Use a cold hardware wallet for long-term funds, keep your seed phrase offline in durable form, add a BIP39 passphrase or multisig/social recovery, and practice DeFi hygiene by reviewing approvals and avoiding blind signing. Turn on phishing-resistant MFA (security keys/passkeys) on your email, exchange, and password manager, and keep devices patched.
1) Custody choices: self-custody vs. custodial accounts
Self-custody means you hold the private keys; a custodian holds them on your behalf. Understand that U.S. deposit insurance does not cover crypto assets held at non-banks, and protections differ from bank deposits. Read official disclosures and risk policies before entrusting a custodian.
2) Hot vs. cold storage: build a two-tier setup
Hot wallets are connected to the internet and convenient for daily use but more exposed to attacks; cold wallets keep keys offline and are better for vault storage. Many users combine both: small operational balances in hot wallets, savings in cold.
3) Hardware wallets: authenticity and setup
Buy directly from the manufacturer or an authorized seller and complete the device’s built-in authenticity checks. Some vendors don’t rely on tamper seals; instead, they verify firmware signatures during setup and on each connection. Follow your device’s “genuine check” instructions and keep firmware current.
4) Backups done right: seed phrases, metal, and passphrases
Never store your seed phrase digitally, in cloud drives, screenshots, or password managers. Keep it offline and protected against fire and water; metal backups are a durable option. If supported, add a passphrase (sometimes called the “25th word”) to protect your wallet even if the seed is exposed.
If you need resilience against theft and loss, consider Shamir backup (SLIP-39), which splits a secret into multiple shares that require a threshold to recover. Store shares in separate secure locations.
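As an added illustration of the threshold idea behind Shamir backup (this is example code written for this guide, not SLIP-39 or any vendor's implementation): the secret becomes the constant term of a random polynomial, each share is one point on it, and any threshold-many points recover the constant by Lagrange interpolation. Real SLIP-39 works in GF(256), encodes shares as word lists with checksums, and supports grouped shares; this simplified version uses a large prime field and raw integers so the arithmetic is visible. The seed bytes in the demo are constructed random sample data, not a wallet seed.

```python
"""Simplified Shamir secret sharing over a prime field (teaching example, not SLIP-39)."""
import secrets

# Mersenne prime 2^521 - 1: comfortably holds a 256-bit seed entropy value.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of c0 + c1*x + c2*x^2 + ... (mod PRIME)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret: int, threshold: int, share_count: int):
    """Split `secret` into `share_count` (x, y) points on a random polynomial of
    degree threshold-1 whose constant term is the secret. Any `threshold`
    points reconstruct it; fewer leave every value of the secret equally likely."""
    if not 1 <= threshold <= share_count:
        raise ValueError("need 1 <= threshold <= share_count")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must fit in the field")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the given (x, y) points."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def split_seed(seed: bytes, threshold: int, share_count: int):
    """Convenience wrapper: treat raw seed entropy bytes as the integer secret."""
    return split_secret(int.from_bytes(seed, "big"), threshold, share_count)


def recover_seed(shares, seed_len: int) -> bytes:
    """Inverse of split_seed; seed_len is the original byte length."""
    return recover_secret(shares).to_bytes(seed_len, "big")


if __name__ == "__main__":
    # Constructed sample: 32 random bytes standing in for seed entropy.
    seed = secrets.token_bytes(32)
    shares = split_seed(seed, 3, 5)                 # a 3-of-5 split
    print(recover_seed(shares[1:4], 32) == seed)    # any three shares suffice
```

Storing shares in separate locations only helps if each location holds fewer than the threshold; two shares of a 3-of-5 split reveal nothing, which is exactly what the interpolation check below demonstrates.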
5) Multi-key security: multisig and social recovery
Multisig requires M-of-N signatures to move funds, reducing single-key failure risk for both Bitcoin and smart-contract wallets. On Ethereum, smart-contract wallets such as Safe let you set owner lists and signature thresholds; newer account-abstraction designs add social recovery and programmable spend rules.
6) DeFi hygiene: approvals, allowances, and revocations
ERC-20/NFT approvals let contracts spend tokens on your behalf; scammers often exploit old or unlimited allowances. Regularly review and revoke unused approvals using reputable tools or block explorers; revoking is an on-chain transaction and costs gas.
Address-poisoning scams drop look-alike addresses into your history to trick you into pasting the wrong one. Always verify the full address or use ENS/verified contacts rather than copying from recent activity.
7) Safer signing: avoid blind signing and prefer human-readable requests
Blind signing means authorizing a transaction without seeing its full details. Prefer EIP-712 “typed data” signing, which shows structured, human-readable fields in wallet prompts; enable clear-signing features on hardware when available, and carefully inspect contract addresses and function names before approving.
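The approval review in section 6 and the "read before you sign" advice above come down to one skill: turning raw calldata into the spender and amount a wallet prompt should show. The following is an added example for this guide, not code from any wallet or tool. It decodes the two standard approval calls by their well-known 4-byte selectors, flags an unlimited allowance (2^256-1), builds the approve(spender, 0) revocation, and lists stale allowances from explorer-style rows. The spender addresses are constructed sample values.

```python
"""Decode approval calldata into human-readable fields and flag risky allowances."""
UINT256_MAX = 2**256 - 1

# Standard 4-byte selectors (first four bytes of keccak256 of the signature).
APPROVE = "095ea7b3"                 # approve(address,uint256)         ERC-20
SET_APPROVAL_FOR_ALL = "a22cb465"    # setApprovalForAll(address,bool)  ERC-721 / ERC-1155
NAMES = {APPROVE: "approve(address,uint256)",
         SET_APPROVAL_FOR_ALL: "setApprovalForAll(address,bool)"}


def _address(word: bytes) -> str:
    """An address occupies the low 20 bytes of a 32-byte ABI word."""
    return "0x" + word[12:].hex()


def decode_approval(calldata: str) -> dict:
    """Return the fields a clear-signing prompt would display, plus a verdict."""
    data = bytes.fromhex(calldata.removeprefix("0x"))
    selector = data[:4].hex()
    if selector not in NAMES:
        # Unknown function: only an opaque hash would be shown, so do not sign blind.
        return {"function": None, "selector": selector,
                "verdict": "UNKNOWN function: do not blind-sign"}
    args = data[4:]
    if len(args) != 64:
        raise ValueError("expected two 32-byte ABI words")
    spender = _address(args[:32])
    value = int.from_bytes(args[32:], "big")
    if selector == APPROVE:
        unlimited = value == UINT256_MAX
        return {"function": "approve", "spender": spender, "amount": value,
                "unlimited": unlimited,
                "verdict": "RISK: unlimited allowance" if unlimited else "ok: limited allowance"}
    approved = value == 1   # ABI bool is a 32-byte word holding 0 or 1
    return {"function": "setApprovalForAll", "operator": spender, "approved": approved,
            "verdict": "RISK: operator may move every token" if approved else "ok: operator revoked"}


def encode_approve(spender: str, amount: int) -> str:
    """Build approve(spender, amount) calldata; amount 0 is the on-chain revocation."""
    sp = bytes.fromhex(spender.removeprefix("0x"))
    if len(sp) != 20 or not 0 <= amount <= UINT256_MAX:
        raise ValueError("bad spender or amount")
    return "0x" + APPROVE + sp.rjust(32, b"\0").hex() + amount.to_bytes(32, "big").hex()


def stale_allowances(allowances, trusted):
    """From (token, spender, amount) rows as an explorer would list them, return
    the ones worth revoking: unlimited, or granted to a spender you no longer trust."""
    trusted = {t.lower() for t in trusted}
    return [(tok, sp, amt) for tok, sp, amt in allowances
            if amt > 0 and (amt == UINT256_MAX or sp.lower() not in trusted)]


if __name__ == "__main__":
    dapp = "0x1111111111111111111111111111111111111111"   # constructed sample spender
    print(decode_approval(encode_approve(dapp, UINT256_MAX))["verdict"])
    print(decode_approval(encode_approve(dapp, 0))["verdict"])   # the revocation
```

Each revocation is itself an approve call with amount 0, which is why it costs gas; batching a monthly review keeps that cost predictable.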
8) Lock down your accounts: MFA, passkeys, and SIM-swap defenses
Turn on phishing-resistant MFA (FIDO2/WebAuthn security keys or platform passkeys) for your email, exchange, and password manager. Standards bodies note that manually entered OTPs (including SMS) are not verifier-impersonation resistant, and agencies promote phishing-resistant MFA. Use app-based or hardware factors over SMS whenever possible.
Protect against SIM-swap by setting carrier PINs, limiting personal info exposure, and moving critical logins to passkeys or hardware keys.
9) Device and browser hygiene: updates and safer browsing
Keep your phone and computer patched; today’s mobile updates routinely fix actively exploited bugs. Use a separate browser profile for wallet extensions, disable unnecessary extensions, and avoid scanning unsolicited QR codes, which are increasingly used for “quishing” attacks that lead to phishing or malware.
10) Privacy basics: limit address reuse and watch out for poisoned history
Using a new address for each incoming payment improves on-chain privacy and reduces the chance that counterparties can link all your activity. Because poisoning attacks plant look-alike entries in your transaction history, don't copy a recipient address from past activity; take it from your verified contacts instead.
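Address poisoning (sections 6 and 10) works because wallets display only the first and last few characters of an address. The check below, an added example written for this guide rather than any wallet's feature, compares a pasted address against a verified address book and flags entries whose visible ends match a trusted contact but whose middle differs. The address book and history rows are constructed sample data.

```python
"""Flag look-alike recipient addresses before a transaction is signed."""
import re

ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Constructed sample address book (not real contacts).
ADDRESS_BOOK = {
    "exchange deposit": "0x12345678" + "a" * 28 + "9abc",
    "cold vault":       "0xfedcba98" + "c" * 28 + "7654",
}


def normalize(address: str) -> str:
    """Reject anything that is not a 20-byte hex address; compare case-insensitively."""
    address = address.strip()
    if not ADDRESS_RE.match(address):
        raise ValueError(f"not a 20-byte hex address: {address!r}")
    return address.lower()


def is_lookalike(candidate: str, known: str, prefix: int = 4, suffix: int = 4) -> bool:
    """True when the visible ends match but the address differs in the middle,
    the part a truncated display such as 0x1234...9abc never shows."""
    c, k = normalize(candidate), normalize(known)
    if c == k:
        return False
    return c[2:2 + prefix] == k[2:2 + prefix] and c[-suffix:] == k[-suffix:]


def check_recipient(candidate: str, address_book: dict) -> tuple:
    """Classify a pasted address: exact match, look-alike of a contact, or unknown."""
    c = normalize(candidate)
    for name, known in address_book.items():
        if c == normalize(known):
            return ("trusted", name)
    for name, known in address_book.items():
        if is_lookalike(c, known):
            return ("POISON_SUSPECT", name)
    return ("unknown", None)


def audit_history(history, address_book: dict):
    """Scan (txid, counterparty) rows from recent activity; return the suspect ones."""
    suspects = []
    for txid, addr in history:
        verdict, name = check_recipient(addr, address_book)
        if verdict == "POISON_SUSPECT":
            suspects.append((txid, addr, name))
    return suspects


if __name__ == "__main__":
    # Constructed history: a genuine deposit followed by a poisoned dust transfer.
    history = [("tx1", ADDRESS_BOOK["exchange deposit"]),
               ("tx2", "0x12345678" + "b" * 28 + "9abc")]
    for txid, addr, name in audit_history(history, ADDRESS_BOOK):
        print(f"{txid}: {addr} looks like '{name}' but is not it")
```

The classifier treats "unknown" and "POISON_SUSPECT" differently on purpose: an unfamiliar address may simply be a new counterparty, while a near-match to a saved contact is the signature of a poisoning attempt and deserves a full character-by-character comparison.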
11) Travel and daily-use tips
When moving funds on the go, prefer a small “travel” wallet with minimal balances and pre-whitelisted recipients if your wallet supports it. Keep your vault keys at home, and never type or read your seed phrase in public places with cameras. Vendor guidance emphasizes keeping recovery data offline and out of view.
12) Incident response: a checklist if something goes wrong
If you signed a malicious approval or interacted with a phishing site, immediately revoke approvals on affected chains, move remaining assets to a fresh wallet, and rotate any passwords to accounts tied to your wallet. Guides explain how these scams typically occur and the steps to mitigate impact.
Quick setup blueprint you can follow today
- Choose custody: decide what stays in self-custody vs. with a regulated custodian, noting insurance differences.
- Create tiers: hot wallet for small spends; cold hardware wallet for savings.
- Backups: write your seed offline, add a passphrase, consider metal or SLIP-39 shares.
- Multisig/social recovery: set an M-of-N or guardians for high-value accounts.
- DeFi hygiene: audit approvals monthly and prefer EIP-712 clear signing.
- Account hardening: enable FIDO2/passkeys on email, exchange, and password manager.
- Patch devices and beware QR codes.