Approval phishing is a social engineering scam that tricks a crypto user into granting a malicious actor permission to move funds out of their wallet. The victim believes they're approving a harmless action (a trade or a small transfer) but the transaction actually authorizes the attacker to drain the wallet at will. Because the approval is technically valid and the victim grants it themselves, no system is ever penetrated, which is exactly what makes the technique so effective.
How it works
The on-chain step is quick, but it's usually the end of a longer manipulation:
- The setup. A scammer builds trust over days or weeks—often posing as an advisor, mentor, or romantic interest—and steers the victim toward a specific platform or transaction.
- The approval. The victim is walked through a transaction and clicks "approve," believing it's minor. Hidden inside is a token-spending approval that hands the attacker access.
- The drain. The attacker can move instantly or wait for an ideal moment—often right after a fresh deposit—then routes the stolen crypto through bridges and exchanges to cash out.
Because these transactions are irreversible, recovery after the fact is difficult—making early detection and user awareness the most effective defense.
Red flags
The technical attack is preceded by consistent behavioral signals: rehearsed answers from a victim who can't explain their own investment, being steered off regulated exchanges into self-custody, dependence on a "mentor" who demands urgency and real-time screenshots, and large transfers from someone with no prior crypto activity. These are human signals, not software alerts—which is why training people to spot manipulation is central to stopping the attack.
How to prevent it
- Verify before connecting. Check URLs carefully before connecting a wallet, and download apps only from official stores—never from links in a chat.
- Distrust urgency. Anyone you've never met walking you through an urgent transaction is a major red flag.
- Review approvals. Periodically audit active token approvals and revoke any that are unfamiliar or no longer needed.
- Train the human layer. Since the decisive moment is a person clicking "approve," awareness training and realistic social engineering simulations build the instinct to pause.