep script
"Drainer" means just that — a whole suite of malicious scripts purpose-built to empty wallets. It's not a single move but a packaging of the above tactics into a "product" — in the criminal underground, people even rent drainers out to others, the renter handling the lure (fake sites, buying ads, scattering links in groups) while the drainer handles "efficient emptying" and splits the loot with the renter. So many phishing sites you see out there run on the same drainer behind the scenes.
Where's its sting? The instant you connect your wallet, the script automatically scans every asset in your address — across chains, every token, NFTs — works out which is most valuable, then carefully constructs a popup dressing up "the highest-value approval or transfer" to look as harmless as a "claim" or "verify," luring you to sign it in one go. Some go further, splitting the signing into several steps, granting small sweeteners early to lower your guard and dropping the real hit on the last step. The whole process is highly automated; from connecting your wallet to assets being swept can be a matter of tens of seconds.
To find out exactly what these phishing pages want you to sign, we deliberately set up an empty wallet (a few dollars of gas, no valuable assets) and visited a few known phishing sites, watching the block explorer and the wallet's "reading" interface the whole time. The pattern across several sites was nearly cut from one mold: "Claim" shouting all over the page, but what the wallet actually had us confirm was either an approve unlimited approval, a permit signature, or a setApprovalForAll. The sneakiest one first popped a "gas-free identity verification signature" to relax us, with the real approval only in the second popup right after. We rejected them all, of course. The line most worth taking away: when you're panicking, staring at the page is useless — look down and read that one line of real intent in the wallet popup, and the mask falls off instantly. One more word — don't run this test with your main wallet; there's a real loss risk, so use a disposable empty wallet.
Defending against a drainer involves no mysticism — just doing the work of the previous two sections solidly: don't enter dubious sites, don't sign things you don't understand, and isolate risk with a dedicated small wallet. However "smart" a drainer is, it still has to wait for you to press that confirm button before it can act. Keep that hand in check and it's a paper tiger.
Monster #4: seed-phrase and private-key scams
The earlier ones at least still need to trick you into signing something; this one goes straight for the master key: tricking you into handing over your seed phrase or private key. Once it succeeds, it doesn't even need your signature — with your seed phrase it can "copy" your entire wallet onto any device, and every chain and asset under your name changes hands in an instant. This is the most total loss, because it steals not a particular coin but ownership of the whole wallet.
What a seed phrase (usually 12 or 24 English words) and a private key actually are, and why they equal the master key, is explained fully in the "Wallet Security" guide. Here you only need to remember one red line with no exceptions:
No genuine airdrop, support agent, official activity, wallet upgrade, sync, or unfreeze ever needs you to provide your seed phrase or private key. The moment someone asks — no matter how reasonable the reason, how official the tone, how legitimate the interface — they are one hundred percent a scammer. Close it; no hesitation needed.
A few common skins this scam wears:
- Fake "wallet sync / import" pages. Build a page that looks like MetaMask or the Binance wallet, claim your wallet needs to "re-verify / sync," and ask you to enter your seed phrase. The moment you fill it in, the words are in the scammer's hands.
- Fake support "helping you fix a problem." You complain in some group that your wallet is acting up, and a "support agent" or "admin" immediately DMs you, helpfully guiding you to some page or just asking you to send the seed phrase to them "to help recover it." Real support will never ask for that.
- Fake wallet apps / fake extensions. A wallet downloaded from an unofficial source is itself a shell; when you create or import a wallet, the seed phrase is grabbed straight away. So always install wallets from official channels — a point stressed repeatedly in the Binance Web3 Wallet guide.
- "High-fidelity" recovery-phrase input fields. Some phishing pages thoughtfully lay out 12 / 24 input boxes in a row, looking very much like a legitimate import screen to lower your guard. However alike the interface, the logic doesn't change: the real thing never asks you for your seed phrase.
Bluntly, a seed phrase should live offline for its entire life; from the day you copy it down, it should never again be typed into any web page, any chat box, or any support conversation. Apart from the single case of restoring your wallet inside a wallet app you trust, anything else asking for it is after your entire net worth.
Monster #5: fake support, fake official accounts, fake airdropped-in groups
This one is the "customer acquisition channel" for all the moves above. A scammer first has to get you onto a phishing page, or earn your trust, before they can deploy the earlier tactics. The methods are very social-engineering:
- Fake official accounts / high-fidelity impersonations. Avatar, name, and bio all copied from the real project, some even buying the blue check, replying "claim the airdrop here" under the real project's popular posts, or posting "official airdrop now live" outright. A beginner can't tell real from fake and clicks offhandedly.
- Comment-section and DM phishing. You comment under a crypto-related post, or just followed a project, and soon an "official assistant" or "airdrop specialist" DMs you. Remember: a legitimate project almost never DMs you a link unprompted. Anyone who comes to you on their own, treat as a scammer by default.
- Fake groups / "airdropped-in" groups. You're inexplicably added to a lively-looking group where "shills" flaunt their gains and admins post an "exclusive claim channel." The livelier the group, the more outrageous the flaunting, the more urgent the rush — the warier you should be.
- Fake "wallet popup" notifications. Some NFTs or tokens airdrop to your address as a "notification"; open it and it reads "congratulations, you won, click here to claim," but it's really just steering you to a phishing site.
