Key Takeaways

• A new phishing campaign is impersonating MetaMask, using fake “2FA security checks” to trick users into revealing their 12-word recovery phrases.

• Security firm SlowMist warns that these scams use high-pressure tactics, claiming users will lose wallet access if they don’t “verify” their account immediately.

• Despite the rise in sophisticated AI-generated scams, total losses to phishing in 2025 dropped by 83% as investor education improves.

MetaMask Users Targeted by Fraudulent Security Alerts

Cybersecurity experts have identified a dangerous new wave of phishing attacks specifically designed to exploit the growing demand for account security. Scammers are getting way more professional. According to the security team at SlowMist, there’s a new wave of fake emails going around that look exactly like MetaMask alerts. They’ll tell you that you “must” complete a 2FA security check right away to keep your funds safe. It sounds legit, but here’s the catch: the link sends you to a fake page that asks for your Secret Recovery Phrase. Remember, MetaMask will never ask for your seed phrase for 2FA. If you see an email like this, don’t click—it’s a direct play to drain your wallet.

This tactic is particularly effective because it preys on the user’s desire to be secure. The phishing domains often look identical to official Consensys or MetaMask pages and use a sense of urgency—stating that the wallet will be “restricted” or “locked” within a few hours if the check is not completed.

SlowMist’s Chief Security Officer, 23pds, reminded the community that MetaMask is a decentralized, self-custodial wallet and will never ask for a recovery phrase, as that phrase provides total control over the user’s funds.

Phishing Losses Decline Amid Better On-Chain Security

While the emergence of fake 2FA checks is concerning, broader industry data suggests that the “war on phishing” is starting to turn in favor of users. A 2025 year-end report from Scam Sniffer revealed that total losses to phishing plummeted to $83.3 million in 2025, a massive 83% decrease from the $494 million lost in 2024. The number of victims also dropped significantly, from 332,000 to approximately 106,000. Experts attribute this decline to better browser-level security alerts and a more cautious investor base.

MetaMask does a lot of the heavy lifting with tools like Blockaid to flag “drainer” scripts before they can wreck your wallet, but it isn’t foolproof. The one thing technology can’t fix is the “human error” of typing a recovery phrase into the wrong box. To keep your assets safe, treat your 12-word seed phrase like a physical key to a vault. You only ever enter it directly into the official MetaMask app or your hardware wallet. If a website asks for it—even for a “security check”—it’s a scam, period.

Final Thoughts

Phishing scammers are moving from simple “giveaways” to complex “security audits.” Always remember: your recovery phrase is your digital key—never share it with anyone, for any reason.

Frequently Asked Questions

Does MetaMask have 2FA?
MetaMask does not have traditional email/SMS 2FA; however, you can add security by using a hardware wallet like Ledger or Trezor.

Why did I get an email from MetaMask?
You likely didn’t. MetaMask does not collect user emails, so almost any unsolicited email claiming to be from them is a scam.

What should I do if I shared my seed phrase?
If your phrase was compromised, immediately create a new wallet and move all remaining funds to the new address before the scammer can drain them.