Crypto Wallets Part 4: Red Flags, Scam Prevention and How to Choose
Self-custody removes counter-party risk but does not eliminate all risk. It shifts the threat model: instead of worrying about an exchange failing, the primary risks become losing access to your own keys and being socially engineered into disclosing them. This final part covers how wallet attacks work in 2026, the warning signs to recognise, and a practical framework for choosing the right wallet. For the hardware wallet comparisons that inform the choices described below, see Part 1 (Ledger and Trezor), Part 2 (air-gap and alternative devices) and Part 3 (hot wallet pairing).
- Never share your seed phrase — there is no legitimate scenario that requires it
- Attackers in 2026 use legitimate email addresses and convincing replica sites
- Stop, Verify, Confirm: a three-step routine for suspicious requests
- Always buy hardware wallets directly from the manufacturer's official website
The one rule that covers most of it
Protecting your seed phrase
Never share your seed phrase or private key with anyone, under any circumstances. There is no legitimate scenario in which a wallet provider, exchange, support team or any other party needs your seed phrase. Your seed phrase is the master key to everything in that wallet. Anyone requesting it is attempting to steal your funds.
This rule covers the majority of hardware wallet and software wallet losses. Attackers create urgency, impersonate legitimate services and construct convincing scenarios to obtain seed phrases. The rule has no exceptions.
What this means
Seed phrase security is the final backstop for non-custodial wallet holders — no platform, no regulator, and no support team can recover access if a seed phrase is lost or compromised. This responsibility is absolute. This is context, not advice.
How attacks work
Real attack patterns in 2026
Attack methods have become more sophisticated but the underlying patterns are consistent. A BleepingComputer investigation found that attackers sent phishing emails using Trezor's legitimate support email address — the sender field appeared genuine because it was routed through a compromised support platform. The emails directed recipients to a convincing replica of the Trezor website, which requested seed phrase entry to verify the device. For a broader look at how clone-firm and Companies House scams operate in the UK crypto space, the FCA's guidance on clone firms and our dedicated scam anatomy guide cover the wider pattern.
The attack succeeded in some cases not because users were careless, but because the technical signals of legitimacy — the correct sender address, a professional-looking site — were present. This illustrates why verifying through independent channels matters even when communication appears genuine. Checking that a link goes to the correct domain, typed manually rather than clicked from an email, is a basic step that stops the majority of these attacks.
As the FCA develops custody standards under the FSMA framework, self-custody remains outside the regulatory perimeter — meaning holders bear full responsibility for their own key management with no consumer protections.
Warning signs
Consistent patterns across wallet and crypto scams
- Urgency and time pressure: Messages claiming an account will be closed, funds will be lost, or action must be taken within hours. Legitimate services do not operate with artificial urgency around your private keys or seed phrase.
- Guaranteed returns: Any promise of high, risk-free profit. No investment instrument generates guaranteed returns; any such claim should be treated as fraudulent.
- Requests to move to private channels: Asking a user to continue a conversation on Telegram, WhatsApp or another platform away from official support is a consistent pattern across social engineering attacks.
- Remote access requests: Any request to install TeamViewer, AnyDesk or equivalent software to help resolve an issue. Remote access to a device holding crypto credentials should be treated as an attempted theft regardless of the stated reason.
- Off-domain URLs: Ledger.com and ledger-support.com are different domains. Always type official URLs manually rather than following links from emails or messages. Verify the full address before entering any information.
- Unexpected approval prompts: DApps requesting unlimited token approvals, or presenting transaction signing requests that were not explicitly initiated by you. Reject and close the site immediately.
- Refusal to provide verifiable credentials: Legitimate support teams will provide official contact details and can be verified through independently sourced channels. Reluctance to be verified is a warning sign.
A practical approach
Stop, Verify, Confirm
Stop
Do not act immediately when a message or prompt creates urgency. Screenshot the communication and close any browser tabs or applications involved before doing anything else.
Verify
Look up the official support page for the service independently — type the domain manually, do not use any link from the suspect communication. Contact support through the official channel only.
Confirm
Review the transaction details on the hardware device screen before signing. If the details shown do not match what was intended, do not sign. If multiple warning signs are present, disengage entirely.
Making the right choice
Four factors that actually matter when choosing a wallet
Security versus convenience. Hardware wallets keep private keys offline and are the most secure option for significant holdings. Software wallets are more convenient for frequent transactions but are exposed to device-level threats. The established approach is to hold the majority of funds in cold storage and use a hot wallet for day-to-day activity, pairing the hot wallet with a hardware device where the wallet supports it.
Open source versus proprietary. Open-source firmware allows independent verification of what runs on the device. Proprietary firmware may carry higher security certifications but requires trusting the manufacturer's implementation. Trezor, BitBox02, Coldcard and Keystone all publish fully open-source code. Ledger uses proprietary firmware but undergoes external audits. The appropriate weight given to this distinction depends on individual risk tolerance and technical capacity to verify code.
Recovery model. Standard recovery phrases (12–24 words) provide complete independence from the device manufacturer but require secure physical storage — a fireproof location, separate from the device. A lost or destroyed phrase with no backup means permanent loss of access. MPC-based wallets such as Zengo remove the seed phrase but introduce reliance on the provider's servers for recovery. The right choice depends on how you assess physical security risk versus institutional risk.
Ecosystem fit. Bitcoin holders focused on cold storage will find Coldcard the most appropriate choice — its architecture is described in full in Part 2. Users active across multiple EVM chains will find Trezor or Ledger paired with MetaMask or Rabby better suited to their workflow — both are covered in Part 3. UK traders using Coinbase and Kraken as their primary exchanges will find the most friction-free experience using Coinbase Wallet or Exodus as the hot wallet layer, paired with a hardware device for larger holdings. A practical reference for how both exchanges operate for UK users is available in the Coinbase & Kraken UK guide.
Supply chain
Where to buy hardware wallets
Hardware wallets should always be purchased directly from the manufacturer's official website. Devices sold through second-hand markets, third-party online retailers or unofficial resellers carry a risk of physical tampering that cannot be detected without specialist equipment. The cost saving does not justify the risk.
When a device arrives, it should not have a pre-set PIN. If a PIN or seed phrase is already configured on an unboxed device, return it immediately — this is a tell-tale sign of tampering. During setup the device will generate a unique recovery phrase. This should be written down using the provided recovery sheets, stored securely, and never entered into any website or application at any subsequent point.
Market impact snapshot
Industry surveys consistently show that a significant proportion of UK crypto holders do not have a secure, offline backup of their seed phrase — representing substantial uninsured risk.