To judge whether an information source is real, don't look at "how official it looks" — look at whether it's pushing you toward a high-risk action. A real official announcement usually just tells you to go check the official site; a scammer will find every way to get you to connect a wallet right now, sign right now, hand over a seed phrase right now. As long as it rushes you to do one of those three, however official it looks, treat it as a scammer first.
If you're caught, how to save yourself: cut, revoke, move, record
If something really does go wrong, don't freeze. On-chain transactions are irreversible, but racing the clock can often still save part of it, especially if the scammer hasn't yet swept all the coins, or if you were only phished for an approval rather than leaking your seed phrase. Remember four words: cut, revoke, move, record.
- Cut — disconnect immediately. First thing, disconnect the wallet from that site (the "connected sites" list in your wallet lets you cut it manually), close the phishing page, and go offline if needed. Cut the in-progress interaction first to stop it from luring you into the next signature.
- Revoke — revoke the approval. If you suspect you signed an approval, immediately connect that wallet to revoke.cash, check the approval records one by one, and revoke that suspicious contract's approval. Note: revoking also requires a transaction and costs gas, so keep a little gas in the wallet. The faster the better — it cuts off the channel for "continued draining from now on." But be clear-eyed: it can't recover coins already swept, only stop the later bleeding.
- Move — move remaining assets. If what you leaked is the seed phrase or private key, then revoking approvals is useless, because the scammer has the master key. In that case the wallet is effectively scrap: immediately move the valuable assets still in it to a brand-new, clean wallet (created on a new device with a new seed phrase — never reuse the leaked set). You're racing the scammer; whoever's script/hand is faster takes it, so move fast and move the highest-value first.
- Record — record and investigate. Afterward, use a block explorer (Etherscan, BscScan) to comb through this address's transaction history, see exactly what was signed, which transaction the coins left from, and which address they went to, and record it. First, to understand the loss boundary and confirm whether any other approval is still un-revoked; second, in case a larger amount is involved and you need to report it or raise it with a platform, this on-chain evidence comes in handy.
The first fork in self-rescue is asking yourself: did I leak an "approval," or a "seed phrase / private key"? Only phished for an approval — the wallet can still be kept; revoke the approval and move the assets. If a seed phrase or private key leaked — abandon this wallet entirely and move all assets to a new one, and never use it again. Get the direction wrong and you waste the rescue window.
Of course, the best rescue is never letting it get to this point. Separate the farming wallet from your big money, revoke periodically, understand the popup before signing, and don't touch links of unknown origin: these daily habits are a hundred times more useful than scrambling after the fact. For how to build this line of defense, read through "Wallet Security: seed phrases, private keys, hardware wallets, and approval management" and set up the whole protection kit; if you don't have the big picture yet, go back to "what an airdrop is" to run through the whole context of farming, then check yourself against "the 10 mistakes beginner farmers make most" to clear your own minefield. On the scam quest, recognizing the monsters wins you half the battle; the other half is the habits you build.
Frequently asked questions
I opened a phishing link but didn't sign anything. Will I lose coins?
Just opening the page and connecting your wallet usually isn't enough to lose coins. The real danger is when you go on to click a wallet popup like "confirm," "sign," or "approve." Money on a blockchain doesn't move because you glanced at a website; it only moves because of a transaction or approval you signed with your own hand. So if you connected your wallet but signed nothing, don't panic — disconnect, close the page, and check on revoke.cash whether that site phished any approval.
What's the difference between an approve approval and a direct transfer, and why is an approval sneakier?
A transfer moves coins directly — what you send is what leaves, visible on the spot. An approval (approve) is you allowing a contract to "move this token of yours from now on," possibly with an unlimited amount. Its sneakiness is that when you sign, your coins haven't decreased and the popup isn't alarming; the danger pays off later: once a scammer has an unlimited approval, they can sweep it all when your balance is highest. That's why many people are "hacked several days later."
After being phished for an approval, can revoking on revoke.cash recover the coins already stolen?
No. Revoking an approval only cuts off the channel for being drained "from now on"; assets already moved out can't be recovered, because on-chain transactions are irreversible. So revoking is about stopping the bleeding: if the approval is still live and the coins haven't all been swept, revoking fast saves what's left; if your private key or seed phrase was leaked, revoking won't help and you must abandon the whole wallet and move assets to a brand-new one.
Why do all scams eventually ask for my seed phrase or private key?
Because the seed phrase and private key are the master key to the wallet; getting them equals getting all assets across all chains under that wallet, with no further signing needed from you. No genuine airdrop, support agent, or official activity ever needs you to provide your seed phrase or private key. So this is a red line with no exceptions: no matter how reasonable the reason sounds, the moment someone asks for your seed phrase or private key, they're a scammer — close it.
An unknown token suddenly appeared in my wallet. What should I do?
Don't touch it, and especially don't click any "official site" or "claim" link attached to it. An unfamiliar token airdropped to your address unprompted is, in the vast majority of cases, bait: it lures you to a phishing site to wait for you to approve or sign. The right move is to act as if it doesn't exist — don't interact, don't approve, and hide it in your wallet if needed. It won't steal your coins by itself; trouble only starts if you touch its link or sign something.
To check and revoke approvals yourself, use revoke.cash; for a wallet's official security guidance, see the MetaMask Help Center; on-chain transactions and fund flows can be checked yourself on block explorers Etherscan and BscScan; for conceptual explanations of mechanisms like approve, refer to Binance Academy and ethereum.org.



