Phantom offers industry-leading security features and a dedicated support team to help keep you safe. But like any crypto wallet, security starts with you.
This guide explains the key risks to be aware of and how Phantom protects you. It also provides practical steps you can take to protect yourself when using Phantom.
Why self-custody matters
Web3 empowers you to fully own your digital assets—but it also comes with responsibility. When you self-custody your assets, you are in full control of your wallet, your transactions, and your private keys.
While this removes the need to trust centralized intermediaries, it also means no one (not even Phantom) can recover your wallet if your keys are lost or compromised.
Common phishing methods to avoid
Phishing is the most common scam in crypto. Here are some tactics to watch out for:
Deceptive messages
Scammers often impersonate support staff or community moderators in Discord, Twitter, or Telegram. They may claim they can help you and ask for your secret recovery phrase or direct you to a fake site.
Important: Phantom will never ask for your secret recovery phrase or prompt you to sign a transaction outside of the wallet UI.
Airdropped spam tokens and NFTs
After you interact with legitimate dApps, scammers may airdrop NFTs or tokens with messages prompting you to claim a prize or visit a suspicious site. These links often lead to malicious dApps that attempt to drain your wallet.
Other scams to avoid
- "Rotten" seed phrases distributed by fake wallet generators.
- Copy/paste malware that replaces addresses in your clipboard.
- Fake devnet tokens (like "devnet SOL") used in phishing links.
Protect yourself in Phantom
Never share your secret recovery phrase
Your secret recovery phrase gives full access to your wallet. Only enter it when restoring a wallet—and never share it with anyone. This includes support staff or websites you are interacting with.
Never share your PIN
If you created a wallet using a social login (Google or Apple), your 4-digit PIN is part of your authentication and recovery process.
Do not share your PIN with anyone, including Phantom support. Keep it private just like your recovery phrase.
Secure your device
Make sure the device you use Phantom on is safe and up to date:
- Keep your operating system and apps updated.
- Use a strong, unique password for Phantom.
- Install antivirus and anti-malware tools.
- Avoid downloading unknown files, especially from links in emails or unfamiliar websites.
Enable Phantom's security settings
Set your Phantom wallet to auto-lock on both the browser extension and the mobile app. For more information, see How to set your wallet to instantly lock.
Read our transaction previews
Phantom scans your transactions in real time and provides a clear, human-readable preview before you approve anything. If the transaction is suspicious or potentially harmful, you'll see a warning explaining what could happen.
This helps protect against:
- Wallet drainers
- Fake or malicious contracts
- DNS spoofing and dApp impersonation
Report spam NFTs
Never interact with unsolicited NFTs. Scammers send "airdropped" tokens, hoping you will visit their site and interact with their dApp, which then withdraws funds from your wallet. If you receive unwanted NFTs, you can report them as spam directly in your wallet, which will also hide them from view. For more information, see How to hide or report a collectible (NFT).
Burn NFTs
You can permanently remove spam NFTs from your wallet using the burn feature. Burning reclaims the SOL used to store the NFT and helps declutter your wallet. For more information, see How to burn unwanted Solana-based NFTs on Phantom.
Use trusted dApps only
Stick to known, reputable sites. If a site is new or unknown, proceed with caution. Avoid clicking links from random messages or social media posts.
Use a seedless wallet with Google or Apple
Managing a seed phrase can be risky. Phantom offers an alternative: create a wallet using your Google or Apple login and a 4-digit PIN.
This method uses a self-custodial, distributed key management system. Your private key is never stored in full outside your device, and no single party—including Phantom—can access or reconstruct it.
You can recover your wallet with just your email and PIN. For more information, see How to create a new wallet using your Google or Apple ID (email/social login).
Phantom’s built-in security systems
Phantom includes additional layers of protection:
- Transaction previews: warn you about suspicious actions or contracts.
- Open source blocklist: automatically blocks known malicious domains and tokens.
- Spam detection: flags NFTs and tokens reported by the community.
- Burn feature: lets you permanently delete spam NFTs from your wallet.
These protections apply across Solana, Ethereum, and Polygon.
Advanced tips
- Create a second wallet for storage, and use your main wallet for interactions. Your storage wallet should only send/receive from your main wallet. To create one, follow these steps:
  - In the browser extension, click your account icon (upper left), then select Add / Connect Wallet (the plus icon in the lower left).
  - On mobile, tap your account icon (upper left), then tap Add Wallet (bottom left).
- Use a hardware wallet for high-value assets. Devices like Ledger or Trezor offer an added layer of protection. Store your most valuable assets on the hardware wallet and only connect it to well-known dApps.
- Revoke approvals periodically on Ethereum and Solana. This helps reduce exposure from past dApp interactions.
Get help from Phantom support
If you have any questions or concerns about the best practices in this guide, or are unsure whether a site you want to visit or interact with is safe, please do not proceed. Reach out to our support team first and we'll be happy to assist!
Note: Phantom only provides support through the Help Center at help.phantom.com. We will never message you on Discord, Twitter, Telegram, or any other chat app.