Tips to Stay Safe in Web3
Beginner Lesson | 2 mins

10 Tips to Stay Safe in Web3

Courtesy of OpenSea

1. Use official support channels

We recommend only getting help on official channels, and if you do end up asking questions of the broader community, always be cautious. Soliciting help on social channels or Discord, where OpenSea does not provide official customer support, can also make you a target for scammers.

2. Never share your secret recovery phrase

It may sound obvious to all the crypto veterans out there, but you can never hear it enough. Your wallet’s secret recovery phrase is private to you and should never be shared, even with those you trust. Neither OpenSea nor SuperNormal is a wallet provider, and neither will ever ask for your wallet’s secret recovery phrase.

For details on the best way to keep your funds and tokens safe, head to your wallet provider’s website and browse the guides and tutorials.

3. Make sure your wallet app or extension is the official one

If you’re downloading a wallet browser extension, make sure to get your link directly from the provider’s website. When downloading an app, check the reviews and developer info to confirm you’re getting the right one, and not an imposter. If you’re unsure, there’s no harm in reaching out to the provider to clarify.

4. Never click on unknown or broken links

Stay vigilant when browsing websites and interacting with others on social media or Discord. Avoid clicking on ads, images, or links sent by strangers.

5. Never reuse passwords and use a password manager

We’ve all done it, but reusing the same password across multiple accounts makes you more vulnerable to account compromises. A password generator or manager like 1Password or LastPass can make life easier if you’re worried about getting lost in a web of special characters.

6. Use Two-Factor Authentication (2FA)

Enable two-factor authentication with apps like Google Authenticator and Authy, and avoid SMS 2FA where possible, since it can be vulnerable to attacks such as SIM swapping. You may also want to consider upgrading to a hardware-based 2FA device for extra security. Google Titan, Thetis, and Yubico are some of the options available.

7. Use a crypto hardware wallet

Using a hardware wallet adds another layer of security for your funds and NFTs. Many users tend to go with Ledger or Trezor.

For extra security, consider using an “air-gapped” computer with your hardware device. An air-gapped computer is one that has never been connected to the internet before.

However, like other hardware items, you need to make sure to keep your wallet secure and not lose it!

8. Limit smart contract approvals

If you are using MetaMask, make sure to frequently review the spending limit you grant when approving transactions. To do so, click “Edit on Permission” and customize the spend limit for each currency, rather than accepting an unlimited allowance by default.
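As an added example that is not part of the OpenSea lesson, the Python check below decodes the calldata of a standard ERC-20 `approve(address,uint256)` call and flags an unlimited spend limit before you sign; the function selector is the standard one, while the spender address and amounts are constructed sample values.

```python
# Added example (not OpenSea's or SuperNormal's code): decode an ERC-20
# approve() call and flag an "unlimited" allowance before signing.
# The spender address and amounts below are constructed sample values.
APPROVE_SELECTOR = "095ea7b3"      # keccak256("approve(address,uint256)")[:4]
UINT256_MAX = 2**256 - 1           # the value wallets show as "unlimited"

def decode_approve(calldata: str) -> dict:
    """Return the spender and amount encoded in approve(address,uint256) calldata.

    Raises ValueError for anything that is not a well-formed approve() call.
    """
    data = calldata[2:] if calldata.startswith("0x") else calldata
    if len(data) != 8 + 64 + 64:            # selector + two 32-byte ABI words
        raise ValueError("unexpected calldata length for approve()")
    if data[:8].lower() != APPROVE_SELECTOR:
        raise ValueError("not an approve(address,uint256) call")
    spender_word = data[8:72]
    amount_word = data[72:136]
    # An address is 20 bytes, left-padded with 12 zero bytes in ABI encoding.
    if spender_word[:24] != "0" * 24:
        raise ValueError("malformed address word")
    return {"spender": "0x" + spender_word[24:], "amount": int(amount_word, 16)}

def approval_risk(calldata: str, decimals: int = 18) -> str:
    """Summarise what an approve() call grants, highlighting unlimited allowances."""
    info = decode_approve(calldata)
    amount = info["amount"]
    if amount == UINT256_MAX:
        return f"UNLIMITED allowance to {info['spender']} - review before signing"
    if amount == 0:
        return f"revokes allowance for {info['spender']}"
    return f"allowance of {amount / 10**decimals:g} tokens to {info['spender']}"

# Constructed sample: approve(0x1111...1111, type(uint256).max)
SAMPLE_UNLIMITED = "0x095ea7b3" + "0" * 24 + "11" * 20 + "f" * 64
# Constructed sample: approve(0x1111...1111, 5 * 10**18), i.e. 5 whole tokens
SAMPLE_LIMITED = "0x095ea7b3" + "0" * 24 + "11" * 20 + format(5 * 10**18, "064x")

if __name__ == "__main__":
    print(approval_risk(SAMPLE_UNLIMITED))
    print(approval_risk(SAMPLE_LIMITED))
```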

9. Avoid downloading files from strangers

It’s best not to interact with files or QR codes sent by strangers. Attachments of all formats, including PDFs, have been known to carry malware.

10. Email safety

It’s important to be vigilant about email safety, too.

  • Be cautious of phishing emails from addresses trying to impersonate OpenSea. OpenSea will ONLY send you emails from the domain ‘’. Please do not engage with any email claiming to be from OpenSea that does not come from this email domain.
  • Never download anything from an OpenSea email. Authentic OpenSea emails do not include attachments or requests to download anything.
  • Check the URL of any page linked in an OpenSea email. We will only include hyperlinks to ‘’ URLs. Make sure that ‘’ is spelled correctly, as it’s common for malicious actors to impersonate URLs by shuffling letters.
  • NEVER share or confirm your passwords or secret wallet phrases. OpenSea will never prompt you to do this in any format, including email.
  • NEVER sign a wallet transaction prompted directly from an email. OpenSea emails will never contain links which directly prompt you to sign a wallet transaction. If you were led to a page by email, never sign a wallet transaction whose prompt does not list the expected origin.