Phishing is the malicious act to obtain sensitive data from somebody, specifically done by “baiting” them into handing over that data.

Steemit, and the Internet in general, are absolutely not safe havens and one can be phished at any time.

Many phishing attempts online will try to imitate a site, or possibly a project which would seem to be a part of the site where they attempt to phish people. Phishing can also happen in email, instant messaging, or on social media. Fake airdrops are often also phishing efforts where the organizers want to obtain access to one’s account and social media profiles where possible.

On Steem(it) most phishing attempts known so far aimed to obtain one’s master key so they could highjack (and empty) the account. Sometimes this happens by tempting somebody to login to a steemit alike website (using condenser) or the phishers have setup a site which imitates SteemConnect but your account name and key are sent to them.

In worst case within seconds only they may have logged in (via a script) and reset your master key.

How to protect yourself?

Only you can protect yourself from phishing attempts on the internet, and also on Steem.

Always check the URL. If not sure do not click the URL and definitely do not enter your user details on any site you do not trust 100%. On the Steem blockchain most sites do not need your admin or master key and are happy with only your (private) posting key. Because both other keys are only required for wallet operations or account settings.

Ergo, only use your posting key on Steem. If a site wants a higher level of access, more often than not they will offer SteemConnect Authentication as login method. When using SteemConnect the site only receives tokens but not your password. These auth tokens can only be used by the app which received them. This means that Musing could not use the tokens generated from logging in to Musing with SteemConnect to post in name of your account via Steemhunt, for example.