Approval phishing does not need your keys or your seed phrase. You visit a site, it asks you to sign or approve something, and that approval quietly hands a contract standing permission to move your funds. It can sit unused for a while, then drain the wallet later.
A few habits that hold for any wallet:
\- Treat every signature request as a permission grant, not a formality.
\- Check what contract you are approving and what it is allowed to do.
\- Revoke old approvals you no longer use (revoke.cash and similar make this quick).
\- Reading the real transaction on a separate screen beats trusting the website popup.
How do you all vet an approval before signing?