Vol. 1 · Ed. 2026
CyberGlossary
Entry № 1155

Signature Phishing (Web3)

What is Signature Phishing (Web3)?

Signature Phishing (Web3): A Web3 phishing pattern that tricks a user into signing an EIP-712 or `personal_sign` message that authorizes the attacker to move tokens, transfer NFTs, or take wallet actions — without ever asking for a seed phrase.


Signature phishing — sometimes called 'sign-in scam' or 'one-click drainer' — is the dominant Web3 phishing pattern of 2023–2025, displacing traditional seed-phrase phishing. The attacker convinces a user to connect their wallet to a malicious dApp (typically a fake mint, airdrop, claim, or 'verify your wallet for refund' page) and to sign one or more messages. Those messages look benign in older wallets — `personal_sign` shows opaque bytes, `eth_signTypedData` shows generic-looking JSON — but actually encode high-impact authorizations: an unlimited ERC-20 `Permit`, an ERC-20 `Permit2.transfer`, a `setApprovalForAll` on a high-value NFT collection, an OpenSea or Blur order to sell the user's holdings for near zero, or, increasingly, a `safe.execTransaction` on the user's Safe / smart-contract wallet. The attacker submits the signature on-chain and drains the user. Defenses are unfortunately almost entirely UI-side: wallets that decode EIP-712 typed data into 'You are granting unlimited spend of X to address Y', anti-phishing extensions (Wallet Guard, ScamSniffer, Rabby, Pocket Universe, Stelo), and user education that any signature request is functionally equivalent to a transaction.

Examples

  1. A user visits a fake 'Arbitrum airdrop claim' site, signs a Permit2 message they think is a login, and the attacker uses the signature to transfer their USDC to a drainer wallet.

  2. An anti-phishing extension parses the EIP-712 payload, displays 'WARNING: you are about to grant unlimited spend of USDC to 0x… on Ethereum', and the user backs out.
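The decoding step in the second example, and the UI-side defense described in the definition above, look like this in practice. The following is an added example written for this entry; it is not code from the glossary or from any of the wallets or extensions named above. It classifies the two request kinds the entry discusses, EIP-712 typed data (`eth_signTypedData_v4`) and `personal_sign`, and renders the plain-language line a wallet should show. The trusted-spender list, every address, and the sample payloads are constructed for the example; the struct field names follow EIP-2612 `Permit` and Uniswap Permit2 (`PermitSingle`, `PermitTransferFrom`).

```javascript
// Added example, not code from this glossary entry or from any wallet/extension it names.
// Defender-side classifier for signature requests: decode the payload, flag the
// high-impact authorization patterns, and render a warning the user can act on.

const MAX_UINT256 = (1n << 256n) - 1n;
const MAX_UINT160 = (1n << 160n) - 1n; // Permit2 amounts are uint160
const ONE_WEEK = 7n * 24n * 3600n;

// Hypothetical allowlist of spender contracts the user has vetted (constructed).
const TRUSTED_SPENDERS = new Set(["0x1111111111111111111111111111111111111111"]);

// Anything at or above half the type's maximum is treated as an unlimited allowance.
function isUnlimited(value, max) {
  return BigInt(value) >= max / 2n;
}

// Classify an eth_signTypedData_v4 payload. `nowSec` is injectable so results are
// reproducible. Returns { severity: "high" | "low", findings, notes }.
function assessTypedData(typedData, nowSec = Math.floor(Date.now() / 1000)) {
  const { primaryType, domain = {}, message = {} } = typedData;
  const findings = []; // any entry here makes the request high-severity
  const notes = [];    // informational lines shown alongside
  const token = domain.name || domain.verifyingContract || "unknown token";

  const checkSpender = (spender) => {
    if (!spender || !TRUSTED_SPENDERS.has(String(spender).toLowerCase())) {
      findings.push(`spender ${spender} is not on your trusted list`);
    }
  };
  const checkDeadline = (label, deadline) => {
    if (deadline !== undefined && BigInt(deadline) > BigInt(nowSec) + ONE_WEEK) {
      findings.push(`${label} is more than a week away, so the approval stays usable long after you leave the site`);
    }
  };

  switch (primaryType) {
    case "Permit": // EIP-2612: Permit(owner, spender, value, nonce, deadline)
      if (isUnlimited(message.value, MAX_UINT256)) findings.push(`grants UNLIMITED spend of ${token}`);
      checkSpender(message.spender);
      checkDeadline("deadline", message.deadline);
      break;
    case "PermitSingle": // Permit2 allowance: details{token, amount, expiration, nonce}, spender, sigDeadline
      if (isUnlimited(message.details.amount, MAX_UINT160)) findings.push(`grants UNLIMITED Permit2 spend of ${message.details.token}`);
      checkSpender(message.spender);
      checkDeadline("expiration", message.details.expiration);
      break;
    case "PermitTransferFrom": // Permit2 signature transfer: tokens move as soon as the signature is submitted
      notes.push(`lets ${message.spender} pull ${message.permitted.amount} of ${message.permitted.token} immediately`);
      checkSpender(message.spender);
      break;
    default:
      findings.push(`unrecognised primaryType "${primaryType}"; treat it as a transaction and read every field`);
  }
  return { severity: findings.length ? "high" : "low", findings, notes };
}

// Classify a personal_sign payload (0x-prefixed hex, as the wallet receives it).
// Readable text is low risk; opaque bytes, and especially a bare 32-byte hash, are not.
function assessPersonalSign(hexMessage) {
  const pairs = hexMessage.replace(/^0x/i, "").match(/../g) || [];
  const bytes = Uint8Array.from(pairs, (h) => parseInt(h, 16));
  let text = null;
  try { text = new TextDecoder("utf-8", { fatal: true }).decode(bytes); } catch { /* not UTF-8 */ }
  if (text !== null && /^[\x20-\x7e\s]*$/.test(text)) {
    return { severity: "low", findings: [], notes: [`plain-text message: ${JSON.stringify(text)}`] };
  }
  const what = bytes.length === 32
    ? "32-byte opaque payload: you would be blind-signing a hash whose effect the wallet cannot display"
    : `${bytes.length} opaque bytes: the wallet cannot show what this authorises`;
  return { severity: "high", findings: [what], notes: [] };
}

// Text a wallet or extension would show, modelled on the entry's second example.
function renderPrompt(result) {
  const lines = [...result.findings, ...result.notes];
  const head = result.severity === "high" ? "WARNING" : "OK";
  return `${head}: ${lines.length ? lines.join("; ") : "no high-risk fields found"}`;
}

// Constructed sample: an unlimited EIP-2612 Permit to an unknown spender with a far-future
// deadline, the shape a fake "claim" page might hand to the wallet (EIP-712 `types` omitted).
const SAMPLE_PERMIT = {
  primaryType: "Permit",
  domain: { name: "USD Coin", version: "2", chainId: 1, verifyingContract: "0x2222222222222222222222222222222222222222" },
  message: {
    owner: "0x3333333333333333333333333333333333333333",
    spender: "0x4444444444444444444444444444444444444444",
    value: MAX_UINT256.toString(),
    nonce: "7",
    deadline: "99999999999",
  },
};

const toHex = (s) => "0x" + Array.from(new TextEncoder().encode(s), (b) => b.toString(16).padStart(2, "0")).join("");

console.log(renderPrompt(assessTypedData(SAMPLE_PERMIT, 1700000000)));
console.log(renderPrompt(assessPersonalSign(toHex("Sign in to example.org"))));
console.log(renderPrompt(assessPersonalSign("0x" + "ab".repeat(32))));
```

The classifier deliberately treats an unrecognised `primaryType` as high severity: a wallet that only warns on the structs it knows will be quiet on exactly the marketplace-order and contract-wallet payloads the entry lists, so the safe default is to say "read every field" rather than to stay silent.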

Frequently asked questions

What is Signature Phishing (Web3)?

A Web3 phishing pattern that tricks a user into signing an EIP-712 or `personal_sign` message that authorizes the attacker to move tokens, transfer NFTs, or take wallet actions — without ever asking for a seed phrase. It belongs to the Web3 & Blockchain category of cybersecurity.

What does Signature Phishing (Web3) mean?

A Web3 phishing pattern that tricks a user into signing an EIP-712 or `personal_sign` message that authorizes the attacker to move tokens, transfer NFTs, or take wallet actions — without ever asking for a seed phrase.

How does Signature Phishing (Web3) work?

Signature phishing — sometimes called 'sign-in scam' or 'one-click drainer' — is the dominant Web3 phishing pattern of 2023–2025, displacing traditional seed-phrase phishing. The attacker convinces a user to connect their wallet to a malicious dApp (typically a fake mint, airdrop, claim, or 'verify your wallet for refund' page) and to sign one or more messages. Those messages look benign in older wallets — `personal_sign` shows opaque bytes, `eth_signTypedData` shows generic-looking JSON — but actually encode high-impact authorizations: an unlimited ERC-20 `Permit`, an ERC-20 `Permit2.transfer`, a `setApprovalForAll` on a high-value NFT collection, an OpenSea or Blur order to sell the user's holdings for near zero, or, increasingly, a `safe.execTransaction` on the user's Safe / smart-contract wallet. The attacker submits the signature on-chain and drains the user. Defenses are unfortunately almost entirely UI-side: wallets that decode EIP-712 typed data into 'You are granting unlimited spend of X to address Y', anti-phishing extensions (Wallet Guard, ScamSniffer, Rabby, Pocket Universe, Stelo), and user education that any signature request is functionally equivalent to a transaction.

How do you defend against Signature Phishing (Web3)?

Defenses for Signature Phishing (Web3) typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for Signature Phishing (Web3)?

Common alternative names include: Sign-in scam, One-click drainer.
