Don’t validate your Exodus wallet! Phishing scams to watch out for

How to spot different types of phishing scams, ways to prevent malicious actors and hackers from getting access to your wallet, and some common signs of scams.

Please note: One of the biggest threats in crypto is getting tricked into giving your private keys or 12-word secret recovery phrase to a scammer.



What is a phishing scam?

A phishing scam is a fraudulent method of impersonating famous people or pretending to be from reputable companies in order to convince people to reveal personal information. In a sense, the thieves are “fishing” for your information hoping you will bite.

They typically send fake emails, create fake websites, and make sham social posts to get your 12-word secret recovery phrases, private keys, or other personal information in order to steal your money.

Phishing scams are ubiquitous and not unique to crypto. However, scammers are very active in this space. If you hold your funds in a non-custodial wallet such as Exodus, you control your assets. If scammers can convince you to reveal your private keys or 12-word phrase, they will have full access to your funds.

Once someone has stolen crypto from your wallet, it’s not possible for anyone to retrieve it - immutability, or the inability to cancel or reverse transactions, is one of the core features of blockchain technology.

So what can we do? Prevention is key here. With the power of controlling your own bank comes the added responsibility of protecting your bank. Let’s dig deeper into how to recognize the common tactics that scammers use, and how to protect yourself against them.


How can I identify a scam?

Watch out for spoofs of legitimate websites

Spoofing is when a malicious website is disguised as a known, trusted platform. Spoofed websites might look nearly identical to an official website, but if you look closely, you will spot minor differences. For instance, scammers will use a domain name that looks very similar to the real site’s. They might change just one letter of the company name or use a different domain extension such as .biz, .info, etc.

Spoofed websites are successful as many scammers purchase advertising space on search engines. This allows their advertising links to appear higher in the search results which then causes people to think it’s legitimate. As such, try to avoid clicking on ad links when searching for a website. While some ads will bring you to the correct websites, it’s a good security practice to click only on the search engine results and check that the address begins with https://, and the URL is spelled correctly, so you know your link is secure.
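The checks described above (https, exact spelling, and a near-miss name or a swapped extension) can be written down as code. This is an added example, not Exodus code; the allowlist entry examplewallet.com and all sample URLs are constructed placeholders.

```python
from urllib.parse import urlsplit

# Assumption: placeholder allowlist. Fill it from the vendor's published
# list of official domains, never from a search result or a message.
OFFICIAL_DOMAINS = {"examplewallet.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url: str) -> str:
    """Return 'official', 'not-https', 'lookalike-tld', 'lookalike-name' or 'unknown'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    # Simplification: treat the last two labels as the registered domain
    # (wrong for suffixes such as co.uk; use a public-suffix list for those).
    domain = ".".join(host.split(".")[-2:])
    if domain in OFFICIAL_DOMAINS:
        return "official" if parts.scheme == "https" else "not-https"
    name, _, tld = domain.partition(".")
    for official in OFFICIAL_DOMAINS:
        off_name, _, off_tld = official.partition(".")
        if name == off_name and tld != off_tld:
            return "lookalike-tld"   # same name, different extension (.biz, .info)
        if 0 < edit_distance(name, off_name) <= 2:
            return "lookalike-name"  # one or two characters changed, added or dropped
    return "unknown"

# Constructed sample URLs, not real indicators.
SAMPLES = [
    "https://www.examplewallet.com/download",
    "http://examplewallet.com/",
    "https://examplewallet.biz/validate",
    "https://examp1ewallet.com/verify",
    "https://docs.python.org/3/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{classify(url):15} {url}")
```

A result of "unknown" only means the domain is neither on the list nor a near miss; anything other than "official" should be treated as untrusted. The check requires both https and an exact domain match because https on its own says nothing about who runs the site.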

Want to be sure you are on the correct Exodus website? We have an article in our Knowledge Base that summarizes all the official domains of Exodus:

Aside from search engines, be very careful on social media as well! Scammers will set up accounts on popular social media platforms such as Twitter, Reddit, Facebook, TikTok, Telegram, Instagram, and Discord, and wait for vulnerable users to prey on.

Scammers will initially offer you some good advice to trick you into believing they are legitimate. Once they win your trust, they’ll direct you to a fake website asking for your private information. They will use official-sounding terms like “validate your wallet” and “verify your info”.

Watch out for malicious wallets and apps

While Apple and Google are really good at screening their app stores, fake and malicious apps can still sometimes get through. When scammers get fake versions in official stores, they use screenshots and pictures from the real app as well as fake reviews to make their wallets look legitimate.

Checking to make sure your app is authentic is key to protecting your funds. We go into this information in depth in this article here:

If you are more technical, you can compute the checksum of your download, compare it against the published release hashes, and verify that the download is signed. You can also turn on auto-update in your mobile phone settings or in the desktop app.
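One way to do the checksum comparison, as an added example that is not Exodus code. It assumes the release hashes come as sha256sum-style lines ("<hash>  <filename>") and that the signature on the hash list has already been verified separately with the vendor's signing key; the file name and contents in the demo are constructed.

```python
import hashlib
import hmac
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream the file so large installers do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def parse_hash_list(text: str) -> dict:
    """Parse '<64 hex chars>  <filename>' lines; other lines are skipped."""
    hashes = {}
    for line in text.splitlines():
        fields = line.split(maxsplit=1)
        if len(fields) != 2:
            continue
        digest, name = fields[0].lower(), fields[1].strip().lstrip("*")
        if len(digest) == 64 and all(c in "0123456789abcdef" for c in digest):
            hashes[name] = digest
    return hashes

def verify_download(path: Path, hash_list_text: str) -> str:
    """Return 'match', 'mismatch' or 'not-listed' for the downloaded file."""
    expected = parse_hash_list(hash_list_text).get(path.name)
    if expected is None:
        return "not-listed"  # never treat a missing entry as a pass
    return "match" if hmac.compare_digest(sha256_file(path), expected) else "mismatch"

if __name__ == "__main__":
    import tempfile
    # Constructed demo: a stand-in "installer" and a hash list that covers it.
    with tempfile.TemporaryDirectory() as tmp:
        installer = Path(tmp) / "wallet-installer.bin"
        installer.write_bytes(b"constructed installer bytes")
        listing = f"{sha256_file(installer)}  {installer.name}\n"
        print(verify_download(installer, listing))
```

A "match" only shows that the file agrees with the hash list, so the list itself has to come from the official site and pass its signature check; a list served from the same page as a tampered download proves nothing.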

Exodus Mobile is offered on Apple devices running iOS 12 or higher as well as Android devices running Android 8.0 Oreo or higher. We offer no other way to download Exodus apart from using the Google Play Store for Android, App Store for iOS, or the direct download links on our website.

Spear phishing using your leaked information

Some scammers use personal information leaked from data breaches to launch targeted attacks. This is called spear phishing. If your email address has been involved in a data breach, then you could be at risk.

A great example of this is the Ledger data leak. As Ledger is a crypto company, the people in the breached email database were likely to have crypto. Knowing this, scammers targeted campaigns at the leaked email addresses. They sent messages from spoofed email addresses directing users to “validate” their wallets on malicious sites or apps.

Knowing if your email address has been compromised and being aware that scammers might contact you via email will keep you on alert. We recommend that you check here to see if your email address has been leaked:

Hallmarks of a scam

Be on the lookout for celebrity giveaways, time crunches, and double-back promises. While these are not phishing, they are worth noting while we are talking about scams. Elon Musk, Vitalik Buterin, and Changpeng Zhao (CZ) don’t give away crypto. Adding a famous name to a “promotion” is a way to trick you into a false sense of security.

There are many scam websites that push a very tight time limit or “limited space” so you’ll be rushed to send funds quickly. This is often done on YouTube live streams that have comments disabled. The focus is put on getting double the amount back to make you concentrate on the reward. If it ever sounds too good to be true, especially with crypto, it most certainly is.


How can I protect myself from scammers?

Protect your private information

The easiest way to protect yourself from being phished is to know what information is for your eyes only. Your 12-word secret recovery phrase and your private keys should not be shared with anyone. There is no legitimate reason why anyone, including crypto support staff, would need this information. The only reason someone would ask you for this information is to steal your funds.

Never enter your private keys or 12-word phrase into any website. For more information on this, you can check out this article here:

Remember, as a non-custodial wallet, Exodus does not collect any user information. Our staff will never ask you for personal information or to verify your wallet. They will never ask you for your 12-word phrase or private keys. Should you ever receive this type of email or direct message (DM), please ignore the contents and do not click on any links.

For more information about this, you can read these articles:

How to contact Exodus Support

Remember, there is no signup or traditional account login with Exodus. This means Exodus doesn’t have your email address. We will only contact you via email as a reply to an inquiry you’ve already sent to us.

If you need to reach out to Exodus Support, please do so through our official channels. While we do have staff on the major social media channels, our staff will never DM you. If someone is DMing you on a social media platform, they are likely a scammer. Our social media team will only post public replies. Please see the following for more information on how to get in touch with us:


Further resources

If you are interested in reading more about how to keep yourself and your crypto safe, you can visit these resources: