Verify Before You Sign
The transaction is the truth — not the website.
Most drains happen the moment you click "Confirm." A polished website can ask you to sign something completely different from what it claims. Before you approve anything, check what you're actually signing.
Insist on readable transactions
Good wallets translate a transaction into plain language ("send 50 USDC to 0x123…"). If your wallet only shows an unreadable string of characters and asks you to "blind sign," treat that as a red flag and stop.
Your hardware wallet screen is the final word
Malware can change what your computer or phone displays. The screen on your hardware device can't be faked the same way. If the details on your computer don't exactly match the device screen, reject the transaction.
Check the recipient, amount, and network
Confirm the destination address (not just the first and last few characters), the token and exact amount, and that you're on the chain you expect.
Verify the contract and the site
Make sure the contract you're interacting with matches the official one (check the project's docs or a block explorer like Etherscan), and that the URL is the real site.
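The checks above (readable calldata instead of a blind signature, full recipient match, exact amount, expected network, official contract) in one place, as an added Python example that is not code from the original page. The ERC-20 selectors are the standard ones; the token contract, addresses, amounts and chain id are constructed sample values.

```python
# Added example (not from the original page): decode ERC-20 calldata into plain
# language and run the page's checks. Addresses, amounts and chain id are constructed.
from decimal import Decimal

TRANSFER = "a9059cbb"  # first 4 bytes of keccak256("transfer(address,uint256)")
APPROVE = "095ea7b3"   # first 4 bytes of keccak256("approve(address,uint256)")
MAX_UINT256 = 2**256 - 1  # the "unlimited" allowance value

def encode_call(selector: str, addr: str, amount: int) -> str:  # builds sample calldata
    return "0x" + selector + addr[2:].lower().rjust(64, "0") + f"{amount:064x}"

def decode_erc20(data: str, decimals: int, symbol: str):
    """(recipient, amount, readable text) for transfer/approve, else None (blind sign)."""
    h = data.lower().removeprefix("0x")
    if len(h) != 8 + 64 + 64 or h[8:32] != "0" * 24:  # address word must be zero-padded
        return None
    selector, recipient, amount = h[:8], "0x" + h[32:72], int(h[72:136], 16)
    human = "UNLIMITED" if amount == MAX_UINT256 else f"{Decimal(amount) / 10**decimals}"
    if selector == TRANSFER:
        return recipient, amount, f"send {human} {symbol} to {recipient}"
    if selector == APPROVE:
        return recipient, amount, f"allow {recipient} to spend {human} {symbol}"
    return None

def check_tx(tx: dict, chain_id: int, contract: str, recipient: str, amount: int,
             decimals: int = 6, symbol: str = "USDC") -> list[str]:
    """Every reason to reject tx; an empty list means all checks passed."""
    problems = []
    if tx["chain_id"] != chain_id:
        problems.append(f"wrong network: chain id {tx['chain_id']}, expected {chain_id}")
    if tx["to"].lower() != contract.lower():
        problems.append(f"contract {tx['to']} is not the official {contract}")
    decoded = decode_erc20(tx["data"], decimals, symbol)
    if decoded is None:
        return problems + ["unreadable calldata: approving this is blind signing, stop"]
    got_to, got_amount, text = decoded
    if got_to.lower() != recipient.lower():
        # a glance at only the first/last characters would miss this (address poisoning)
        lookalike = (got_to[:6] + got_to[-4:]).lower() == (recipient[:6] + recipient[-4:]).lower()
        problems.append(f"recipient {got_to} != {recipient}" + (" (lookalike!)" if lookalike else ""))
    if got_amount != amount:
        problems.append(f"amount mismatch, the transaction actually reads: '{text}'")
    return problems

if __name__ == "__main__":
    token = "0xaaaa" + "0" * 35 + "1"        # constructed token contract address
    good = "0x1234" + "0" * 32 + "5678"      # constructed intended recipient
    fake = "0x1234" + "f" * 32 + "5678"      # same first/last characters, different middle
    tx = {"chain_id": 1, "to": token, "data": encode_call(APPROVE, fake, MAX_UINT256)}
    print(check_tx(tx, 1, token, good, 50_000_000))  # you meant to send 50 USDC to good
```

Run as-is it prints the two reasons to reject the sample approval: the recipient is a lookalike of the intended one, and the amount is an unlimited allowance rather than 50 USDC.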
Simulate — but stay skeptical
Tools like Rabby and Tenderly preview what a transaction will actually do before you sign. They're a great safety net, but a sophisticated scam can spoof a simulation too, so don't switch your brain off.