How do I keep my money safe?
At Exodus, we are passionate about giving you full control over your funds. When we say “full control,” we mean FULL control. Exodus as a company does not store any data about your wallet; we cannot view, access or control your wallet in any way because all of your wallet’s information is stored locally on your computer.
This means that we do not know anything about your password, 12-word phrase, private keys, or even your public addresses. Essentially, your Exodus wallet is your own personal crypto-bank - you have the keys to the front door, and the combination to the vault.
With the power of controlling your own bank comes the added responsibility of protecting it. The topics in this article will teach you how to protect your new “crypto-bank” and strengthen your security profile. As you wouldn’t want your actual bank to be a place where anyone could just walk in and take whatever they want, you shouldn’t let your wallet and computer be like that either.
Here’s how we suggest you use this guide:
- Browse through it once to get an idea what we’re talking about.
- It’s likely you’ll get discouraged by the number of things to do and all that information. Don't be. You don’t have to do all of it at once. We’ll take it step by step. But it's important that you implement these security practices; otherwise, your funds are at risk!
- So, start from the beginning and implement the suggestions in Tier 1. It’s easy!
- Give it a day, play around with your wallet, do your exchanges. Then start implementing Tier 2.
- Some things in Tier 2 can be done right away, others need some research, like which password manager or VPN to use. You’ll perhaps decide to make a small investment too. In any case, within a few days, you should be all set!
- Congrats! You deserve a little break to enjoy the fruits of your labour!
- Then move on to Tier 3. Here it will probably take a little longer and you’ll have to invest a little more to complete all the steps. Take your time. Start with those you can do right away and then slowly move to the next. Your hardware wallet will probably take some time to arrive anyway.
- Yes! After Tier 3 your protection is top-notch! You still have Tier 4 but you can bask in the glory of your security skills for a while. After all, Tier 4 is something that will be gradually accomplished. It needs to be done but here you can definitely pace yourself as there are some serious investments involved and things get more technical. But once you’re done, you’ll be as protected as you can be!
- Oh! And one more thing: Along with these Tiers, always keep in mind the last section when browsing the crypto space! Because there’s passive safety and active safety.
Now, if you feel that you can't or don't want to complete at least the first two Tiers to protect your funds, perhaps you'd like to consider alternative methods of storing them. Here's an article we've written on the subject. However, please keep in mind that many of the security practices discussed here are needed regardless of where you keep your crypto!
Exodus is only as secure as the computer it is installed on and your security practices!
So, please don’t skip on these protection measures. They’re the only thing standing between the hackers and your money!! And if you’re thinking “Why would a hacker bother to hack me?”, think again. Hackers may indeed not target you specifically but they do target you. If such an unfortunate incident were to happen it would be impossible to retrieve your funds; not even Satoshi could do it. It's how the blockchain works. On top of that, we don't reimburse hack cases. So, prevention is the only way here.
You need to ask yourself: “How much is my money worth to me?” and act accordingly to keep the Big Bad Wolves out!
Tier One covers the very basic security measures that everyone should be using to protect their computer, wallet, and funds. They’re the bare minimum of what you should apply. They won’t get you far, but without them, you might as well start throwing your money in the air out in the street. So, let’s get started!
1. Protect your 12 words
This is the number one rule! Your 12-word phrase is like the master key to your wallet. Anyone who has access to your 12-word phrase will be able to access any and all funds in your wallet. Since this is such an important piece of information, you will need to take the necessary steps to protect it from prying eyes.
- Keep your 12 words on paper.
- Print them on your home printer.
- It’s important that you do not print on any public printers, such as in your work or library.
- If you don’t have a private printer at home, write your 12 words by hand.
- They must be saved in the correct order and spelling. So, play it safe and triple check that your words are written in the same order and spelt the same as how they are presented to you in your wallet.
- Keep them somewhere private and safe. The drawer of your desk is not such a place unless it can be locked.
2. Do not export your Private Keys
Your Private Keys are similar to your 12-word phrase, except they only allow access to certain assets. Your Ethereum and Ethereum Assets are all controlled by the same Private Key. So, if it’s compromised, all of these assets are in danger! Bitcoin and the other assets have a bunch of Private Keys, each controlling a single address. But still, a single one of them can compromise all of them. For this reason, we want you to keep your Private Keys as safe as possible and as such we’ve hidden them away. You can still get to them, they’re yours after all, but it’s not recommended.
- Exporting them to keep them safe doesn’t increase security. The safest place for them to be is in your wallet. Your wallet protects your Private Keys with heavy encryption, so exporting them actually weakens your security.
- For this reason, since version 1.57, Private Keys are no longer exported in a CSV file but are shown on screen. That way you don't export them to your desktop (or perhaps the trash), where they might be forgotten in their vulnerable, unencrypted form. You can still copy them, but they are now harder to compromise. To get this protection, don't forget to upgrade Exodus.
3. Create a unique, strong password for Exodus
You've heard that before, but do you know what it means?
- Unique means: Not at all similar to any other password you use. Your Exodus password should not be the same or a variant of your email password, your social network passwords or any other password for that matter.
- Strong means: At least 12 characters long, not based on words or personal info (like your birthday), and it should include numbers, symbols, and mixed capitalization. And don’t put these special characters at the beginning or the end; spread them within the password.
- This video goes into more detail with tips for creating a strong password.
THE ABOVE IS PRIVATE INFORMATION AND MUST REMAIN SUCH!
Do not share any of them with anyone, not even Exodus staff!
Do not store any of these on your computer, phone, cloud, flash drive, Dropbox or any other such service or device!
(The password managers discussed later are an exception because they were made for the purpose of keeping information private, but even those need care in how they are used)
4. Keep your (legitimate) OS and your apps up to date. Especially Exodus.
I know, those update notifications have a nasty habit of popping up right when you are settling in to (re)watch the third season of The Office - use that update time to make a snack and crack open a beer. That way you’ll have the peace of mind knowing your apps are up-to-date. Many people think that keeping their OS up to date is not important for security, but experts think this is one of the most important tasks a user can do to keep their computer safe.
- This reduces your chances of being targeted with zero-day exploits (What are zero-day exploits?).
- We’re not kidding about the legitimate copy of Windows (MacOS and Linux are free). It’s not worth compromising your computer to save a few bucks. Because you don’t know what backdoors you’re installing with a pirated copy.
- We roll out a new version every second Friday, so make sure to stay up to date. Also, whenever there’s a security patch, you’ll get notified from within the app itself. In that case, install it right away!
5. Don’t visit suspicious sites or download material from untrusted sources
While these seem obvious and well-known to most, it’s common to act against our better judgment in these cases, because we simply must see that funny video of the puppy yawning that a random contact on Facebook just sent us. Don’t!
- Do not follow links randomly sent to you in an email, messenger, Reddit, Telegram, or any other communication platform.
- Do not open attachments in emails if you do not trust the sender. Even if you do, be sceptical if anything seems out of place (like getting an email you didn't expect). If necessary contact the sender to verify they have sent the email themselves.
- You can use https://www.virustotal.com to check links for security flags.
- While rare, visiting a malicious website can download and install sophisticated malware that can open a backdoor and give an attacker complete control of your computer.
6. Don't boast about your crypto holdings
Especially publicly. Many YouTubers have fallen victim to hacks because they broadcast their holdings to the world and, on top of that, didn't take the necessary measures to protect themselves. There's no need to put a target on your back. Talk about crypto, definitely, just don't advertise that you hold a small (or big) fortune. This advice holds true up to Tier 4 and beyond!
After these steps, you’re protected against 50% of threats.
It’s not much, we know. But we didn’t do much either, right? We only went over the basics, things that you probably have already heard at some point, but perhaps didn’t take into account. Well now you do and perhaps that’s the biggest gain: the fact that you’re starting to develop a security-oriented way of thinking. That can go to great lengths in protecting you.
Was Tier One a breeze? Do you already keep your 12-word phrase in a steel trap? Are you that friend who looks forward to OS updates? Even if you weren’t, you are starting to become one, right?
In any case, you are ready for Tier Two! This is where you can really step up your game, and give yourself some added peace of mind that your wallet and computer are better protected.
1. Enable 2FA on all accounts.
This means emails, social media, exchanges and everywhere that’s available.
Don’t know what 2FA is? 2FA stands for Two-Factor Authentication and is usually implemented through your phone. It works on the principle that in order to log in to your account you need two things: something you know (your password) and something you have (your phone). Want more info? Sure you do, so here’s the Wikipedia page.
- Use Google Authenticator or Authy. Don’t use SMS or email 2FA. It’s bad!
- Here’s a video demonstration of Google Authenticator.
- Why doesn’t Exodus have 2FA? Great question! Take a look at this article which goes into detail about this very topic.
2. Use a password manager
In the first tier, you created a unique and strong password for your wallet. Now, you might be worried that your other passwords aren’t so secure. With so many accounts and passwords to remember nowadays, it’s easy to slip into the bad habit of reusing your favourite password. Don’t! Using the same or similar passwords for everything can unravel your whole security net!
An easy way to create strong passwords, and track them across your accounts, is to use a password manager.
- There are a number of free and paid high-quality password managers on the market. Depending on your preferences and your operating system, you will need to choose the option which works best for you. These are a few of our favourites:
  - Keepass is a free, open-source option for Windows. They also have unofficial distributions for other platforms.
  - A cross-platform app that has both a free and paid plan is LastPass.
  - We as a company use 1Password. It has only a paid plan but we recommend it as a wise investment. At first, you can start with the online account but as we move forward things will move offline!
  - For Mac users, there’s the option to use Apple’s own Keychain that can be synced through iCloud to all other Apple devices. Although such a solution might be acceptable for this Tier, it’s not recommended as a strong security practice, because the keychain is not protected by a second password other than your computer's password.
  - And here is a review of free apps from PC Magazine if you want to explore other options as well.
- Change all of your important passwords to be strong and unique. Here are some accounts you should definitely consider important:
  - Exodus (but see point number 7 below)
  - Any platform that stores your financial information, such as:
    - Bank accounts
    - PayPal, Venmo, etc.
    - Uber, Lyft, etc.
    - GrubHub, Deliveroo, etc.
- Use your password manager to generate strong passwords for each of those accounts. Set your password manager to generate passwords that are:
  - At least 30 characters long.
  - With numbers, mixed capitalization, and symbols.
- Check if any website that you log in to has been compromised with the website https://haveibeenpwned.com/ - if your password has been compromised, change it immediately!
IMPORTANT: Some browsers offer to remember your passwords. Don't use that feature! It's not safe. For example, if your Google account was compromised, all the passwords stored in Chrome would be compromised too! Delete any passwords stored by your browser and keep them only in your password manager.
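A password can be checked against known breaches without disclosing it. This added example (not from the original guide) goes one step beyond the website lookup and sketches the k-anonymity range query that Have I Been Pwned offers for passwords: only the first five hex characters of the password's SHA-1 leave your machine, and the match is made locally. `fake_range_server` and its sample data are constructed stand-ins so the example runs offline; a real client would fetch `https://api.pwnedpasswords.com/range/<prefix>` instead.

```python
import hashlib

# Constructed sample data: a tiny stand-in for the breached-password corpus.
# The counts are made up for this example.
CONSTRUCTED_BREACHED = {"password": 1000, "123456": 2000, "qwerty": 500}

# Constructed decoy suffix, standing in for the hundreds of unrelated
# suffixes that share a prefix in a real response.
DECOY_SUFFIX = "0" * 35


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_server(prefix: str) -> str:
    """Local stand-in for the range endpoint: given a 5-character hash prefix,
    return every known suffix with that prefix as 'SUFFIX:COUNT' lines."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    lines = [f"{DECOY_SUFFIX}:3"]
    for password, count in CONSTRUCTED_BREACHED.items():
        digest = sha1_hex(password)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def pwned_count(password: str, fetch_range=fake_range_server) -> int:
    """Return how many times `password` appears in the breach data (0 if never).

    Only the 5-character prefix is handed to `fetch_range`; the password and
    the remaining 35 characters of its hash never leave this function.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for candidate in ("password", "a-long-Passphrase-that-is-not-in-the-sample-7!"):
        hits = pwned_count(candidate)
        verdict = "change it immediately" if hits else "not found in the sample data"
        print(f"{candidate!r}: seen {hits} times, {verdict}")
```

A count of zero only means the password is absent from the data that was queried; it still has to be unique and strong.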
3. Use a VPN and a firewall
A firewall is a necessary tool to have both on your computer and on your router. Firewalls protect your network from unauthorized traffic, especially from the Internet to your computer. A VPN gives you added privacy by securing and encrypting your communications and protects you from people intercepting your activity. It is especially important to use these tools when you are on an untrusted network.
- Don’t ever use public WiFis without them, and even then avoid any sensitive activity.
- Including a VPN and Firewall in your daily routine is especially important if you spend a lot of time working, studying, or just watching Netflix at your local cafés, bars, or bookstores.
- All Operating Systems come with a default firewall nowadays, but there are some paid options that offer better functionality and protection. Here are our recommendations:
- There are many VPNs to choose from depending on your needs and the price you’re willing to pay. Some of them offer free solutions as well. Keep in mind though, that a VPN will slow down your internet speed and depending on whether it’s free or paid the impact might vary.
To learn more about how VPNs work, and why you should use one, check out our article: Why a VPN Matters for Crypto Users
4. Safeguard your network
Network security settings are often overlooked when learning how to protect a computer. Don’t make the mistake of ignoring these settings. These little soldiers quietly add layers of protection to bulk up your security profile and deter malicious activity. Learning how to increase security on your home network is a quick way to make huge strides in protecting your assets.
- Enable WPA2 encryption on your WiFi. If not possible, use WPA.
- Do not use WEP!
- WPA2 means nothing without a strong, unique password. You have all the tools now to use one.
- Disable WPS. It makes your network insecure!
- Change the router’s default password. You know the drill: Unique, strong password created by your password manager.
- Upgrade your router’s firmware regularly.
- Want to read more? Then have a look here: How to Secure Your WiFi Network Against Intrusion
5. Use antivirus and anti-malware programs, and keep them up to date.
Antivirus and antimalware programs are great for keeping you ahead of the curve and adding yet another layer of protection. While these are great tools to have in your arsenal, it’s important that you don’t rely on them to catch every problem in your computer.
Antivirus isn’t a catch-all and won’t protect you from unsafe browsing/downloading. If you come across a link or file that you are unsure about, use virustotal.com to check for security red flags.
6. Keep your 12 words safe!
"Wait, didn’t we already talk about 12-words in the first tier?" You bet! Your 12-words are so important that they are worth mentioning twice. These Tier 2 tips will help you keep them extra safe:
- Don’t print them; write them down. We already mentioned this in Tier 1 as an option if you don’t have a printer at home, but it’s a good practice either way.
- Create two copies that you keep in separate, secure locations. One in your house, hidden away in the pages of a book or stashed behind old stuff in a cupboard. The other at a completely different location, like your parents’ house or buried in the yard, so if one is destroyed by fire or flood, you’ll still have the other.
- Laminate them to protect them from the elements (do it at home, don’t go to a store: Clear packaging tape or clear book cover work just fine)
- Don’t use them unless absolutely necessary.
- If you need to restore, use your backup link first.
- After all these, our article: The Do's and Don'ts of 12-Word Phrases and Private Keys will likely be preaching to the choir, but do give it a read!
7. "I'm reading the article and I've been doing everything wrong! What should I do?"
If you found that your security practices haven't been the best ones so far, don't worry, you can always correct things. In some cases though, more drastic measures need to be taken.
- If your Exodus password hasn't been strong or unique, it's better if you create a new wallet with Exodus. Changing your password isn't enough, because your old backup link still works in combination with your old password.
- We know this isn't ideal, but because we don't keep your email we can't know what your old backup link is in order to invalidate it when you get a new one. But we are looking into how we can work around this.
- If you were keeping your 12 words on cloud services, or in another electronic form, deleting them from there might not be enough. You never know what traces might be left behind. In this case, it's better if you create a new wallet, like above.
- If you have been using untrusted or pirated software the only way to be sure that you're running a clean system going forward is if you do a clean install of your Operating System. We know it's a drag, but all the security measures are for nothing if your computer has malware on it.
After these steps, you’re 80% protected
“What?!?! Are you kidding me? After all these things I’ve done, I’m only protected like 80%??” Yes, but the most common attacks happen in that 80%. Truth be told, even if you stopped here and did nothing more, you’d probably be okay and it would likely take a careless act to compromise your wallet. But that’s not good enough, right? You want the peace of mind that your assets are truly protected! After all, it’s your hard-earned money we’re talking about here. So take a break as suggested, and then keep protecting.
You’ve made it through Tiers One and Two! Pat yourself on the back on a job well done! It’s as if you have a small army protecting your network and computer now. And yet, even with all of your new security measures in place, you still have a sneaking suspicion that there are lingering vulnerabilities. After all, there’s still 20% of attacks that might affect you.
That brings you to Tier Three. This is where you will really start to fortify your security profile and make it extremely difficult for anyone to capitalize on any remaining loose ends.
1. Don’t keep large amounts in Exodus, use a hardware wallet
Exodus, being a software wallet, is only as secure as the computer it’s installed on and your security practices, and that’s what we are addressing here. But still, even after Tier 4, you’ll only be 99.9% protected, because no computer can ever reach 100%. For that reason, we suggest that you use a hardware wallet to store significant amounts of money. We discuss this in a little more detail here. This article has some links which we strongly suggest you read, especially the one discussing the vulnerabilities of software wallets.
If you choose to use a hardware wallet, make sure to buy it directly from the manufacturer. Do not purchase a hardware wallet on eBay, Craigslist, or any other retailers as you do not know if the product has been tampered with. Which hardware wallet you use is basically a preference issue, based on its features, the assets it supports, its ease of use and of course its price. Here are the most well-known wallets:
2. Bring your password management to the next level
- Change all your passwords to the strongest type available
You already changed your important passwords, now it’s time to change all of them and let your password manager handle them for you. Use the strongest, longest, baddest option available: 64 characters with 10 numbers and 10 symbols (that’s what 1Password offers). This kind of password will take several times the age of the known universe to crack with today’s computers. I’d say any potential hacker would have their work cut out for them.
- Remember part of your passwords
If you want to really take it to the next level you can memorize the last 4 characters of your most important passwords and delete those characters from the passwords stored in your password manager. That will protect these accounts in case your password manager account is compromised somehow. But don’t do this if you are not absolutely certain that you’ll remember those characters and don’t do it for more than 2 or 3 of them (your Exodus and your email, for example).
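The password rules from Tiers 1 to 3, as an added example that is not part of the original guide or any password manager's code: a generator that draws from the operating system's secure random source, places a fixed number of digits and symbols away from the first and last position, and a checker for the Tier 1 rules. The symbol set and the function names are assumptions; the "not based on words or personal info" rule needs a dictionary and is not checked here.

```python
import secrets
import string

# Assumption: an illustrative symbol set; sites differ in which symbols they accept.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"
_rng = secrets.SystemRandom()  # OS-backed secure randomness, used for shuffling


def generate(length: int = 30, digits: int = 4, symbols: int = 4) -> str:
    """Return a password with exactly `digits` numbers and `symbols` symbols,
    mixed-case letters everywhere else, and a letter at each end."""
    letters_needed = length - digits - symbols
    if length < 12:
        raise ValueError("Tier 1 asks for at least 12 characters")
    if digits < 1 or symbols < 1:
        raise ValueError("need at least one number and one symbol")
    if letters_needed < 2:
        raise ValueError("need at least two letters for the first and last position")

    # One lowercase and one uppercase letter are guaranteed; the rest are random.
    letters = [secrets.choice(string.ascii_lowercase),
               secrets.choice(string.ascii_uppercase)]
    letters += [secrets.choice(string.ascii_letters)
                for _ in range(letters_needed - 2)]
    _rng.shuffle(letters)

    # Two letters take the ends; digits and symbols are spread through the middle.
    first, last = letters[0], letters[1]
    middle = letters[2:]
    middle += [secrets.choice(string.digits) for _ in range(digits)]
    middle += [secrets.choice(SYMBOLS) for _ in range(symbols)]
    _rng.shuffle(middle)
    return first + "".join(middle) + last


def check(password: str, min_length: int = 12) -> list:
    """Return the Tier 1 rules that `password` breaks (empty list = passes)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(not c.isalnum() for c in password):
        problems.append("no symbol")
    if password and not (password[0].isalpha() and password[-1].isalpha()):
        problems.append("number or symbol at the beginning or end")
    return problems


if __name__ == "__main__":
    print("Tier 2 (30 characters):      ", generate(30))
    print("Tier 3 (64 chars, 10 + 10):  ", generate(64, digits=10, symbols=10))
    print("Problems with 'Summer2018!': ", check("Summer2018!"))
```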
3. Further network optimization
- Regularly check the router’s logs for unauthorized activity
By checking the router’s logs you can see whether any unauthorized devices have been using your network. Each router is different but here’s a guide generally describing the procedure. Set a calendar reminder to check on this periodically so you don’t forget.
- Use VPN on the router too so that all your devices go through it
Most VPN providers offer solutions for certain routers that support VPN. If your router is one of them, enable the VPN on it as well. This will allow all traffic from your home network to the outside world to be encrypted. But still keep the VPN on your computer that has Exodus installed as well, for a complete end-to-end encryption.
- Here are some more articles on how to secure and optimize your router.
4. Save your Backup Link offline
We typically don’t suggest this, but you’re a pro now, so you need pro protection. Here are the steps you should follow:
- Save the email in a folder on a flash drive
- Delete it from your email and empty its trash
- Encrypt the folder and use your password manager to create the password. Here are some guides on how to do that on Windows, MacOS, and Linux.
- Confirm that the file opens correctly.
- If the original (unencrypted) folder remains on your desktop or the flash drive, delete it and empty the recycle bin.
- Copy the encrypted folder onto a second flash drive in case one of them fails.
Keep in mind though that the email is most likely never truly deleted. Most email providers keep the deleted emails on their servers. But it will definitely add a level of difficulty to any attack attempt!
5. Encrypt your hard drive
Encrypting your hard drive will protect your data if it gets stolen or lost. Here’s how you can do that for all platforms. This password along with your password manager’s master password can and should be the only ones you’ll have to remember. However, keep in mind that encryption won’t protect your data once they’re decrypted, i.e. while you’re using your computer. For that reason:
- Have your computer lock after a few minutes of inactivity or when you close your laptop’s lid. It’s no use to encrypt your hard drive if your computer is always unlocked and available for anyone to access.
6. Install Metamask and EtherAddressLookup Chrome extensions
These extensions will warn you if you visit any malicious sites that they have blacklisted. MetaMask is available on other browsers as well, but keep in mind that they won’t warn you for sites that they don’t know about. You will need to remain diligent and not rely solely on these tools to warn you of all malicious sites.
7. More and more protection for your 12 words
You guessed it! 12 words again. They are so important that we’ll come back to them in Tier 4 too. In Tier 2 you created two paper copies of them, now it’s time to really protect them:
- Keep one copy in a fireproof safe hidden somewhere in your house and the other in a safety vault in the bank. Seriously.
- Instead of paper, use something like CryptoSteel: https://cryptosteel.com. It guarantees your 12 words are protected from the elements. You can get one for your hardware wallet too.
After these steps, you’re protected against 95% of attacks.
You’ve locked down everything, your passwords are unbelievably strong, encryption is your middle name and your 12 words are stored in metal for crying out loud! Yes, all you need is careful online activity and you’re solid. It will take some really bad luck or a coordinated attack to break down your defences. But you don’t want to leave anything to chance. 95% is not good enough for you. You want the ultimate protection for your funds. You want The Fort Knox. Cause you ain't kidding!
You’re here! At the top tier of wallet security. It’s certainly no easy feat so well done! But you’ve still got to actually implement "The Fort Knox", so there’s no time to twiddle our thumbs. Straight to action!
A word of caution: Some of the suggestions in this Tier require a level of technical expertise and familiarity with computers and networks, so make sure you fully understand the guides provided and know what you’re doing before implementing any of them.
1. Top level password management
As you’ve become more security conscious perhaps you’ve asked yourself this question already: “Is it safe that I use the password manager’s servers to sync my devices?” The answer is probably yes, but there’s no reason to put your trust and faith in that. You can save your passwords on your computer and sync them through your local network, so nothing leaves the safety of your home.
The instructions below are for 1Password. If you’re using another password manager please search for similar functionality on their sites.
- Create a local vault in your app (File > New Vault > New Standalone Vault...)
- Move all your items from your account vault to your local vault.
- Make your computer a WLAN server to sync your passwords with your iOS and Android devices.
- Make sure to sync all your mobile devices in that manner. That way you’ll have your passwords on all of them and they will also work as your backup in case your computer crashes.
In addition to the above make sure that you enable the following in your password manager’s settings:
- Anything you copy from your password manager is deleted from your clipboard after 1 minute tops.
- Your password manager is locked after a few minutes of computer inactivity.
2. Protect your 12-words
At this point, you can safely say that we are a broken record. But these final tips will help secure your passphrase to the maximum level and give you added peace of mind.
- Store them in your password manager. Make sure that they are hidden and you have to reveal them in order to see them.
- Store only 11 of them. Remove one from a random position. Make absolutely sure you remember both the word and the position! Do not use this tip unless you’re absolutely certain you’ll remember both word and position!
- Destroy any paper versions. Okay, you can probably keep the one in the security vault if you want.
3. Network fortification
Here comes the heavy artillery of network defences! With these tips, your local network will be virtually impenetrable. However, because these settings differ greatly between routers and VPN providers we can’t provide detailed instructions.
- Create different SSIDs on your router. SSID (Service Set IDentifier) is your network’s name basically and depending on your router you’ll be able to set up more than one:
  - One for your home devices
  - One for guests
  - One for your dedicated crypto computer (see below)
  - Each one of them should be isolated from the rest and have a strong, unique password.
  - You could add a time limitation on how long a device can stay logged in the guest network.
- Use OpenVPN protocol from your VPN provider with TOR network connections. Keep in mind, though, that VPN and TOR will significantly reduce your internet speed. In order to avoid that affecting your overall connection speed, TOR connections could be applied to the dedicated computer only (again, see below). Speed limitation isn’t a factor there.
4. Have a computer dedicated to Exodus
This is the quintessential protection method. A computer just for Exodus! Many people do this before many of the above steps. But we recommend it here, as the last step in protecting your crypto, because unless the proper security methods have been applied to everything else first, this measure is likely to provide only false protection. So here’s how to go about setting up that computer:
1. First, do a clean install of your OS. Do not do anything else before doing that!
2. This computer should have installed on it only:
  - A good firewall
  - A VPN
  - Your password manager that will have:
    - Your Exodus password
    - Login info for VPN and firewall
    - Your 12 (or 11) words for Exodus and your hardware wallet
To make sure that this information isn’t lost in case your computer crashes you should sync your passwords with a local folder and then save that folder on two flash drives. You can use the same flash drives that you used to store your Backup Link in Tier 3.
3. Keep the computer offline and turned off, and only connect it to send or receive funds, or to exchange assets within the wallet.
- No internet browsing or any other activity whatsoever! It’s called dedicated for a reason.
4. Keep your OS and your apps up to date!
After these steps, you’re 99.9% protected
Congratulations! You've done it! You’ve reached the pinnacle of protection. You’ve turned your computer into a digital Fort Knox. It will take an attack from ninja assassins to break through your defences now! Or some unsafe action, like exporting your Private Keys. So stay vigilant and keep the next section in mind in case you have to do such an action.
But before that, another round of applause and congratulations are in order, we believe. It was no easy task for sure and we all admire your perseverance!
Now you have both the freedom that comes with controlling your wealth and the peace of mind to enjoy it!
Things that you might do that can weaken your security and how to do them “safely”
After trekking up those four tiers, it’s hard to believe that there is more on the security to-do list. In this section, we’ll cover some safety practices to further strengthen the security measures you just put into place.
These tips are called “practices” because they require ongoing diligence. Much like you should apply sunscreen every day, you should also apply good computer security measures every day. In the long run, these habits could be your saving grace against scammers or prying eyes.
Keep in mind that the most important thing when maintaining security is to protect your private information. This means you’ll need to fiercely guard your private keys and 12-word phrase, and take extra care when engaging in risky business, such as:
- Claiming airdrops or forks
- Sending unsupported tokens
- Using some contracts, like EOS registration
Those three tasks will almost always require you to export and share your private key. As you know, sharing your private keys weakens your security profile, and should only be done if absolutely necessary. So, before you are seduced by the next up-and-coming airdrop or fork, take the time to learn and recognize the signs of a scam.
Things to keep in mind when asking questions about Exodus online:
- Exodus support will never ask you for your 12-word phrase, private keys, backup link, or password
- Exodus does not offer phone or video support.
- The only official channels of support are through email (firstname.lastname@example.org) and in our Slack channel:
You can also reach out to us through our social media presence on Twitter and Facebook, but these channels are mostly for general, easy-to-answer questions.
Common signs of a scam
- Someone or something asking for your 12-word phrase or private keys
- Anything that guarantees returns or profits, especially high ones. Bitconnect is a prime example.
- There are many ETH, BTC, LTC, etc. giveaways on Twitter that are always scams. Always double check Twitter handles and report scammers. Our official Twitter handle is @exodus_io.
  - We don't have a verified account yet (the ones with the blue tick mark) because one of the requirements is providing a phone number, which can easily be used as an attack vector.
- Avoid anything that says they will send you crypto once you send them a small payment of crypto. For example, there are many scam crypto faucets and cloud mining scams which ask for deposits before sending any payouts.
- If you aren’t sure about the legitimacy of a site or address, you can check them on these sites:
- As mentioned in Tier 3, install the MetaMask and EtherAddressLookup Chrome extensions to warn you if you visit any malicious site that they have blacklisted. MetaMask is available on other browsers as well, but bear in mind that these extensions won’t warn you about sites they don’t know about.
- Be sure to check out our article on How to Spot a Crypto Scam
Common phishing signs
- Emails or direct messages with multiple spelling and grammatical errors
- Emails or direct messages randomly sent to you offering a crypto giveaway
  - These will usually ask you to submit your private key or send a “deposit”
- Incorrect sender’s address. Always check the sender’s address domain to confirm it is the correct one. If it is not the correct address, do not reply, follow any links, or open any attachments. Simply delete it!
- Any well-known company asking for private information or claiming that your account will be blocked/turned off without any apparent reason.
If you do find yourself tempted by the promise of free coins, be sure to follow these guidelines to keep your current assets safe:
- Look before you leap! When you find a project you’re excited about, do your due diligence by researching it extensively.
- If you export your private key, delete it immediately after you use it!
  - You must delete it from your desktop and empty the recycling bin/trash.
  - You can also use a program that safely and permanently deletes files, like CleanMyMac for macOS.
  - IMPORTANT: Since version 1.57, Exodus shows the Private Keys instead of exporting them, which saves you the trouble of deleting them and prevents you from accidentally forgetting to do so!
- Move all of the funds out of your address before you enter your private key to claim any forks.
- Always make sure the site is legitimate before entering your private keys:
  - For known sites (like MyEtherWallet) always type the address manually or use your own bookmarks
    - Never follow links, even from search results
    - Check that the site address is exactly correct
    - Check for the security certificate
    - Use MetaMask to access MyEtherWallet. A benefit of MetaMask is that you only need to export your Private Key once.
    - Better yet! Use MetaMask’s own address for any unsupported tokens or MyEtherWallet related activity. Don’t send any unsupported tokens to Exodus, so you don’t have to export your ETH Private Key.
  - For unknown sites, like when you want to claim an airdrop:
    - Never follow links to those unless you have searched for them online and made sure they are legit
    - Any site that asks you for a Private Key or your 12 words to claim something or give you access to airdrops is potentially a scam.
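The advice above to check the sender’s address domain and to check that the site address is "exactly correct" comes down to an exact comparison against hosts you already trust. The following Python is an added example, not Exodus code; the function names, `BOOKMARKED_HOSTS` and `TRUSTED_MAIL_DOMAINS` are assumptions, and `support.example` is a placeholder for a support domain you have verified yourself.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed values: replace with your own bookmarks and the support
# domain you have verified yourself ("support.example" is a placeholder).
BOOKMARKED_HOSTS = {"www.myetherwallet.com"}
TRUSTED_MAIL_DOMAINS = {"support.example"}

def _lookalike(host):
    """True for non-ASCII or punycode labels, which can hide homoglyphs."""
    return not host.isascii() or any(
        label.startswith("xn--") for label in host.split("."))

def check_site(url, bookmarked=BOOKMARKED_HOSTS):
    """Return (ok, reason); ok only for an exact, bookmarked HTTPS host."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return False, "not https"
    if parts.username is not None or parts.password is not None:
        return False, "text before @ is not the host"
    host = (parts.hostname or "").rstrip(".")
    if _lookalike(host):
        return False, "internationalized lookalike risk"
    if host not in bookmarked:
        return False, "host is not one of your bookmarks"
    return True, "exact match"

def check_sender(from_header, trusted=TRUSTED_MAIL_DOMAINS):
    """Return (ok, reason) from the address itself, never the display name."""
    _display_name, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    if not domain:
        return False, "no sender address"
    if _lookalike(domain):
        return False, "internationalized lookalike risk"
    if domain not in trusted:
        return False, "sender domain is not trusted"
    return True, "exact match"

if __name__ == "__main__":
    for url in ("https://www.myetherwallet.com/",
                "https://www.myetherwallet.com.claim.example/",
                "https://www.myetherwallet.com@claim.example/",
                "https://www.myetherw\u0430llet.com/"):  # Cyrillic "a"
        print(check_site(url), url)
```

A passing check only confirms that the host matches your own list; it says nothing about a site or sender you have not already vetted.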
Practice safe forking, friends!