Scams and phishing

Self-custody means you fully control your funds and where they are sent, and that you don't need to ask any authorities for permission to send or approve transactions.

With that power comes an unfortunate externality. Scammers know that if they trick you into handing over your wallet backup or sending them funds, they can gain full control over them because every transaction is final and irreversible by design.

With this in mind, it's important to learn about some of the most common scams out there and how to avoid them.

Here are some of the most common tactics we’ve seen used against Trezor users, and how to recognize them before it’s too late.

Phishing

Phishing is the most common scam you will encounter in the cryptocurrency space.

The target is most likely your wallet backup, but it can also be other types of information such as passwords or identifying information that can be used to impersonate you later.

Trezor users are often targeted with fake emails, websites, or phone calls pretending to be from us. Scammers now use AI to imitate official support, not just in text but also in voice and video.

Because of this, you cannot judge safety by how “professional” a message looks or sounds.

The rule is simple: any request for your wallet backup, PIN, passwords, or codes is always a scam.

If you self-custody your cryptocurrency, you alone control it. No legitimate company, including Trezor, will ever ask for your wallet backup. It belongs to you, and only you.

This is why scammers try so hard to trick you into handing it over. If they get your wallet backup, they can move your funds.

The only legitimate actions you’ll ever need to take are updating your Trezor device firmware and Trezor Suite through the desktop app.

Always check that software updates and websites are authentic before proceeding.

How to identify phishing scams

• Be wary of urgent or threatening language. Scammers may use urgent or threatening language to pressure you into taking immediate action. For example, they may claim that your account will be suspended or that you'll lose access to your funds if you don't act quickly.
• Watch out for suspicious email addresses. Scammers may use email addresses that are similar to the legitimate company's email address but with slight variations, such as a different domain name or a misspelling. For example, instead of @trezor.io, the scammer may use @trezorr.io.
• Be cautious of unsolicited messages. If you receive a message from someone you don't know or weren't expecting, be cautious. Scammers may use fake social media profiles, emails, or messages to contact you and try to steal your information.
• Don't click on links or download attachments from unknown sources. Scammers may send links or attachments that can infect your device with malware. Always verify the sender and the contents of the message before clicking on any links or downloading any attachments.
• Look for spelling and grammar mistakes. Legitimate companies take great care to ensure their communications are free of spelling and grammar errors. Mistakes in a message can be a red flag for phishing attempts. However, even error-free messages are not always legitimate—modern AI tools enable scammers to craft highly convincing and professional-looking messages. Always verify the content and source of any communication.

By keeping these additional tips in mind and following the original ones, you can protect yourself from phishing scams and keep your digital assets safe.

Device deactivation threats

Trezor cannot and will not deactivate your device. We do not have the physical ability to impact your device in any way.

Any message claiming your Trezor will be disabled unless you perform an action (often citing KYC, account problems, or “security issues”) is a scam.

These phishing attempts try to create panic so you act quickly and hand over your wallet backup.

If you get one of these messages, do not reply, click links, or call any number provided. Never reveal wallet backup, PIN, or passphrase and report the phishing attempt to Trezor via our official support page so we can warn others.

Best practices to avoid phishing scams

Scammers often use AI to impersonate support agents, leveraging advanced text, voice and video technology to seem legitimate. Always scrutinize the content of any message you receive. If it asks for sensitive information like your wallet backup, password, or 2FA code, assume it’s a scam and stop engaging immediately. Protect your details and never share them with anyone.

Bookmark legitimate and trusted sites

One way to ensure that you are accessing a legitimate Trezor web wallet is to bookmark it in your browser. This will allow you to quickly access the site without having to type in the URL each time. Make sure to only bookmark web wallets that are known to be legitimate and trusted, such as https://suite.trezor.io/web. By doing so, you can reduce the risk of falling victim to a phishing scam and keep your digital assets safe.

Download Trezor Suite safely

To ensure that you download the genuine Trezor Suite application and avoid falling victim to phishing scams, it is crucial to only download it from the official Trezor website at https://trezor.io/trezor-suite.

If they reach out to you first, don't trust them

If you receive a message claiming to be from Trezor via text message, WhatsApp, Telegram, phone call, or postal letter, treat it as a phishing attempt. Report the message as spam and block the sender immediately. Trezor will never contact you through these methods. Exercise caution with unsolicited communications and verify their sources. Report any suspicious activity to Trezor's official channels. Stay vigilant and safeguard your digital assets.

Never share or create digital copies of your wallet backup

Your wallet backup is the key to your digital assets and should be kept confidential at all times. Sharing it or making digital copies can put your assets at risk, as they may become accessible to hackers or unauthorized individuals. To ensure the security of your investments, store your wallet backup in a safe and secure location, away from prying eyes. Protect your digital wealth by keeping your wallet backup private.

Only interact with Trezor's official channels for your safety and security

Authentic SatoshiLabs domain names:

• @trezor.io
• @invity.io
• @vexl.it
• @tropicsquare.com
• @satoshilabs.com

Our official social media channels are:

• twitter.com/trezor
• instagram.com/trezor.io

Our affiliate program also has unique links that help to identify them as partners, which include:

• https://trezor.go2cloud.org/
• https://affil.trezor.io/

How to report Phishing Scams

To report a phishing message, simply type “I want to report phishing” to Hal and follow the instructions. Hal will guide you through the process of reporting the message and provide you with any additional information you may need. By reporting phishing attempts, you can help protect other Trezor users and prevent cyber attackers from stealing digital assets.

Additionally, it's recommended to keep an eye on our official Trezor Forum for any news or updates concerning security.

By taking these precautions outlined in this article and staying informed, you can enjoy the security and peace of mind that comes with using your Trezor.

On-chain scams

On-chain scams usually involve airdrops or interactions with smart contracts.

This is why you should treat any token or asset that shows up in your wallet unexpectedly with caution and always check every smart contract you interact with before signing.

Address poisoning attack

Address poisoning is a type of scam where attackers send tiny amounts of crypto to your wallet from an address that looks almost identical to one you have recently interacted with. The goal is to “poison” your transaction history, hoping you’ll accidentally copy and paste their fake address instead of the real one the next time you send funds. Since crypto addresses are long and complex, many users rely on copy-paste, which is what makes this scam effective.

Dusting attacks & airdrop scam tokens

Dusting attacks are low-effort attempts to deanonymize or bait you.

An attacker sends tiny amounts of crypto to many addresses (the “dust”) and then watches for any on-chain activity from those addresses to link them together or to trick you into interacting.

If you receive dust, do nothing, do not move, consolidate, or “clean up” the tiny amounts.

Fake airdrops are another type of dusting attack, where attackers send tokens to blockchain addresses en masse. These tokens either contain a link to a malicious website, or contain a malicious smart contract themselves. They are often fake versions of existing tokens and NFTs.

Malicious smart contracts

Scammers will airdrop worthless or malicious tokens and then prompt you to “claim,” trade, or approve them by interacting with a malicious smart contract.

They can also create fake websites posing as well known Web3 portals, often relying on users to not pay attention to what they are signing.

Never connect your wallet to untrusted sites, never approve token allowances you don’t fully understand, and never follow urgent instructions from unsolicited messages.

If you’re worried about an approval you already made, review and revoke permissions only with a trusted tool.