Metamask is an innovative tool available as a browser extension and as a mobile app. It is more than just a wallet: it is a portal to the world of Ethereum, a crypto wallet and a gateway to blockchain applications trusted by over 21 million users across the world.
This tool lets users and crypto enthusiasts access the Ethereum blockchain directly from a mobile device or a browser extension. It not only lets you interact with the Ethereum blockchain and its DApps, but also lets you explore other EVM-based blockchain ecosystems like BSC, Polygon, Harmony, Avalanche, Fantom, etc.
You can use it as a wallet to store, send, swap and receive coins, tokens and NFTs, and as a portal to interact with decentralized apps and smart contracts built on Ethereum and other smart-contract blockchains.
Metamask is the entry point to Web 3.0 that opens up the world of DeFi, allowing every user to easily access the next stage of the web's evolution. We strongly believe that the crypto space has benefited more from Metamask than from any other service or tool.
But the problem is that as this service and its user adoption have grown exponentially, it has become an increasingly hot target for scammers and phishers. They keep evolving and coming up with new techniques to scam newcomers. If you are a Metamask user you need to stay aware of the latest scams and phishing attacks so that you can protect your Metamask from them.
So how do you protect Metamask? In this article we'll share some basic safety and security tips for Metamask users. Before we share the tips and security settings, let's first understand how secure the Metamask extension is.
How secure is the MetaMask wallet?
When you first set up Metamask you are given a 12-word secret recovery phrase. Metamask uses BIP39 to generate the seed phrase for your wallet. BIP39 is the standard most crypto wallets use to randomly generate a seed phrase.
This randomly generated seed phrase is unique and serves to generate your addresses. It covers every token, transaction and address generated by your Metamask wallet. Think of it as the master backup key for your Metamask.
Backing up your secret seed phrase is essential, as it ensures that you will always have access to your funds. So write it down on paper and keep your recovery phrase safely offline, never online. Remember that anyone who gains access to your secret recovery phrase can completely take over the Ether and tokens in your account. So never share it with anyone, not even the Metamask team, under any circumstances.
Metamask does not control your seed phrase, nor does it keep any of your private data on its servers. Metamask is a client-side, non-custodial wallet: everything is encrypted in your browser and protected with a password. The software is open source, uses HD (hierarchical deterministic) backup settings, and hasn't suffered any major hacks.
However, note that Metamask is a hot wallet, meaning the wallet is connected online 24/7. Any wallet that stays online is riskier than, say, cold storage or a hardware wallet. But that's not the main problem here.
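To make the "master backup key" point concrete, here is an added example (not code from the article or from the MetaMask project) of what a wallet does with the 12 words: BIP39 turns the phrase into a 64-byte seed with PBKDF2-HMAC-SHA512, and BIP32 turns that seed into the master key from which every account is derived. The phrase used is the published all-"abandon" BIP39 test vector, constructed for the example; the passphrase argument is the optional BIP39 "extra word", which MetaMask does not use, so it is empty by default.

```python
import hashlib
import hmac
import unicodedata

# Constructed example phrase: the well-known all-"abandon" BIP39 test vector,
# used only because its seed is published. Never type a real phrase anywhere
# except into your own wallet.
EXAMPLE_MNEMONIC = ("abandon " * 11 + "about").strip()


def bip39_seed(mnemonic, passphrase=""):
    """Derive the 64-byte BIP39 master seed from a mnemonic sentence.

    BIP39 specifies PBKDF2-HMAC-SHA512 with 2048 rounds, the NFKD-normalized
    mnemonic as the password and "mnemonic" + passphrase as the salt.
    Extra spaces are collapsed so a phrase copied with odd spacing still
    yields the same seed.
    """
    words = " ".join(mnemonic.split())
    password = unicodedata.normalize("NFKD", words).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def bip32_master_key(seed):
    """Split the BIP32 master node out of the seed.

    HMAC-SHA512 keyed with the constant "Bitcoin seed" (the same constant is
    used for Ethereum wallets) gives the master private key (left 32 bytes)
    and the chain code (right 32 bytes). Every account a wallet lists is
    derived from this node, which is why one phrase covers all addresses and
    why "creating a new account" cannot rescue a leaked phrase.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def seed_hex(mnemonic, passphrase=""):
    """Convenience wrapper returning the seed as lowercase hex."""
    return bip39_seed(mnemonic, passphrase).hex()


if __name__ == "__main__":
    # Same 12 words in, same seed and master key out: possession of the
    # phrase is possession of the wallet.
    print(seed_hex(EXAMPLE_MNEMONIC))
    key, chain = bip32_master_key(bip39_seed(EXAMPLE_MNEMONIC))
    print(key.hex(), chain.hex())
```

The derivation is fully deterministic and uses nothing but the words, which is the whole reason the phrase must stay offline: there is no server-side secret, password or device that a thief additionally needs.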
Protect your wallet secret recovery phrase
Most users who report having their assets stolen from Metamask did not lose them because of a flaw in Metamask's security. In fact the Metamask extension is quite safe and secure. The reason most users' wallets get hacked and their assets stolen is mainly their own negligence, especially beginners who easily fall for scams and phishing attacks. They simply lose or disclose their wallet seed words or private keys to scammers and lose all of their assets.
You see, Metamask is only as secure as your ability to keep your 12-word secret seed phrase secure and to avoid phishing websites that can steal your private keys. Metamask is a self-custody wallet, and with such great power comes the great responsibility of safeguarding your wallet and its assets. You, the wallet holder, are solely responsible for protecting the wallet and its secret recovery phrase.
The secret recovery phrase, as the name suggests, should be kept secret. A hacker, scammer or phisher with access to your recovery phrase will have full access to your wallet, which lets them transfer all of your assets to their own wallet. So be very careful. Never share this information with anyone, including the Metamask support team. They will never ask you to provide the seed phrase in any situation.
Here are the official links and support page for metamask:
Note: the Metamask security team is only there to monitor and take down phishing infrastructure set up by scammers. Other than that, they share official updates about the software. That's it! Remember, just because something says "Metamask support" doesn't mean they can help you with your account. Since this is a self-custody wallet, you alone are responsible for your accounts. MetaMask cannot help you recover your account or its funds under any circumstances.
Besides the official support, you'll also come across many fake websites and fake Metamask support channels, all targeting your recovery phrase. Beware of the common scams and phishing attacks targeting Metamask users, and never give away your secret recovery phrase or private keys.
Common scams and phishing attacks targeting metamask
The MetaMask security team is aware of the common scams and phishing tricks. They continuously monitor and take down phishing infrastructure set up by scammers; however, scammers evolve and keep changing their tactics. Here are some of the common scams and phishing attacks you need to be aware of.
1. Fake Metamask support
One of the most common and successful attacks targeting Metamask users is criminals impersonating Metamask wallet employees, the help desk or tech support, offering to help you with Metamask technical issues.
Remember, the official Metamask team never asks for your personal details, and you should never share them with anyone. The scammers' main target is your recovery phrase. Somehow beginners fall for this common fraud and give away their secret recovery phrase or private keys.
Seriously, stop displaying your seed phrase to the wallet inspector.
2. Email phishing alert
Metamask never collects your email address or personal information in any situation. Yet somehow you may get emails claiming to be from Metamask. This is an email phishing campaign set up by scammers asking you to verify your wallet to comply with KYC regulations. They say that failing to complete KYC will force them to close your Metamask account. It's a scam. Don't trust any such inbound emails or click their links.
We're aware of a recent email phishing campaign asking users to "verify" their wallet to comply with KYC regulations. This is a SCAM, please report as spam and delete it! pic.twitter.com/0yKifU7oLA
— MetaMask Support (@MetaMaskSupport) November 18, 2021
The link will usually take you to a Google Docs form asking you to enter your wallet seed phrase. Never click on suspicious links and never enter your seed phrase into any online form.
MetaMask doesn't even collect your email address, so you can be sure that any email asking you to "verify your wallet" is a big ol' scam. pic.twitter.com/ROghLYClyy
— MetaMask (@MetaMask) October 25, 2021
3. Fake NFT website / metamask download links
Metamask is a frequent target for phishing attacks. One of the most common ways to steal your credentials is by tricking you into downloading and installing a malicious version of the app.
One common tactic is for phishers to purchase a domain name similar to Metamask's and design the site to look very similar to the legitimate one. Some advanced phishers even install an SSL certificate on their phishing site to make it appear genuine, so the padlock icon alone proves nothing.
Besides fake Metamask websites, there are also several fake NFT minting websites that look similar to the original sites like OpenSea or Rarible.
Remember, when browsing the DeFi space do not rely on Google search links. Always save trusted URLs as bookmarks in your browser and make sure you are on the correct URL before you interact with a DApp and make any transactions.
Note: if you have mistakenly installed a fake Metamask extension or app, or downloaded malicious software or a wallet, uninstall it immediately and clean your computer. You might be using a rotten seed (a secret phrase generated for you by the scammer). Also, do not open infected files, documents or software received via email, chat or social media messages. Doing so could infect your device with a keylogger or malware that could steal your secret recovery phrase or private keys.
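The "make sure you are on the correct URL" advice can be turned into a mechanical check. The following is an added example (not code from the article or from MetaMask) of a bookmark-style allowlist: a URL is "trusted" only when its host is, or is a subdomain of, one of the saved domains; anything that merely contains the brand name, sits on a punycode (xn--) label, or is within two typing errors of a trusted host is flagged as a lookalike. The allowlist entries other than metamask.io and the sample URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist: replace with the bookmarks you actually trust.
# metamask.io is the wallet's official domain; the other two are assumptions.
TRUSTED_HOSTS = {"metamask.io", "opensea.io", "rarible.com"}


def registrable_host(url):
    """Lower-cased hostname with userinfo, port and a trailing dot removed."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    return (parts.hostname or "").rstrip(".")


def edit_distance(a, b):
    """Levenshtein distance, used to catch typosquats such as metamsak.io."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url):
    """Return 'trusted', 'lookalike' or 'unknown' for a URL.

    Trusted means the host equals a saved domain or is a subdomain of it
    (host ends with "." + domain). Note that metamask.io.example.com does
    NOT satisfy that test: its registrable domain is example.com.
    """
    host = registrable_host(url)
    if not host:
        return "unknown"
    labels = host.split(".")
    for trusted in TRUSTED_HOSTS:
        if host == trusted or host.endswith("." + trusted):
            return "trusted"
    # Punycode labels are how homoglyph domains (Cyrillic letters that look
    # Latin) appear on the wire; no trusted domain here uses them.
    if any(label.startswith("xn--") for label in labels):
        return "lookalike"
    for trusted in TRUSTED_HOSTS:
        brand = trusted.split(".")[0]
        if any(brand in label for label in labels):
            return "lookalike"      # brand embedded: metamask-wallet.io, metamask.io.evil.com
        if edit_distance(host, trusted) <= 2:
            return "lookalike"      # one or two keystrokes away from a saved domain
    return "unknown"


if __name__ == "__main__":
    # Constructed sample URLs showing each outcome.
    for sample in ("https://metamask.io/download", "https://metamask.io.example.com/",
                   "https://metamsak.io", "https://example.org"):
        print(sample, "->", classify_url(sample))
```

The scheme is deliberately not a criterion: as the text notes, phishing sites can carry a valid certificate, so "https" says nothing about legitimacy. The check is meant as a gate before a transaction is signed, not as a replacement for opening DApps from your own bookmarks.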
4. Scam airdrop
Here is how the scam airdrop works. First, the scammer sends you a message stating that they are offering a free token (airdrop). However, to claim it you are asked to enter your wallet information, including your secret recovery phrase. Most beginners think the airdrop is legit and enter their recovery phrase into the phishing software, fake Metamask website or support form. Only after giving away their seed phrase and losing all their funds do they realize it was a complete scam.
5. Fake token airdrops
Another common scam is sending you a fake token. Did you receive a random token at your Metamask address? If you've connected your Metamask to and interacted with many DApps, you'll keep getting random tokens and #NFTdrops at your address. If so, you probably shouldn't touch them.
🚨Scam alert! 🎣
Learn about the latest phishing attack that is sweeping the block explorers and other wallets, and learn how MetaMask helps keep users safer from this attack. https://t.co/UICGGmcOC0
— MetaMask (@MetaMask) September 26, 2021
Bad actors create a fake token that looks like the original one and send it to your wallet address.
There are countless tokens in existence, and MetaMask has a token auto-detection system. It only detects and lists the most popular tokens that meet a high bar of credibility and excludes unknown tokens by default. This way users don't get confused and exposed to a phisher's scam token.
Remember that anybody can mint any kind of token. A scammer can even mint a copy of a popular ERC20 token, and block explorers will still display that token. So don't trust strange tokens and don't go looking around the block explorer for token balances. Beware of malicious tokens and malicious smart contracts.
6. Malicious smart contract
There are many fake token scam airdrops going around where, in order to claim the tokens, the website asks you for an unlimited token (BEP20 or ERC20) allowance. This sets an unlimited spend limit so the scammers can drain tokens from your wallet.
Phishing alert ⚠️
There's a fake VERA / EVER token scam using an airdrop of tokens where the claim website asks for unlimited (BEP20) token allowance (Spend Limit) to steal user's funds.
Please, be extremely careful which sites/dapps you give permission to spend your tokens. ⚠️
— MetaMask Support (@MetaMaskSupport) August 12, 2021
This is another common scam going around. Understand the DeFi risks, and please be extremely careful about which sites/dapps you interact with and give permission to spend your tokens.
Also, if you leave your Metamask wallet unlocked, you could receive a fake failed-transaction notification: based on your recent transaction, a malicious DApp can present you with a fake transaction for the same amount but to a different address, claiming that your most recent outgoing transaction has failed. Always verify all the details before you authorize any transaction in Metamask. Also note that incoming transactions to your Metamask address do not require any action on your part.
Alright! Now let's look at the common settings and best practices to protect your Metamask wallet.
How to protect metamask? Enhance metamask security
How do you secure Metamask and prevent it from being hacked? Here are some common tips and settings for improving the security of your Metamask wallet.
1. To maximize security, consider running MetaMask in a separate web browser. This creates a separation between your Metamask activities and your regular browsing.
2. Do not log in to or use Metamask from public WiFi or a shared computer.
3. Write down your recovery phrase and keep it offline. Do not take a screenshot and never keep a backup online. Also never share your secret phrase with anyone; if they get access to this information they can steal all your assets.
Here is how to back it up if you have not done so already. Open Metamask, unlock it with your password, then open the accounts drop-down and click Settings. Go to Settings >> Security & Privacy and click "Reveal secret recovery phrase". You'll be asked to enter your Metamask password to reveal the seed phrase. Write it down on paper and keep it safely offline.
Note: creating a new account doesn't help if your seed phrase is compromised, because all accounts are derived from your seed phrase. You need to set up a new wallet by generating a new seed.
4. Never leave your Metamask unlocked. An unlocked MetaMask means a site can learn your wallet address, its balance, its tokens, and all of your transaction history. So lock your wallet whenever Metamask is not in use. Here is how to lock Metamask: open Metamask >> open the accounts drop-down menu and click the Lock button.
5. Make a habit of clearing your browser cache, cookies and history regularly, at least once a week. Also keep an eye on your browser extensions. There are malicious programs that can log your keystrokes or take screenshots without your knowledge. If you find a suspicious extension, remove it from your browser.
6. If you are not going to use Metamask for a long time, disable it and remove it. You can restore it later using your recovery phrase.
7. Run anti-malware and antivirus programs from time to time to detect and remove any keyloggers or malicious programs from your computer.
8. Use a strong password for your Metamask. The password should be 8-12 alphanumeric characters and include at least 1 number and 1 letter.
9. Disconnect from suspicious websites – First of all, disconnecting does not affect your staked coins in any way. Also, an active connection only allows the site to read your balances and see what kinds of tokens you have in your wallet, and site owners can use Etherscan to see your most recent incoming and outgoing transactions. That's it! Other than this, being connected to a site is not going to harm your wallet in any way.
Still, you should find any scam websites that you previously authorized a connection to and remove all those unnecessary sites. Here is how it's done.
Open Metamask >> click the three dots next to your address and click Connected sites. It'll show the list of connected sites that can view your account address. Disconnect from sites you'll no longer be using.
10. Revoke unlimited spend – Your Metamask simply can't get hacked just by connecting to a malicious website. However, if you connect to a scam website and approve a transaction there, then there is a chance of it getting hacked.
If you've previously connected to and approved a transaction on such a site, you need to disconnect and revoke the approval from the malicious smart contract.
By authorizing sites and signing for a smart contract you might have granted permission for unlimited spend. Basically, when you authorize a contract with such an allowance you are giving it permission to do whatever it wants with your tokens.
If you've signed a bad contract, you could well have authorized unlimited spend, and the website could wipe your Metamask clean.
Unlimited spend could be for just a specific coin or for multiple tokens, depending on the contract you signed. Use sites like https://revoke.cash/ to revoke unlimited spend approvals on your wallet.
11. Lastly, use Metamask with a hardware wallet: if you have a large amount of ETH or tokens in your accounts, consider getting a hardware wallet. Hardware wallets like Ledger and Trezor are considered the safest and most robust devices for storing your Ether and tokens. All transactions are signed with private keys that are stored safely offline.
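The "unlimited allowance" in the airdrop scam above and the "revoke unlimited spend" step here are the same ERC20/BEP20 mechanism, `approve(spender, amount)`, seen from both sides. The following is an added example (not code from the article, MetaMask or revoke.cash) that decodes the calldata of an approve transaction the way a confirmation screen would, flags an effectively unlimited amount before it is signed, and builds the zero-amount approve that revokes it. The selector 0x095ea7b3 is the standard ERC20 `approve(address,uint256)` selector; the spender address and amounts are constructed for the example, and the "unlimited" threshold is a heuristic, not a standard.

```python
# Standard 4-byte selector of approve(address,uint256): first four bytes of
# keccak256 of the signature. Hard-coded because hashlib has no keccak.
APPROVE_SELECTOR = "095ea7b3"
UINT256_MAX = (1 << 256) - 1

# Heuristic: no real token supply comes near 2**128 base units (a trillion
# tokens with 18 decimals is ~1e30, far below ~3.4e38), so anything larger
# is treated as "unlimited" even if a DApp used 2**255 or 2**96-1 rather
# than the exact uint256 maximum.
UNLIMITED_THRESHOLD = 1 << 128


def _strip_0x(hexstr):
    hexstr = hexstr.strip().lower()
    return hexstr[2:] if hexstr.startswith("0x") else hexstr


def decode_approve(calldata_hex):
    """Return (spender, amount) for approve calldata, or None if it is not one.

    ABI layout: 4-byte selector, then two 32-byte words; the address is
    right-aligned in its word (12 zero bytes, then 20 address bytes).
    """
    data = _strip_0x(calldata_hex)
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        return None
    if data[8:32] != "0" * 24:           # padding must be zero for a valid address
        return None
    spender = "0x" + data[32:72]
    amount = int(data[72:136], 16)
    return spender, amount


def encode_approve(spender, amount):
    """Build approve(spender, amount) calldata. amount=0 is the standard revoke."""
    addr = _strip_0x(spender)
    if len(addr) != 40 or not (0 <= amount <= UINT256_MAX):
        raise ValueError("bad spender or amount")
    return "0x" + APPROVE_SELECTOR + addr.rjust(64, "0") + format(amount, "064x")


def review_approval(calldata_hex):
    """Classify what a pending transaction would grant: the check to make
    before clicking Confirm."""
    decoded = decode_approve(calldata_hex)
    if decoded is None:
        return "not-an-approve"
    _, amount = decoded
    if amount == 0:
        return "revoke"
    if amount >= UNLIMITED_THRESHOLD:
        return "unlimited"
    return "limited"


def revoke_calldata(calldata_hex):
    """Given an approve you regret, the approve(spender, 0) that cancels it."""
    decoded = decode_approve(calldata_hex)
    if decoded is None:
        raise ValueError("not an approve call")
    spender, _ = decoded
    return encode_approve(spender, 0)


if __name__ == "__main__":
    # Constructed spender address, not a real contract.
    spender = "0x" + "ab" * 20
    scam_claim = encode_approve(spender, UINT256_MAX)
    print(review_approval(scam_claim))          # unlimited
    print(review_approval(encode_approve(spender, 100 * 10**18)))  # limited
    print(review_approval(revoke_calldata(scam_claim)))            # revoke
```

The amount MetaMask displays on an approve confirmation is this `amount` field scaled by the token's decimals; a value that renders as an astronomically large number (or as "unlimited") is exactly what the scam claim pages ask for. Revoking is not a special operation: it is the same approve call with the amount set to zero, which is what revoke.cash submits on your behalf.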
Here is a guide to connect and use Ledger & Trezor with Metamask.
Also, just connecting a hardware wallet to Metamask doesn't protect your accounts completely. You still need to avoid signing a bad contract.
Now let's look at the recommended Metamask settings to secure your wallet further.
Recommended metamask settings
- Auto lock wallet – Open Metamask >> Settings >> Auto-Lock Timer (Minutes) and set it to less than 5 minutes.
- Advanced gas controls – Open Metamask >> Settings and turn on advanced gas controls, which shows the gas price and gas limit controls directly on the send and confirm screens.
- Turn off experimental – Go to Metamask settings and turn off any experimental settings. Experimental settings are used at your own risk; for most users they can remain turned off.
- Turn on phishing detection – Open Metamask settings >> go to Security & Privacy >> turn on phishing detection. This displays a warning for phishing domains targeting Ethereum users.
- Show incoming transactions – On the same Security & Privacy page you can turn on Show incoming transactions. This uses Etherscan to show incoming transactions in the transactions list.
- Turn off MetaMetrics – Participating in MetaMetrics helps make Metamask better. You can turn it off under Security & Privacy.
- Alerts – Next go to Settings >> Alerts and turn on all the alerts listed on the Alerts page.
- Experimental features – Again, go to Settings >> Experimental tab and turn off all the experimental features.
Metamask wallet mobile settings
In the mobile app all these settings can be found under the Security & Privacy tab. Open your Metamask, go to Settings >> and tap Security & Privacy. Here you can set the auto-lock timer, turn on privacy mode, turn off experimental features, and clear privacy data, browser history and cookies at regular intervals. You can also choose your preferred login method, either Face ID or password. We recommend using a password / passcode instead of facial recognition.
That's it! With all these settings you've drastically improved the security of your Metamask wallet. Still, your Metamask can get hacked if you are negligent. So be aware of the sites you connect to and the contracts you sign. If you are not sure about a DApp, simply stay away and don't sign anything. Also, don't fall for phishing scams. Being a savvy Web3 user requires a high level of personal responsibility.