Updated April 2026

Beginner Crypto Security Checklist

Most crypto losses aren't from exchange hacks — they're from phishing, SIM swaps, and account takeovers that could have been prevented. This checklist covers what every beginner should complete in the first 48 hours after opening a crypto account. Check off each step as you go.


Account access (Steps 1–4)

Step 1
Set a unique, strong password — not reused from another site
Use a password manager (Bitwarden is free) to generate a 20+ character random password. Never reuse passwords across financial sites.
Recommended: Bitwarden or 1Password
Step 2
Enable two-factor authentication (2FA) using an authenticator app
An authenticator app such as Google Authenticator or Authy is stronger than SMS-based 2FA, because a SIM swap attack lets an attacker receive your SMS codes. Every major exchange offers app-based 2FA in its security settings.
Do not use SMS 2FA if app-based is available
Step 3
Save your 2FA backup codes somewhere offline
When you enable 2FA, your exchange gives you backup codes. Print them or write them on paper. If you lose your phone and don't have backup codes, you may be permanently locked out.
Store backup codes offline — not in the cloud
Step 4
Use a dedicated email address for crypto — not your main Gmail
If your main email is compromised, every account tied to it is at risk. Create a separate email (ProtonMail is free and private) used only for your crypto exchange accounts.
ProtonMail offers free encrypted email
Phishing & scam awareness (Steps 5–8)

Step 5
Bookmark your exchange's official URL — never use Google to find it
Scammers run paid Google ads for fake exchange sites that look identical to the real thing. Search results are not safe. Bookmark the real URL directly and only ever navigate there from that bookmark.
Check the URL in your browser bar every time
Step 6
Know what your exchange will and won't ask you
Exchanges will never ask for your password, 2FA code, or seed phrase via email, live chat, or phone. If anyone asks, it's a scam. Support agents access your account on their end — they do not need your credentials.
No legitimate exchange asks for your password
Step 7
Do not click links in emails claiming to be from your exchange
Phishing emails that mimic Coinbase, Crypto.com, and Kraken are common. If you get an urgent email about your account, go directly to the exchange by typing the URL yourself, not by clicking the email link.
Step 8
Never share your screen with someone claiming to be exchange support
Screen-sharing scams are rising. A person claiming to be support asks to "help" remotely, then steals your account. Real exchange support does not use remote desktop tools like AnyDesk or TeamViewer.
Official support never needs screen access
Withdrawal safety (Steps 9–11)

Step 9
Enable withdrawal address whitelisting if your exchange offers it
Coinbase, Kraken, and Crypto.com all let you whitelist specific crypto wallet addresses. Once enabled, withdrawals can only go to addresses you pre-approved. This stops attackers who gain account access from draining funds to an unknown address.
Find this in Security or Withdrawal settings
Step 10
Set a withdrawal limit or require 2FA for all withdrawals
Most exchanges let you require 2FA confirmation before any withdrawal goes through. Enable this even if you already have 2FA for login — some exchanges treat them as separate settings.
Step 11
Test a small withdrawal before trusting a wallet address
Before sending a large amount to any wallet, send $5–10 first. Crypto transactions are irreversible. A typo in a wallet address, or clipboard malware that swaps addresses, can cause permanent loss.
Always verify the first and last 6 characters of the address
Device & network (Steps 12–15)

Step 12
Keep your exchange app and phone OS updated
Security patches in OS and app updates often close vulnerabilities that are already being actively exploited. Enable automatic updates on your phone so you don't have to track this manually.
Step 13
Never access your exchange account on public WiFi without a VPN
Coffee shop and airport WiFi can be intercepted. If you must access your exchange on a public network, use a reputable VPN. Mullvad and ProtonVPN are well-audited and don't log traffic.
Or just use your phone's cell data instead
Step 14
Enable biometric lock on your exchange app
All major exchange apps support Face ID or fingerprint lock. Enable it. If someone picks up your unlocked phone, this is the last line of defense before they can view your balance or initiate a trade.
Step 15
Consider a hardware wallet if you hold more than $2,000 in crypto
A hardware wallet (Ledger or Trezor) stores your private keys offline. Exchanges can be hacked, frozen, or go bankrupt. For amounts that would significantly hurt you to lose, self-custody is worth the learning curve.
Ledger Nano S Plus starts around $79
You've set up better security than most crypto users. The biggest remaining risk is phishing — stay skeptical of unsolicited messages claiming to be from your exchange.

Not financial advice. This checklist covers security best practices, not investment decisions. CryptoPickr is independent and earns no commission from security tool recommendations on this page.