Phantom offers industry-leading security features and a dedicated support team to help keep you safe. But like any crypto wallet, staying secure also depends on how you use it.
This guide outlines the most common security risks, how Phantom helps protect you, and the steps you can take to protect yourself.
Why self-custody matters
Web3 empowers you to fully own your digital assets, but it also comes with responsibility. When you self-custody your assets, you are in full control of your wallet, your transactions, and your private keys.
While this removes the need to trust centralized intermediaries, it also means no one (not even Phantom) can recover your wallet if your keys are lost or compromised.
Recognize common scams and phishing tactics
Phishing is the most common scam in crypto. Attackers use social engineering, fake assets, or malicious sites to trick you into exposing your wallet.
Deceptive messages
Scammers often impersonate support staff or community moderators in Discord, Twitter, or Telegram. They may claim they can help you and ask for your Secret Recovery Phrase or direct you to a fake site.
Important: Phantom will never ask for your Secret Recovery Phrase or prompt you to sign a transaction outside of the wallet interface.
Spam NFTs and fake tokens
Scammers may airdrop NFTs or tokens to your wallet with messages like “Claim your reward” or “You’ve won.” These links often lead to malicious apps that attempt to drain your wallet.
Avoid interacting with any unsolicited NFTs or tokens. If you’re unsure, report or burn them directly in the Phantom app.
Other scams to avoid
- Pre-generated recovery phrases from fake wallet generators. The attacker already holds a copy of any phrase such a site hands out, so anything you send to that wallet can be drained.
- Clipboard malware that silently replaces the address you copy with the attacker's. Before sending, compare the pasted address with the one you intended, at least the first and last several characters.
- Fake test tokens such as "devnet SOL" used as bait in phishing links.
Protect your Phantom wallet
Never share your recovery phrase
Your Secret Recovery Phrase gives full access to your wallet. Only enter it when restoring a wallet—and never share it with anyone. This includes support staff or websites you are interacting with.
Never share your PIN
If you created a wallet using a social login (Google or Apple), your 4-digit PIN is part of your authentication and recovery process.
Don't share your PIN with anyone, including Phantom Support. Keep it private just like your recovery phrase.
Secure your device
- Keep your OS and apps updated.
- Use a strong, unique password for Phantom.
- Install antivirus and anti-malware protection.
- Avoid downloading unknown files or clicking suspicious links.
Enable Phantom's security settings
Set your Phantom wallet to auto-lock after a period of inactivity on both the browser extension and the mobile app.
Learn how to set your Phantom app to automatically lock
Review your transaction previews
Phantom scans all transactions before you sign and provides a human-readable preview. If something looks suspicious, you’ll see a warning about:
- Wallet drainers
- Malicious contracts
- DNS spoofing or app impersonation
Manage spam NFTs and tokens
Report spam NFTs
Never interact with unsolicited NFTs. Scammers send "airdropped" tokens hoping you will visit their site and interact with their app, which then withdraws funds from your wallet. If you receive unwanted NFTs, you can report and hide them directly in Phantom. This removes them from view and helps train our spam detection system.
Learn how to hide or report an NFT in Phantom
Burn spam NFTs
Burning permanently removes spam NFTs and returns the SOL rent deposit that was locked to store them.
Learn how to burn an unwanted Solana NFT in Phantom
Choose trusted apps and setup methods
Use trusted apps only
Only connect to reputable, verified sites. Be especially cautious with links sent over DMs or found in comment sections or tweets.
Use social login with PIN
Managing a recovery phrase can be risky. Phantom offers an alternative: create a wallet using your Google or Apple login with a 4-digit PIN.
This uses self-custodial key management. Your private key is never stored in full or held by any one party—not even Phantom.
If enabled, you can recover your wallet using just your email and PIN.
Learn how to create a new Phantom wallet with Apple or Google login
Phantom’s built-in security systems
Phantom includes additional layers of protection:
- Transaction previews: Warn you about suspicious actions or contracts.
- Open source blocklist: Automatically blocks known malicious domains and tokens.
- Spam detection: Flags NFTs and tokens reported by the community.
- Burn feature: Lets you permanently delete spam NFTs from your wallet.
These protections apply across Solana, Ethereum, and Polygon.
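The blocklist check above can be illustrated with a small example. The code below is an added example, not Phantom's own blocklist or matching code: it shows how a wallet can normalize the hostname of a site that asks to connect and compare it with a domain blocklist, treating subdomains of a blocked domain as blocked, flagging punycode (internationalized) hostnames that may use lookalike characters, and warning when a trusted brand name appears inside an untrusted domain. The blocklist entries and the `phantom.app` allowlist entry are constructed for the example.

```javascript
// Added example of a domain blocklist check; not Phantom's own code.
// Blocklist and allowlist entries below are constructed for illustration.

const BLOCKLIST = new Set([
  "phantom-airdrop.example",
  "claim-rewards.example",
]);

// Hypothetical allowlist of brands whose names are often imitated.
const TRUSTED = new Set(["phantom.app"]);

// Normalize the hostname the way a browser does: the URL parser lowercases it
// and converts Unicode labels to punycode (xn--...). A trailing dot is stripped.
function hostnameOf(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return null;
  }
  return url.hostname.replace(/\.$/, "").toLowerCase();
}

// A host matches a blocklist entry when it equals the entry or is a subdomain of it.
function matchesEntry(host, entry) {
  return host === entry || host.endsWith("." + entry);
}

// Returns { verdict, host, reason } where verdict is one of
// "invalid", "block", "warn", "allow".
function classifyUrl(rawUrl) {
  const host = hostnameOf(rawUrl);
  if (host === null) {
    return { verdict: "invalid", host: null, reason: "unparseable URL" };
  }

  for (const entry of BLOCKLIST) {
    if (matchesEntry(host, entry)) {
      return { verdict: "block", host, reason: `matches blocklist entry ${entry}` };
    }
  }

  // Any punycode label means the displayed name contained non-ASCII characters,
  // which is how lookalike domains (Cyrillic letters etc.) are built.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return {
      verdict: "warn",
      host,
      reason: "internationalized (punycode) hostname; check for lookalike characters",
    };
  }

  // Brand name embedded in an untrusted registrable domain,
  // e.g. phantom.app.evil.example is not phantom.app.
  for (const trusted of TRUSTED) {
    const brand = trusted.split(".")[0];
    const isTrusted = host === trusted || host.endsWith("." + trusted);
    if (!isTrusted && host.includes(brand)) {
      return { verdict: "warn", host, reason: `hostname contains "${brand}" but is not ${trusted}` };
    }
  }

  return { verdict: "allow", host, reason: "no match" };
}

console.log(classifyUrl("https://app.phantom-airdrop.example/claim"));
console.log(classifyUrl("https://phantom.app.evil.example/"));
```

Matching on the hostname rather than the full URL matters: an attacker controls every path and subdomain under a domain they own, so a blocked domain must also block everything beneath it.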
Advanced tips
Create a separate storage account
Use one account for storage and another for interacting with apps. Keep most of your funds in the storage account and never connect it to a site; move only what you need into the interaction account. To create a new account, follow these steps:
- Browser extension: Click your profile avatar in the upper-left corner, then click Add Account (plus icon) in the lower-left corner.
- Mobile app: Tap your profile avatar in the upper-left corner, then tap Add Account at the bottom.
Learn how to add a new account or wallet to Phantom after initial setup
Use a hardware wallet
Hardware wallets such as Ledger keep your private key on a separate device that must physically confirm each transaction, which adds extra protection for high-value assets.
Revoke token approvals
A token approval lets an app move your tokens even after you have stopped using it. Periodically review and revoke token approvals on Ethereum and Solana to limit exposure from past app activity.
Learn how to revoke token approvals
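To make concrete what an approval grants and what revoking it means, the following is an added example, not Phantom's code and not the revoke flow linked above. It decodes the calldata of an ERC-20 `approve(spender, amount)` call that an Ethereum app might ask you to sign, flags an unlimited approval, and builds the `approve(spender, 0)` calldata that revokes it. It uses only Node built-ins and does not touch the chain; the spender address is constructed, and the threshold used to call an approval "unlimited" (2^255 or more) is an assumption of this example.

```javascript
// Added example: decode and build ERC-20 approve() calldata. Not Phantom's code.
// No chain access; addresses below are constructed.

// First 4 bytes of keccak256("approve(address,uint256)").
const APPROVE_SELECTOR = "095ea7b3";
const MAX_UINT256 = (1n << 256n) - 1n;
// Assumption for this example: anything at or above 2^255 is treated as unlimited.
const UNLIMITED_THRESHOLD = 1n << 255n;

function pad32(hex) {
  return hex.padStart(64, "0");
}

// ABI-encode approve(spender, amount) as 0x-prefixed calldata.
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{40}$/.test(addr)) throw new Error("bad address");
  if (amount < 0n || amount > MAX_UINT256) throw new Error("amount out of range");
  return "0x" + APPROVE_SELECTOR + pad32(addr) + pad32(amount.toString(16));
}

// Decode calldata into { spender, amount }; returns null if it is not approve().
function decodeApprove(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (hex.length !== 8 + 64 + 64 || hex.slice(0, 8) !== APPROVE_SELECTOR) return null;
  const spenderWord = hex.slice(8, 72);
  // An address occupies the low 20 bytes of its 32-byte word; the rest must be zero.
  if (!/^0{24}/.test(spenderWord)) return null;
  return {
    spender: "0x" + spenderWord.slice(24),
    amount: BigInt("0x" + hex.slice(72, 136)),
  };
}

// Describe what signing this calldata would grant. decimals is the token's decimals.
function assessApproval(calldata, decimals = 18) {
  const dec = decodeApprove(calldata);
  if (!dec) return { kind: "not-approve" };
  if (dec.amount === 0n) return { kind: "revoke", spender: dec.spender };
  if (dec.amount >= UNLIMITED_THRESHOLD) return { kind: "unlimited", spender: dec.spender };
  return {
    kind: "limited",
    spender: dec.spender,
    amount: dec.amount,
    approxTokens: dec.amount / 10n ** BigInt(decimals),
  };
}

// Revoking is just an approval of zero to the same spender.
function revokeCalldata(spender) {
  return encodeApprove(spender, 0n);
}

// Constructed spender address for the demo.
const spender = "0x1111111111111111111111111111111111111111";
const unlimited = encodeApprove(spender, MAX_UINT256);
console.log(assessApproval(unlimited));
console.log(assessApproval(revokeCalldata(spender)));
```

An unlimited approval is the case to watch for: once signed, the spender can move the entire token balance you hold now or later, which is why reviewing and revoking approvals after you stop using an app matters.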
Note: Phantom only provides support through this website. We will never message you on Discord, X, Telegram, or other chat apps.