
Phishing & Scam Protection — 2026 Guide



The Reality of Crypto Scams


As the Algorand ecosystem grows, so do the tactics used to steal your assets. The good news: Pera is self-custodial, so no one can access your funds unless you give them your recovery passphrase or sign a malicious transaction. The bad news: scammers are creative, and they're betting that you'll make a mistake.


This guide covers the most common attack types and exactly how to protect yourself.



Scam Type 1: Fake NFTs in Your Asset Inbox


How it works

Scammers send fake NFTs directly to your wallet with messages like "Claim your prize," "Free airdrop," or "Verify your wallet." These NFTs link to malicious websites designed to steal your funds.


What the malicious site does

  • Asks you to enter your recovery passphrase (instant theft)
  • Asks you to sign a rekey transaction (transfers control of your account to the attacker)
  • Prompts you to approve a transaction that drains your wallet


How to protect yourself

  • Ignore and delete suspicious NFTs. They can't harm you if you don't interact with them.
  • Never follow links from unexpected NFTs. No legitimate project sends prizes via random NFT drops.
  • A phishing NFT sitting in your inbox is harmless — it only becomes dangerous when you click through and interact.


Example of phishing detection in Pera



Scam Type 2: Impersonation (Fake Support)


How it works

Scammers pose as Pera support, Algorand Foundation staff, or project admins on Telegram, Discord, X (Twitter), and Reddit. They DM you offering "help" and ask for your recovery passphrase or ask you to connect to a "verification" website.


Red flags

  • Anyone DMing you first about "wallet issues" you didn't report
  • Being asked for your recovery passphrase for any reason
  • Links to "verification" or "sync" websites
  • Urgency: "act now or lose your funds"
  • Requests to screen-share your wallet


How to protect yourself

  • Pera support will never DM you first. We will never ask for your passphrase, ever.
  • Pera support will never ask you to screen-share your wallet.
  • Only reach out to Pera through official channels: the in-app chat, perawallet.app/contact-us, or support.perawallet.app.



Scam Type 3: Fake dApps and Phishing Websites


How it works

Attackers create websites that look identical to real DeFi protocols or wallet interfaces. They appear in search results (sometimes as paid ads), social media posts, or links in Discord/Telegram. When you connect your wallet and "approve" a transaction, you're actually signing away control of your assets.


Red flags

  • URLs with subtle misspellings (perawalet.app, pera-wallet.com, etc.)
  • Pop-up windows asking you to connect your wallet immediately
  • dApps not listed in Pera's Discover tab
  • Requests to sign transactions you didn't initiate


How to protect yourself

  • Bookmark the real URLs for dApps you use regularly
  • Use Pera's Discover tab to find verified dApps — this is curated
  • Always check the URL in your browser before connecting
  • Read what you're signing. Pera shows transaction details before you approve. If you see "rekey" and you didn't initiate one, reject it immediately.
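One way to automate the "check the URL" step, as an added example that is not Pera's own code: it classifies a link as official, lookalike, or unknown by comparing each hostname label against an allowlist. The allowlist holds only the domain named on this page; the distance threshold of 2 and the function names are assumptions.

```python
from urllib.parse import urlsplit

# Official domain named on this page; add the dApps you have bookmarked.
OFFICIAL_DOMAINS = {"perawallet.app"}
MAX_TYPO_DISTANCE = 2  # assumption: how many edits still count as a misspelling


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> str:
    """Return 'official', 'lookalike' or 'unknown' for a link."""
    if "//" not in url:
        url = "//" + url  # let urlsplit see a bare "host/path" as a host
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "unknown"
    # Official only on an exact match or a true subdomain of an official domain.
    for domain in OFFICIAL_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return "official"
    # Otherwise look for the brand name, or a near-miss of it, in any label
    # except the TLD. Hyphens are dropped so "pera-wallet" matches "perawallet".
    labels = host.split(".")[:-1]
    for domain in OFFICIAL_DOMAINS:
        brand = domain.split(".")[0]
        for label in labels:
            squashed = label.replace("-", "")
            if edit_distance(squashed, brand) <= MAX_TYPO_DISTANCE:
                return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for link in ("perawallet.app/contact-us", "https://support.perawallet.app",
                 "perawalet.app", "https://pera-wallet.com/claim"):
        print(f"{link:35} {classify_url(link)}")
```

A result of "unknown" means only that the link does not imitate an allowlisted name; it says nothing about whether the site is safe.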



Scam Type 4: Social Engineering


How it works

Scammers build trust over time — in Discord communities, Telegram groups, or even dating apps. They eventually direct you to a "great investment opportunity" or ask you to "help test" something that requires sending crypto or connecting your wallet.


How to protect yourself

  • Never send crypto to someone who promises guaranteed returns.
  • Never connect your wallet to a site a stranger recommended.
  • If something sounds too good to be true, it is.
  • Legitimate projects don't need your recovery passphrase to give you rewards.



The Rules That Keep You Safe


These are non-negotiable. Memorize them.


  1. Never share your recovery passphrase. Not with support, not with friends, not with anyone. Ever.
  2. Never enter your passphrase on a website. The only place your passphrase goes is inside a wallet app during recovery.
  3. Read before you sign. Every transaction in Pera shows you what you're approving. If you don't understand it, don't sign it.
  4. Watch for "rekey" transactions. Rekeying transfers control of your account to another key. Unless you intentionally initiated a rekey, reject it.
  5. Verify URLs. One wrong letter in a URL can send you to a scam site.
  6. Don't trust DMs. Pera and Algorand Foundation staff will never DM you first.
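Rules 3 and 4 as a pre-signing check, added here as an illustration and not taken from Pera's code: it scans a transaction group for fields that hand over control of an account you own. It goes slightly beyond the rekey case in the text by also flagging the two Algorand close-out fields, which sweep an entire balance. Assumptions: transactions are already decoded into dicts keyed by Algorand's canonical field names (`snd`, `rekey`, `close`, `aclose`) with addresses rendered as strings, and all addresses in the sample are placeholders.

```python
# Fields that transfer control or sweep a balance, keyed by Algorand's
# canonical transaction field names.
RISKY_FIELDS = {
    "rekey": "REKEY: signing authority for this account moves to {value}",
    "close": "CLOSE: the entire remaining ALGO balance is sent to {value}",
    "aclose": "ASSET CLOSE: the entire holding of this asset is sent to {value}",
}


def review_group(txns, my_accounts, user_started_rekey=False):
    """Return (index, warning) pairs for transactions that need a hard look.

    txns               -- list of decoded transactions (dicts), in group order
    my_accounts        -- set of addresses whose keys this wallet holds
    user_started_rekey -- True only if the user deliberately began a rekey
    """
    findings = []
    for index, txn in enumerate(txns):
        if txn.get("snd") not in my_accounts:
            continue  # someone else signs this one; it cannot move our keys
        for field, message in RISKY_FIELDS.items():
            value = txn.get(field)
            if not value:
                continue
            if field == "rekey" and user_started_rekey:
                continue  # expected: the user asked for this rekey
            findings.append((index, message.format(value=value)))
    return findings


# Constructed sample group. Only the first transaction carries a rekey field,
# which is why every transaction in a group has to be read, not just one.
ME = "MY-ACCOUNT-PLACEHOLDER"
OTHER = "UNKNOWN-ADDRESS-PLACEHOLDER"
SAMPLE_GROUP = [
    {"type": "pay", "snd": ME, "rcv": ME, "amt": 0, "rekey": OTHER},
    {"type": "axfer", "snd": ME, "arcv": OTHER, "xaid": 1234, "aamt": 1},
    {"type": "pay", "snd": OTHER, "rcv": ME, "amt": 1000},
]

if __name__ == "__main__":
    for index, warning in review_group(SAMPLE_GROUP, {ME}):
        print(f"txn {index}: {warning}")
```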



Official Pera Wallet Addresses


If you receive assets from Pera Wallet, these are the only legitimate sender addresses:


  • Account #1: V73GWLED56UUKKGOESJYHQADILUFMDM4RIBZZOLOOR4RKONZFDXYTVPMRM
  • Account #2: PERAAAA6L3OR2Q66TF3CUWDZBVWKDXQKSMEHR2PGDE2QW3KHOOX27MGNCU
  • Account #3: DISTRUH5PK662TTUUGRQBO44XDIUDQFWUJXH5EKRJ7L5CW3XUKPCHU3TGI


We will never send NFTs with external website links or ask for your passphrase.



What to Do If You Think You've Been Scammed


If you shared your recovery passphrase:

  1. Immediately create a new account in Pera
  2. Transfer all assets from the compromised account to the new one
  3. The old account should be considered permanently compromised — never use it again


If you signed a suspicious transaction:

  1. Check your account on Pera Explorer to see what happened
  2. If your account was rekeyed, see How to Rekey an Algorand Account — you may be able to rekey it back if you act quickly
  3. Contact Pera support through the in-app chat


If you received a suspicious NFT:

  1. Don't interact with it
  2. You can remove the asset from your account — see Removing an Asset






Think you're being targeted? Chat with us immediately or visit perawallet.app/contact-us.

Updated on: 14/05/2026
