# Address Spoofing While the Casa system is highly secure, the user still needs to obtain a destination address for each transaction from an exchange or wallet outside Casa’s systems. Malware on a user’s computer could theoretically cause their web browser or other communication software to display an incorrect address. This would defeat the security of any storage system, as it occurs outside of that system. **Mitigation:** * Use of a mobile app mitigates browser extension based address modification. * We re-derive receiving addresses independently on both server and mobile device. The app will throw an error if there is a mismatch between server and mobile device. * Use of a separate non-Casa "watch only wallet" allows for independent validation of addresses. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.casa.io/wealth-security-protocol/remaining-attack-vectors/address-spoofing.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.