
Security best practices

How to protect your recovery phrase, spot phishing attempts, and approve transactions with confidence.

Use read-only mode by default

Heldby opens in read-only mode every time you launch it. In this state you can view your portfolio, check balances, and monitor transactions — but nothing can be signed.

This is intentional. Most of the time you are just checking your holdings, not sending. Requiring a PIN to unlock signing means that even if a malicious website somehow triggers a signing request while your extension is open, nothing can happen without your explicit action.

Habit to build

After every send, let the wallet return to read-only. Never leave signing mode active when you are not actively transacting.

How to spot a phishing attempt

Phishing is the most common way crypto is stolen. It works by tricking you into signing a malicious transaction or revealing your seed phrase. Here is what to watch for:

🚩 Urgency pressure

"Your wallet will be suspended in 24 hours." Legitimate protocols do not work this way.

🚩 Seed phrase requests

No legitimate wallet, exchange, or support team will ever ask for your 12-word recovery phrase.

🚩 Lookalike domains

heldby.io vs heldby.app vs heldby-wallet.com. Always verify the exact URL.

🚩 Unexpected approval requests

If a wallet signing prompt appears when you did not initiate a transaction, close it immediately.

🚩 "Free mint" or "claim" links

These often request unlimited token approvals. Heldby blocks blind signing — but be suspicious of any unsolicited opportunity.

Understanding transaction approvals

Before you confirm any send in Heldby, you will see a plain-English description of exactly what the transaction does. Read it. Every time.

Safe example

"Send 0.1 ETH to 0x71C7…3Fab"

Clear recipient, clear amount. You recognise the address.

Warning example

"Contract interaction — data cannot be decoded"

Heldby blocks this. You should never sign raw unreadable data.

If the description does not match what you intended to do, do not sign. Close the prompt and investigate.

Verify addresses before sending

Address poisoning attacks send tiny transactions from addresses that look nearly identical to ones you have interacted with before — same first and last few characters, different middle. If you copy an address from your transaction history, you may copy the wrong one.

Do

Always verify the full address before sending — not just the first and last 4 characters.
Heldby checks every recipient address against known-bad address lists automatically.
For large sends, send a small test amount first and verify it arrives.

Don't

Copy addresses from chat messages or emails — always go to the original source.
Trust an address just because it looks familiar at a glance.
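The glance-check failure described above, as an added example that is not Heldby's code: a lookalike address sharing the first and last four characters of a trusted contact passes a prefix/suffix comparison but fails a full comparison, and a scan of the transaction history flags it as a poisoning candidate. All addresses and history entries are constructed samples.

```javascript
// Added example, not Heldby's code: why comparing only the first/last 4
// characters of an address is unsafe, and how a full comparison plus a
// history scan catches an address-poisoning lookalike.

const HEX_ADDR = /^0x[0-9a-f]{40}$/;

// Canonical form: lowercase and exactly 20 bytes of hex, otherwise reject.
function normalize(addr) {
  const a = String(addr).trim().toLowerCase();
  if (!HEX_ADDR.test(a)) throw new Error(`invalid address: ${addr}`);
  return a;
}

// The unsafe habit: compare only the first 4 and last 4 hex characters.
function glanceMatch(a, b) {
  const x = normalize(a).slice(2), y = normalize(b).slice(2);
  return x.slice(0, 4) === y.slice(0, 4) && x.slice(-4) === y.slice(-4);
}

// The correct check: every character must match.
function sameAddress(a, b) {
  return normalize(a) === normalize(b);
}

// Scan a transaction history for counterparties that look like a trusted
// contact at a glance but are not that contact. Each hit is an address the
// user must not copy out of their history.
function findPoisoningCandidates(history, addressBook) {
  const hits = [];
  for (const tx of history) {
    for (const [label, trusted] of Object.entries(addressBook)) {
      if (!sameAddress(tx.from, trusted) && glanceMatch(tx.from, trusted)) {
        hits.push({ suspect: normalize(tx.from), mimics: label, value: tx.value });
      }
    }
  }
  return hits;
}

// Constructed sample data: Alice's real address and a lookalike that shares
// the leading "71c7" and trailing "976f" but differs everywhere in between.
const ADDRESS_BOOK = { alice: "0x71C7656EC7ab88b098defB751B7401B5f6d8976F" };
const HISTORY = [
  { from: "0x71c7656ec7ab88b098defb751b7401b5f6d8976f", value: "1.0 ETH" },      // genuine payment
  { from: "0x71c71a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d976f", value: "0.000001 ETH" }, // dust from lookalike
];

console.log(findPoisoningCandidates(HISTORY, ADDRESS_BOOK));
```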

Keep your device secure

Your wallet is only as secure as the device it runs on. A compromised device can expose your PIN input and potentially your decrypted key material.

Keep Chrome updated

Security patches in Chrome protect the extension sandbox.

Use a strong device PIN

Physical access to an unlocked device is a real attack vector.

Be careful with other extensions

Other browser extensions can read page content. Minimise installed extensions.

Use a dedicated browser profile

A separate Chrome profile for crypto reduces cross-site exposure.

The 10-second contract rule

When a transaction destination is a smart contract (rather than a regular wallet address), Heldby enforces a mandatory 10-second countdown before the confirm button becomes active.

This is not a bug. It is a deliberate friction layer. Most phishing attacks rely on urgency and split-second decisions. Ten seconds forces you to actually read what you are about to sign.