1. Get a Ledger or TREZOR hardware wallet. These hardware wallets are one of the easiest and safest ways to store your Bitcoins, Ethereum, Litecoins and many others. Don’t trust your coins and private keys to software wallets or online services. Best of all, both cost less than $75.
If you don’t want to spend the little bit for one of these hardware wallets to secure your coins, at least consider using cold storage for the bulk of your savings. You’ll thank me.
2. Bookmark your crypto sites. Only use those bookmarks to access the sites.
3. Always be vigilant about potential phishing ploys. Thieves in the crypto world are becoming increasingly savvy and developing ingenious new ways to trick you and empty your wallet. Always remain vigilant when visiting ANY site connected to cryptocurrencies, especially if the site is asking for your private keys or if you need to log into that website.
4. Always use your wallet offline. This is automatic if you’ve gotten one of the hardware wallets, but some software wallets (like Armory for Bitcoin and MyEtherWallet for Ether) can also be used offline. Just get used to doing it always.
5. Never trust a URL or message you receive via private messaging apps, even if you think you know who’s sending the message. Always verify with the sender via voice or in person.
6. The same goes for email. Don’t ever click a link in an email that pertains to anything crypto, banking, money or any shared storage such as Google Drive/Dropbox, etc. If you simply can’t resist and end up clicking the scammy clickbait, please don’t enter ANY information on the resulting page. And don’t EVER enter your private keys, passwords, or any personally sensitive information on any website that was sent to you via email.
7. Turn on 2FA for everything you can. Don’t wait, just go do it. Immediately. I’ll wait right here. Google Authenticator is a better choice for this than Authy. If you bought one of the hardware wallets above, they can also be used as 2FA devices. Also, do not use your phone number for 2FA, and make sure your phone number is NOT tied to your Google account. You can change this in your privacy settings if you’ve already added your phone number to your Google account. You may not know it, but it has become increasingly common for hackers to target phone numbers. Once they take control of your phone number (not so hard, as it turns out), they can use it to recover access to your Google account and completely bypass any 2FA you’ve set up. Also, please be sure to keep the recovery words and phrases for all your 2FA’d accounts in cold storage. If your entire life is 2FA’d and your phone is lost or destroyed, your life will be hell trying to recover your accounts.
8. For ICOs, token sales and airdrops, do not trust any URL/address except the one that is posted on the official site. You should bookmark the URL before the sale/airdrop begins and use your bookmark to purchase tokens. Never trust a link from another source like Slack, Reddit, etc.
9. Double check all URLs. Seriously. Check it and then check it again. This is especially crucial for any site that requires a password, username, your private keys, an email address, or any other personal information. Don’t think that because the site has an SSL certificate it is secure or safe. Anyone can buy an SSL certificate and install it on their site. If you don’t know what the correct URL is, use Discord, Slack, Reddit, Twitter or wherever else the project hangs out to verify the correct URL. And triple check any GitHub URLs, because they are much easier to fake and it’s much easier to miss a fake GitHub URL. Rather than downloading something from that random link on Twitter, do your own research to find the correct download URL. Following the developers on Twitter or starring the repos on GitHub are good ways to make sure you’re getting to the right URL.
10. Always verify that the site you’re on is legit. Starting to see a trend here regarding URLs? Seriously, if you’re about to download something or expose your private keys you better be sure that you’re on a legit site. How do you know if it’s legit? Any service that’s been used by many people for a decent period of time can be considered legit. If it’s a domain that was registered earlier this month, a service that has just launched, or you can’t find any additional information about it you should probably give it a pass for a while.
11. Google the service name + “scam” or “reviews”. Any scam site won’t last long, but it can last long enough to rip you off. It soon becomes evident that a site is a scam and a search should bring you a number of sites with comments from real people about how they were robbed. Also watch out if there is no information or reviews about the site (could be a new scam), or if all the reviews seem far too perfect (could also be a new site + social engineering).
12. Don’t ever run remote-access software on your computer (e.g. TeamViewer/LogMeIn). Running remote access software is never a good idea, but it’s an especially bad idea to run on a computer that has your private keys on it. Aside from giving someone complete access to your system, the number of security holes in any of these programs is horrendous. Why would you 2FA everything and then hand over access to your entire computer, all your accounts and your private keys?
13. Don’t use brain wallets that allow you to choose your recovery seed. Human brains are not capable of creating high-entropy seeds and you’re just asking for some hacker to come along and bruteforce your wallet, walking away with all your Bitcoin or other tokens.
14. If you have accidentally visited or typed a malicious site, clean out your recent history and autocomplete. This will prevent you from typing kra… and having it autocomplete to the malicious krakken.com.
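The URL checks that items 8, 9, 10 and 14 above describe (compare against your own bookmarks, distrust lookalikes such as krakken.com, be wary of unfamiliar domains), as an added example that is not part of the original post. The bookmark allowlist and the punycode host in the comments are constructed placeholders, and the check never contacts the network.

```python
import urllib.parse

# Constructed allowlist standing in for the user's own bookmarks (placeholders).
BOOKMARKED_HOSTS = {"kraken.com", "myetherwallet.com", "github.com"}


def levenshtein(a, b):
    """Edit distance; a small non-zero distance to a bookmark suggests a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url, bookmarks=BOOKMARKED_HOSTS):
    """Return (verdict, reason) for a URL before any credentials or keys are typed.

    Verdicts: 'ok' (bookmarked, https), 'warn' (bookmarked but not https),
    'idn' (punycode/non-ASCII host, possible homograph), 'typosquat'
    (within two edits of a bookmark), 'unknown' (not bookmarked at all).
    """
    parts = urllib.parse.urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "unknown", "could not parse a host from the URL"
    # Exact bookmark or a subdomain of one (www.kraken.com), never a mere suffix.
    if host in bookmarks or any(host.endswith("." + b) for b in bookmarks):
        if parts.scheme.lower() != "https":
            return "warn", f"{host} is bookmarked but the URL is not https"
        return "ok", f"{host} matches a bookmark"
    # Browsers show IDN hosts as xn-- labels; a pasted Unicode host is flagged too.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return "idn", f"{host} is an IDN host, possible homograph of a real site"
    # Compare the registrable part (last two labels) against every bookmark.
    base = ".".join(host.split(".")[-2:])
    for b in bookmarks:
        d = levenshtein(base, b)
        if 0 < d <= 2:
            return "typosquat", f"{host} is {d} edit(s) away from bookmarked {b}"
    return "unknown", f"{host} is not bookmarked; verify it before entering anything"
```

Run it on a link before logging in: a "typosquat" or "idn" verdict is the cue to close the tab and use the bookmark instead.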
15. No one is giving you any significant quantity of free or discounted Bitcoin, Ether, or any other coins. Yes you can get a small bit from faucets, but beware of any site that offers you a significant amount of free coins. This includes airdrops. These can be legit, but they can also be a way for a scammer to install malware on your machine along with their custom wallet. Be wary of any site that is giving away coins.
16. The guys who just finished their token sale don’t want to sell you discounted tokens via Slack DM. Neither does that smokin’ hot 125x125px avatar. Nor does anyone on Reddit, LinkedIn, Facebook, Twitter, or any forum.
17. ONLY unlock your wallet or put it online when you want to send a transaction. Otherwise check your balances offline.
18. Finally – use your brain. Just think about what you’re doing. Never assume something is safe or secure. Ask questions, and if something doesn’t seem right, get out of there. It isn’t likely you’re the lucky one to stumble upon the opportunity of a lifetime. If you haven’t heard of some GREAT new thing, chances are there’s a reason.