Start here.
Before you connect a wallet or sign a transaction, run these checks. They are simple, but they block a huge amount of Solana phishing risk.
The GoldPhishy checklist
- Use wallet separation: vault, daily, minting, testing, and burner wallets should not be the same wallet.
- Never type a seed phrase or private key into a website, form, bot, popup, or support chat.
- Open projects from known official links only, not DMs, not adverts, not fake search results, and not reply threads.
- Read wallet prompts. Look for transfers, delegate approvals, authority changes, close-account instructions, and unknown programs.
- Assume unsolicited NFTs, spam tokens, and “claim now” messages are scams until proved otherwise (99.99% are).
- Use a hardware wallet for meaningful value, but remember: hardware wallets do not save you from approving a malicious transaction. They are a seatbelt, not an autopilot.
Red flag:
Any page asking for your recovery phrase is a scam.
Every bit of guidance says never share it and never enter it on any website.
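The "read wallet prompts" item from the checklist, as an added example that is not part of the original page: it maps the instructions of an already-decoded transaction to the checklist's categories using the System Program and SPL Token instruction tags. The `triage` name, the `{ programId, data }` input shape, the sample instructions and the placeholder program ID are assumptions of this example.

```javascript
// Added example. Input shape { programId, data: Uint8Array } is an assumption.
const SYSTEM = "11111111111111111111111111111111";
const TOKEN = "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA";
const TOKEN_2022 = "TokenzQdBNbLqP5VEhdkAS6EPFLC1PHnBqCXEpPxuEb";

// SPL Token instruction tag (first data byte) -> checklist category.
const TOKEN_TAGS = {
  3: "transfer", 12: "transfer",                   // Transfer, TransferChecked
  4: "delegate approval", 13: "delegate approval", // Approve, ApproveChecked
  6: "authority change",                           // SetAuthority
  9: "close account",                              // CloseAccount
};
// System Program instruction index (u32 little-endian) -> checklist category.
const SYSTEM_TAGS = { 1: "authority change", 2: "transfer" }; // Assign, Transfer

function triage(instructions, known = new Set([SYSTEM, TOKEN, TOKEN_2022])) {
  const findings = [];
  instructions.forEach(({ programId, data }, index) => {
    if (!known.has(programId)) {
      findings.push({ index, flag: "unknown program" });
      return;
    }
    const view = new DataView(data.buffer, data.byteOffset, data.byteLength);
    if (programId === SYSTEM) {
      const flag = data.length >= 4 ? SYSTEM_TAGS[view.getUint32(0, true)] : undefined;
      if (flag) findings.push({ index, flag });
      return;
    }
    const isToken = programId === TOKEN || programId === TOKEN_2022;
    const flag = isToken && data.length >= 1 ? TOKEN_TAGS[data[0]] : undefined;
    if (!flag) return;
    const finding = { index, flag };
    // Transfer/Approve (and their Checked forms) carry a u64 amount after the tag.
    if ([3, 4, 12, 13].includes(data[0]) && data.length >= 9) {
      finding.amount = view.getBigUint64(1, true).toString();
    }
    findings.push(finding);
  });
  return findings;
}

// Constructed sample instructions (not from a real transaction).
const SAMPLE = [
  { programId: TOKEN, data: Uint8Array.from([4, 255, 255, 255, 255, 255, 255, 255, 255]) },
  { programId: TOKEN, data: Uint8Array.from([9]) },
  { programId: TOKEN, data: Uint8Array.from([17]) }, // SyncNative: not flagged
  { programId: SYSTEM, data: Uint8Array.from([2, 0, 0, 0, 64, 66, 15, 0, 0, 0, 0, 0]) },
  { programId: "PLACEHOLDER_UNLISTED_PROGRAM_ID", data: new Uint8Array(0) },
];
console.log(triage(SAMPLE));
```

An approval whose amount is the maximum u64 value, as in the first sample instruction, gives the delegate spending rights over the whole token balance.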