USDC security best practices
Protect your USDC from phishing, scams, and common mistakes. Practical security tips for every level.
Most crypto losses are preventable
The majority of people who lose crypto don't lose it to hackers exploiting sophisticated vulnerabilities. They lose it to phishing emails, fake websites, and social engineering. The good news: these attacks are predictable and easy to avoid once you know what to look for.
This guide covers the most common threats and practical steps to protect your USDC at every level.
Protect your exchange account
If you hold USDC on Coinbase or another exchange, your exchange account is the front door to your funds.
Enable two-factor authentication (2FA). Use an authenticator app (Google Authenticator, Authy) rather than SMS. SIM-swap attacks can intercept text messages, but they can't access your authenticator app.
Use a unique, strong password. Don't reuse passwords from other sites. A password manager like 1Password or Bitwarden makes this painless.
Beware of phishing emails. Coinbase will never ask you to "verify your account" by clicking a link in an email. If you get an urgent email about your account, go directly to coinbase.com by typing it in your browser. Don't click the email link.
Protect your self-custody wallet
If you hold USDC in MetaMask, Coinbase Wallet, or a hardware wallet, your seed phrase (recovery phrase) is everything.
Write your seed phrase on paper. Not in a notes app, not in a screenshot, not in cloud storage. Paper, stored in a physically secure location.
Never share your seed phrase with anyone. No legitimate service, support agent, or website will ever ask for it. Anyone who asks is trying to steal your funds. There are zero exceptions to this rule.
Consider a hardware wallet for large amounts. A Ledger or Trezor keeps your keys offline, which means even if your computer is compromised, your keys are safe. Our wallet comparison guide covers the options.
Recognizing scams
Fake support accounts on social media. If you post about a crypto problem on Twitter or Discord, you'll get DMs from accounts pretending to be official support. They'll ask you to "connect your wallet" to a website or share your seed phrase. Block and report them.
Fake websites. Scammers create convincing copies of real websites (like coinbase-verify.com instead of coinbase.com). Always check the URL carefully. Bookmark the real sites you use.
Too-good-to-be-true yield offers. If someone promises 50% APY on USDC with "no risk," it's a scam. Legitimate yields on USDC range from 3-15% depending on the method and risk level.
Airdrop scams. Random tokens appearing in your wallet that ask you to visit a website to "claim" them are almost always phishing attempts. Don't interact with tokens you didn't buy or expect to receive.
Safe transaction habits
Always double-check addresses before sending. Verify the first 4 and last 4 characters match what you intended. Some malware replaces copied addresses with the attacker's address.
Send a small test transaction first when sending to a new address. The cost of one extra transaction ($0.01 on Base) is nothing compared to sending your entire balance to the wrong place.
Don't sign transactions you don't understand. If a DeFi app asks you to approve an "unlimited" token allowance, be cautious. Set specific allowance amounts when possible.
Review what you're approving. When connecting your wallet to a new site, read the permission request. Legitimate DeFi apps ask for specific, limited permissions. Malicious sites ask for broad access to your tokens.
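The allowance check described above, as an added example that is not part of the original guide or of any wallet's code: it decodes the calldata of an ERC-20 `approve(spender, amount)` call so the requested allowance is visible before signing. The spender address, the sample calldata, and the function names are constructed for illustration; the intended amount is assumed to be a whole number of USDC.

```javascript
// Added example: inspect ERC-20 approve() calldata before signing it.
const APPROVE_SELECTOR = "095ea7b3"; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n; // the value wallets display as "unlimited"
const USDC_DECIMALS = 6n; // USDC amounts are expressed in 10^-6 units

// Returns { spender, amount } for an approve call, or null for any other call.
function decodeApprove(calldata) {
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]*$/.test(hex)) throw new Error("calldata is not hex");
  if (hex.slice(0, 8) !== APPROVE_SELECTOR) return null;
  if (hex.length !== 8 + 64 + 64) throw new Error("malformed approve calldata");
  const spenderWord = hex.slice(8, 72);
  // An address is right-aligned in its 32-byte word; the upper 12 bytes must be zero.
  if (!/^0{24}/.test(spenderWord)) throw new Error("non-zero address padding");
  return {
    spender: "0x" + spenderWord.slice(24),
    amount: BigInt("0x" + hex.slice(72, 136)),
  };
}

// Compares the requested allowance with what the user means to spend (whole USDC).
function reviewApproval(calldata, intendedUsdc) {
  const call = decodeApprove(calldata);
  if (call === null) return { verdict: "not-approve" };
  const intended = BigInt(intendedUsdc) * 10n ** USDC_DECIMALS;
  let verdict;
  if (call.amount === 0n) verdict = "revoke"; // zero allowance removes access
  else if (call.amount === MAX_UINT256) verdict = "unlimited";
  else if (call.amount > intended) verdict = "exceeds-intended";
  else verdict = "ok";
  return { verdict, spender: call.spender, amountBaseUnits: call.amount };
}

// Constructed sample inputs (the spender is a placeholder, not a real contract).
const SPENDER = "1111111111111111111111111111111111111111";
const word = (n) => n.toString(16).padStart(64, "0");
const sampleUnlimited =
  "0x" + APPROVE_SELECTOR + SPENDER.padStart(64, "0") + word(MAX_UINT256);
const sampleExact =
  "0x" + APPROVE_SELECTOR + SPENDER.padStart(64, "0") + word(250n * 10n ** USDC_DECIMALS);

console.log(reviewApproval(sampleUnlimited, 250).verdict);
console.log(reviewApproval(sampleExact, 250).verdict);
```

The decoded spender should also be compared against the contract address published by the app you intended to use.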
What to do if you're compromised
If you think your exchange account is compromised, change your password immediately, enable 2FA if it's not already on, and contact the exchange's official support. Most exchanges can freeze your account while you investigate.
If you think your wallet seed phrase is compromised, create a new wallet immediately and transfer all funds from the old wallet to the new one. Do this as fast as possible. Don't reuse the compromised seed phrase.
If you've sent funds to a scammer, the honest truth is that on-chain transactions are irreversible. You can report the incident to the FBI's IC3 (ic3.gov) or your local authorities, and to the platform where the scam occurred. But recovery is unlikely for direct on-chain transfers.
Security checklist
Run through this checklist to make sure your setup is solid:
1. Exchange account has 2FA via authenticator app (not SMS)
2. Unique, strong password for exchange account
3. Seed phrase written on paper, stored securely, never digitized
4. Seed phrase not shared with anyone, ever
5. Real website URLs bookmarked in browser
6. Hardware wallet for amounts over $1,000
7. Small test transactions before large transfers
8. Suspicious DMs and emails ignored and reported
Security isn't a one-time setup. Review these habits periodically and stay alert to new types of scams.