A sophisticated phishing campaign is targeting MetaMask users through fake two-factor authentication (2FA) security checks, tricking them into revealing their wallet recovery phrases. This scam highlights the evolving social engineering tactics used in crypto security breaches, where attackers are moving away from crude spam messages to carefully designed impersonations.
The scam typically starts with unsolicited emails that appear to be official communications from MetaMask Support. These emails often carry subject lines such as "2FA – Protect Your Wallet" or "Action Required: Secure Your Wallet with 2FA," creating a sense of urgency. The emails claim that enabling 2FA is mandatory to prevent unauthorized access and often include a fake deadline. These phishing attempts closely mimic MetaMask's branding, using the familiar fox logo, color palette, and layout to appear legitimate.
A key element of the deception lies in the web domains used by the attackers. In documented cases, the fake domain differs from the real one by only a single letter, making it easy to overlook, especially on mobile devices or when users act quickly. Once a user clicks on the link, they are directed to a website that closely resembles the actual MetaMask interface.
On the phishing site, users are guided through what seems to be a standard security procedure. The site reinforces the idea that the process is legitimate and designed to protect the account. However, at the final stage, the site asks users to enter their wallet seed phrase, presenting it as a required step to complete the 2FA setup. This is the critical moment of the scam because a seed phrase, also known as a recovery or mnemonic phrase, is the master key to a wallet. With it, an attacker can recreate the wallet on another device, transfer funds without approval, and sign transactions independently.
Cybersecurity firm SlowMist flagged this attack, noting that these fake web pages are designed to closely mimic official MetaMask interfaces. These pages often include countdown timers and "authenticity verification" steps to further convince users of their legitimacy. Once the seed phrase is submitted, attackers gain complete control and can instantly drain the wallet.
Wallet providers consistently warn users never to share their recovery phrases under any circumstances. No legitimate support team or security system will ever ask for the full seed phrase via email, pop-up, or website form. The use of a fake 2FA setup is a deliberate psychological tactic, as two-factor authentication is widely perceived as synonymous with stronger protection, which instinctively lowers suspicion.
To protect themselves, users should ignore unsolicited emails claiming to be from MetaMask, as official communications never create a sense of urgency or request seed phrases. It is crucial to check the sender's domain for legitimacy and to type URLs manually instead of clicking links. Users should only enter their seed phrase during the initial wallet setup or a recovery on a trusted device. Enabling real 2FA on related accounts (exchanges, email) with an authenticator app rather than SMS adds a further layer of protection. Regularly revoking token approvals with tools such as MetaMask Portfolio limits what a malicious contract is still allowed to access.
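The sender-domain check the advice above asks users to do by eye, written out as an added Python example (not code from the article or from MetaMask): it flags sender and link hostnames that are one edit away from metamask.io or that bury the brand name inside another domain. The sample email and the lookalike domain in it are constructed for this example, and LEGIT_DOMAINS, classify_domain and scan_message are names chosen here.

```python
import re
from urllib.parse import urlsplit

# The only domain that should ever pass as the wallet vendor's own (metamask.io is on the page).
LEGIT_DOMAINS = {"metamask.io"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def levenshtein(a: str, b: str) -> int:
    """Edit distance; a distance of 1 is exactly the one-letter difference the article describes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (fine for .io/.com; no public-suffix list in this example)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify_domain(host: str) -> str:
    """'legit', 'lookalike' (one edit away, or the brand name inside another domain) or 'unrelated'."""
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return "legit"
    for legit in LEGIT_DOMAINS:
        brand = legit.split(".")[0]
        if levenshtein(reg, legit) <= 1 or brand in host.lower():
            return "lookalike"
    return "unrelated"

def scan_message(raw: str) -> dict:
    """Classify the From: domain and every http(s) link host found in a raw email."""
    result = {"sender": None, "links": {}}
    m = re.search(r"^From:.*?@([\w.-]+)", raw, re.M | re.I)
    if m:
        result["sender"] = classify_domain(m.group(1))
    for url in URL_RE.findall(raw):
        host = urlsplit(url).hostname or ""
        result["links"][host] = classify_domain(host)
    return result

# Constructed sample in the shape the article describes; the sender domain is made up, not a real IoC.
SAMPLE_EMAIL = """From: MetaMask Support <support@metamsk.io>
Subject: Action Required: Secure Your Wallet with 2FA
Enable 2FA within 24 hours: https://metamsk.io/2fa/verify
Questions? https://support.metamask.io/
"""
```

Unicode homoglyph domains and a real public-suffix list are out of scope here; a production mail filter would normalise IDNs to ASCII first and use a proper suffix list before applying the same edit-distance rule.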
