Many websites, emails, and social media profiles imitate MetaMask, attempting to access your accounts and steal your funds. Let's take a look at how you can tell them apart from the real thing.
If you're already looking at a site or popup and wondering whether it is legit, scroll down to 'Fake MetaMask variants'.
Otherwise, here are some principles that will apply regardless of the situation you're in:
- There are only two forms of MetaMask wallet: browser extension and mobile app. These are the only places you can sign transactions. Do not click any other prompted 'transactions' or buttons.
- MetaMask will not give you assets. This includes NFTs, tokens, fiat currency, airdrops, or random giveaways.
- MetaMask does not need you to routinely enter your Secret Recovery Phrase (seed phrase). The only times you need to enter it for legitimate reasons are:
  - When you create your wallet for the first time, to confirm that you've recorded it somewhere.
  - If you try to restore your wallet or reset your password.
- Scams can often be recognized. Some scams are sophisticated, but many are not. Compare what you're seeing with official sites like metamask.io and support.metamask.io, as well as your wallet itself. Look for telltale cosmetic signs like:
  - Grammatical errors
  - Shoddy or outdated branding/images, and poor formatting generally.
- If you're suspicious, don't take the risk. If you want more opinions on the potential scam you've encountered, contact Support via the 'Start a Conversation' button on our homepage or ask others in our Community.
Fake MetaMask variants
Extensions listed on the Chrome Web Store and the Firefox Add-ons store are moderated by the stores themselves to ensure no fraudulent apps are available; naturally, this covers MetaMask too.
Nevertheless, sometimes you may be asked to download MetaMask from elsewhere. Never download MetaMask from anywhere other than:
- Clicking the 'Install' button on metamask.io/download
- The official browser extension store (Chrome Web Store, Firefox Add-ons store, etc.)
If you download directly from a fraudulent website and enter your SRP, your wallet is compromised.
Many websites will attempt to replicate MetaMask in some way or other. The main, lucrative objective is usually to trick you into entering your Secret Recovery Phrase somewhere.
You should never enter your Secret Recovery Phrase on any website, regardless of how convincing it is. No legitimate MetaMask website will ever ask for your Secret Recovery Phrase. Non-malicious dapps will never do so either — so if any website does, don't enter it under any circumstances.
If you recall first setting up your MetaMask wallet in a desktop browser, you may remember something that looks and feels like a web page: full-screen MetaMask Extension. When you re-enter your Secret Recovery Phrase whilst setting up your wallet for the first time, it will have been in the full-screen version of MetaMask.
It isn't, however, a conventional web page, but just a different way to view certain pages built into the extension. You can tell it apart by the contents of the address bar, which clearly show it's part of MetaMask Extension; this holds in Chrome, and other browsers are similar.
If you think you're on a full-screen version of MetaMask and it doesn't have a URL that clearly shows it as an extension page, it's not a legitimate version of the wallet, and you should close it immediately.
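The address-bar check described above, combined with the earlier advice to compare against metamask.io and support.metamask.io, can be written down as a small classifier. This is an added example, not MetaMask's own code: the function name, the result labels, the lookalike heuristic and the sample extension ID (a constructed placeholder, not MetaMask's real ID) are all assumptions made for illustration.

```javascript
// Hosts this page names as official; exact matches only.
const OFFICIAL_HOSTS = new Set(["metamask.io", "support.metamask.io"]);
// URL schemes browsers use for pages built into an installed extension.
const EXTENSION_SCHEMES = new Set(["chrome-extension:", "moz-extension:"]);
// Constructed placeholder. In practice, pass the ID your browser's extension
// manager lists for the MetaMask you installed from the official store.
const SAMPLE_EXTENSION_ID = "aaaabbbbccccddddeeeeffffgggghhhh";

function classifyPage(addressBarText, expectedExtensionId) {
  let url;
  try {
    url = new URL(addressBarText.trim());
  } catch {
    return "unparseable";
  }
  if (EXTENSION_SCHEMES.has(url.protocol)) {
    // For extension pages the "host" part of the URL is the extension's ID.
    return url.hostname === expectedExtensionId
      ? "metamask-extension-page"
      : "different-extension";
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return "not-a-web-or-extension-page"; // data:, file:, blob: and so on
  }
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing root dot
  if (url.protocol === "https:" && OFFICIAL_HOSTS.has(host)) {
    return "official-website"; // still a website: never a place to type the SRP
  }
  // Heuristic (assumption): the brand name inside another host name, or a
  // punycode label that may render as look-alike characters, is an imitation.
  const labels = host.split(".");
  const imitates =
    host.includes("metamask") || labels.some((l) => l.startsWith("xn--"));
  return imitates ? "lookalike-website" : "unrelated-website";
}
```

Only the "metamask-extension-page" result corresponds to the full-screen wallet view; every other result, including "official-website", is a place where the Secret Recovery Phrase should never be typed.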
Imitation is supposedly the highest form of flattery, but flattery for phishing's sake is substantially less endearing.
Posing as a support agent is a classic phishing method, since it gives scammers a pretext for asking for sensitive information. You can identify fraudulent 'support' by looking out for:
- Unsolicited contact. Our Support team never contacts you first.
- Location. Official Support is delivered through the chat window available on the homepage of this site, and, sometimes, Zendesk tickets (also accessible via email). We never discuss specific support cases on social media like Twitter, Telegram, Discord, Instagram, or others, even in direct messages.
- Asking for your Secret Recovery Phrase. We never do this.
If you're ever unsure how to reach legitimate MetaMask Support, click the buttons in MetaMask itself. On Extension, click your account icon and then 'Support'; on Mobile, tap the menu button.
Remember how the MetaMask Extension pops up when you're prompted to sign a transaction? Well, some scams take advantage of this by creating similar pop-up windows.
Here are some principles to keep in mind, and to prevent yourself from becoming a victim:
- MetaMask will never pop up without you initiating a transaction. This means you need to click on some kind of button on a connected dapp for the genuine MetaMask to respond. If something appears as soon as you enter a site, or just randomly, it's likely a scam.
- MetaMask will almost never require you to enter your Secret Recovery Phrase. The only times you should be asked to enter it are when you're confirming a new Secret Recovery Phrase or restoring MetaMask from an existing one. Your Secret Recovery Phrase is likely to be the scammer's main target when confronting you with pop-ups.
- MetaMask provides you with information on the transaction you're signing. If a pop-up is asking you to sign a 'transaction', or anything else, with very little context (destination address, amount, gas price, etc.) it is most likely fraudulent. Transactions involving smart contracts often provide additional contextual information too — if this is absent, you may be interacting with a scam.
Remember: if, at any time, you think you might have encountered a scam, please get in touch with us via the chat window on the homepage of this site.
If you report the scam, there's a higher chance that we'll be able to prevent other users from encountering it. We appreciate any contributions to helping us make web3 safer.