How to Identify Phishing Links

Jun 18, 2026

Phishing links impersonate trusted sources to trick users into clicking them and disclosing their private keys or seed phrases. Knowing how to identify them is the first line of defense for protecting your crypto assets.

Why It Matters

Phishing attacks are one of the leading causes of asset loss in the crypto space. The OWASP phishing attack guide defines phishing as a social engineering technique in which attackers impersonate trusted entities to trick victims into revealing sensitive information or performing dangerous actions. In a Web3 context, a single click can directly result in a wallet being stolen — and no institution can intervene to recover the funds.

Core Mechanics and Key Concepts

1. Domain spoofing (typosquatting) Attackers register domains that look extremely similar to official ones, exploiting users' visual inattention. Examples:

  • onekey.so (official) vs. onekey.so.phishing-site.com (fake)
  • Using visually similar characters: 0 (zero) replacing o (the letter), 1 (one) replacing l (lowercase L)

2. Search engine ad poisoning Attackers purchase ad placements on Google and similar search engines. When users search for "MetaMask download" or "OneKey official site," the fake website appears at the top of the results. Users click the ad rather than an organic result and land on a phishing site.

3. Fake social media accounts Impersonating official Twitter/X, Discord, or Telegram accounts, posting content such as "claim your airdrop," "urgent security upgrade," or "seed phrase migration" — luring users to phishing sites.

4. Email phishing Fake emails impersonating exchanges or wallet service providers, claiming account anomalies or the need to verify identity, with a link redirecting to a fake page.

5. QR code substitution In offline settings, attackers replace legitimate QR codes with phishing link QR codes. Scanning leads directly to a fake page.

Method 1: Check the full URL Carefully examine the domain in the browser address bar, paying special attention to:

  • Whether the root domain is completely correct (watch for spelling and character substitution)
  • Whether HTTPS is being used (but HTTPS alone does not guarantee a site is trustworthy)
  • Whether the subdomain structure makes sense (app.onekey.so is an official form; onekey.so.app.malicious.com is a fake)

Method 2: Do not click links in emails or messages Develop the habit of manually typing official domains directly into the browser, or using bookmarks to access frequently used DApps. Avoid navigating through links in emails, Discord messages, or Twitter posts.

Method 3: Verify through official channels Any action claiming to require "seed phrase verification," "asset migration," or an "urgent upgrade" should be re-verified through the official website (such as OneKey's website) or the official app — not by directly following an unverified link.

Method 4: Use phishing detection tools Major browsers have built-in basic phishing protection. Some security extensions provide additional malicious domain database blocking. Wallets such as MetaMask also integrate blocklist services like PhishFort.

Method 5: Hover to preview links Before clicking a link, hover your mouse over it and check the actual URL shown in the browser's status bar at the bottom to confirm it matches the displayed text.

User Scenarios

Scenario A: Discord airdrop scam A user in an NFT project's Discord server receives a direct message: "Congratulations, you've been whitelisted — claim within 24 hours at [link]." The link leads to a fake mint page that asks the user to connect their wallet and sign a malicious contract.

How to identify it: Official projects do not send whitelist notifications via direct message. Always verify directly through the official Discord announcement channel.

Scenario B: Search engine ad A user searches for "Uniswap trade," clicks the top result (an ad), lands on a fake page, connects their wallet, and is asked to sign an "authorization contract."

How to identify it: Search results marked with "Ad" require extra caution. Use bookmarks or manually type a verified URL.

Scenario C: Seed phrase "sync" scam A phishing page displays a popup claiming "wallet sync required — enter your seed phrase to restore access."

How to identify it: No website ever needs you to enter your seed phrase. A seed phrase is only used when restoring a wallet locally on a device and should never be entered online.

OneKey App Entry Point

OneKey App includes multiple built-in anti-phishing mechanisms:

  1. Domain risk alerts: Automatically checks whether a domain is on a known phishing blocklist when connecting to a DApp and displays a warning if so.
  2. Bookmarks: Save frequently used DApp addresses within the app and navigate via bookmarks each time, bypassing the risk of fake links.
  3. Human-readable transaction content: Displays a readable operation summary during signing to help users determine whether the authorized content matches their intent.

Risks and Precautions

  • A seed phrase should never be entered on a webpage: No matter how convincing the page looks, any webpage asking for your seed phrase is a phishing site.
  • HTTPS does not equal safety: Attackers can obtain a legitimate SSL certificate for a fake site. HTTPS only means the connection is encrypted — it does not mean the site is trustworthy.
  • Official teams will never ask for private keys: Any account claiming to be official support and asking for your private key or seed phrase is a scam.
  • Urgency is a red flag: Phishing attacks frequently create a sense of urgency — "limited time," "act now." Treat any such language with heightened suspicion.

FAQ

Q: I connected my wallet on a phishing site. What should I do? A: Immediately use Revoke.cash to check and revoke all related authorizations, then transfer your assets to a new address. If you signed any transactions, check the on-chain records to confirm whether any assets were lost.

Q: A phishing site looks identical to the official site. How can I tell the difference? A: The only reliable way is to verify the complete domain in the browser address bar. The page's visual appearance cannot be used as evidence of trustworthiness.

Q: Is mobile safer than desktop? A: Not necessarily. Mobile browsers typically hide the full URL, making it harder to verify the domain. It is recommended to use dedicated clients like OneKey App on mobile to access DApps.

Q: How do I report a phishing site? A: You can report malicious domains to Google Safe Browsing, Cloudflare, and similar services. You can also notify enforcement contacts in the official community channel of the targeted project.

Take Action Now

The ability to identify phishing links requires deliberate practice. Starting now, bookmark OneKey's website, download OneKey App, and regularly visit Revoke.cash to audit your wallet's approval status — making security habits part of your daily routine.

Secure Your Crypto Journey with OneKey

View details for Shop OneKeyShop OneKey

Shop OneKey

The world's most advanced hardware wallet.

View details for Download AppDownload App

Download App

Scam alerts. All coins supported.

View details for OneKey SifuOneKey Sifu

OneKey Sifu

Crypto Clarity—One Call Away.