Beginners don't usually get caught by some brilliant scam — they get caught because the most basic lines of defense were never set up at all. The checklist below splits into three groups: account security, browsing and download habits, and funds and wallet habits. Tick each item; finished ones are remembered automatically. Get all 13 in place and most common scams simply can't get in.
- If you're new, work top to bottom in order, ticking each item as you finish it — the progress bar at the top follows along.
- Your tick state lives only in the browser on this device (localStorage); it isn't uploaded or recorded.
- Doing it once isn't the finish line — come back and re-check periodically, especially the wallet-approval items.
Why each item matters
A checklist isn't better for being longer. Each of these 13 items targets a category of scam that has really happened — and that often wipes people out the moment it does. Below, group by group, is what each one blocks. Understand the reasons and you'll actually do them, instead of ticking boxes mechanically.
Account security: lock down the account itself
Turn on authenticator 2FA. With a password alone, the moment it leaks on a fake site your account is wide open. The rotating code from an authenticator app (not SMS) is something a scammer can't grab — it's a second lock on the account. SMS codes can be SIM-swapped or relayed live on a fake site, so prefer an authenticator.
Set a withdrawal address whitelist. This is the most underrated line of defense: once on, withdrawals can only go to addresses you've added in advance, and adding a new one usually has a time lock. Even if a scammer gets into your account, they can't immediately send your coins to their own address — buying you time to notice and respond.
Use a unique, strong login password. Never reuse your exchange password for email or other sites. One leak shouldn't cascade into total loss. Pair it with a password manager to generate and store it — safer than keeping it in your head.
Clean out unfamiliar API keys and logged-in devices. Periodically check your account security page for unknown device sessions and suspicious API grants, and kick them out the moment you see them — these are often the earliest sign an account has already been breached.
Browsing and downloads: give fake sites and cloned apps no opening
Bookmark the official site and only enter from the bookmark. Confirm the official domain once, bookmark it, and from then on stop searching and stop clicking links other people send. This one habit blocks nearly every cloned fake site — because you never give yourself the chance to walk through the wrong door.
Install apps only from the official store / official site. Refuse any installer that isn't from the Apple App Store or the exchange's official download page. Cloned apps can look indistinguishable from the real thing, but as long as you don't install from a suspicious source, they can't reach you.
Don't click unfamiliar links or scan unfamiliar QR codes. Links and QR codes from DMs, groups, or posters hide their real address until you open them — and by the time it loads, you may already be on a fake site. Don't tap by default.
Be skeptical of any "opportunity that comes to you." If an "inside channel" or "limited-time event" is pushed to you in a DM by a support agent, mentor, or account manager, assume it's fake first, then verify. Genuine good opportunities don't chase down beginners.
Funds and wallets: protect your money and your private keys
Keep large holdings in a cold wallet. Don't pile coins you won't touch for a long time on an exchange or in a hot wallet. A cold (hardware) wallet keeps the private key offline, blocking the great majority of remote theft.
Check and revoke wallet approvals regularly. A lot of theft isn't stealing the private key — it's tricking you into signing an "approval" that lets a contract move your coins. Periodically using an approval-manager tool to check and revoke approvals you no longer need is the key habit for on-chain safety. See fake airdrops and wallet-approval drains.
Never tell anyone your private key or seed phrase, and never type it into any site. This is the uncrossable red line. Any support agent, "official," or event page asking for your seed phrase or private key is 100% a scammer. A real platform will never ask you for these.
When pushed, stop for 24 hours. Any transfer or approval that rushes you with "now, immediately, miss it and it's gone" — stop and sleep on it. Urgency is a scammer's core weapon, and calm verification is its antidote.
Don't fall for "guaranteed, steady, high returns." Promises of a few percent a day or steady doubling are almost always a Ponzi scheme or a pig-butchering scam. The more certain and the more outsized the return, the further away you should stay.
The one-line principle
Anti-scam safety isn't about talent — it's about getting the basic settings right once and locking a few habits in place. Run through this checklist once and your security level is already ahead of the great majority of beginners. Come back to re-check every so often, especially wallet approvals — they pile up slowly as you use more projects. For ongoing guidance, the FTC's cryptocurrency pages and FINRA's crypto-asset scam alerts are worth bookmarking too. If you're ever defrauded, report it to the FTC and to the FBI's IC3.
Pair it with the scam field guide for better results
This checklist answers "which settings and habits should I have," while the scam field guide answers "what does a scam look like, and how do I recognize it on the spot." Together: the checklist builds your static defenses, and the guide helps you spot a scam as it comes at you. After finishing the checklist, spend some time on the high-frequency entries in the guide — fake exchanges, pig butchering, and wallet-approval drains. Once you've seen what they look like, you'll react much faster in real life. When you can't tell what a specific situation is, you can also run the scam self-check.
The first line of defense on this list starts with picking the right official channel
No matter how well you set up account security, if your very first step lands you on a fake platform, it's all for nothing. If you're planning to start trading, go straight to a major, reputable exchange through its official channel, then turn on each of these settings one by one. OKX is one such mainstream exchange, and its official domain is okx.com.
Related reading
- The universal 7-step anti-scam framework — the routine to run on any "opportunity" first.
- Fake airdrops and wallet-approval drains — why "revoke approvals regularly" matters so much.
- Official domain checker — use it alongside "bookmark the official site."