Phishing attacks in the cryptocurrency space are increasingly common, and every day someone suffers heavy losses after clicking a fake link or believing a scam message. Protecting your account on the official Binance website requires a thorough understanding of the various phishing tactics. Using the official Binance App is somewhat safer than accessing Binance through a browser, because the App is not easily deceived by phishing websites. Apple phone users should install the genuine App by following the iOS installation guide.
What is a Phishing Attack
A phishing attack is a form of social engineering attack. Attackers disguise themselves as a trusted entity (such as official Binance) to trick you into voluntarily handing over sensitive information like your account password, verification codes, or private keys.
Phishing attacks do not directly breach your account's security systems; instead, they exploit human psychological weaknesses to obtain information. Therefore, no matter how strong the technical security measures are, if you tell the scammer your password yourself, those measures are rendered useless.
In the cryptocurrency space, losses from phishing attacks are particularly huge because cryptocurrency transfers are irreversible. Once the money is transferred out, it is basically impossible to get it back.
Common Phishing Methods
Fake Websites
This is the most classic phishing method. Attackers create a fake website that looks almost identical to the official Binance site, and the domain name might differ by only one or two letters. For example, changing "binance.com" to "binanace.com" or "b1nance.com". If you don't look closely, you simply cannot tell the difference.
When you enter your account and password on the fake website, this information is captured by the attackers. They will immediately use this information to log into your real account and transfer away your assets.
Phishing Emails
Attackers send phishing emails that look very much like official Binance emails. The content is usually something like "Your account has security risks", "You have a reward pending to be claimed", or "Please verify your identity immediately". The links in the emails point to fake websites.
Some phishing emails are crafted very meticulously, making even the logo, layout, and sender's name look identical to the real ones.
Social Media Scams
On social platforms like Telegram, Twitter, and Discord, people impersonate Binance customer support or administrators. They might contact you proactively, claiming to help you solve a problem, and then ask you to provide your account password or verification code.
There are also people posting "Binance Airdrop" links in groups, which lead to phishing websites when clicked.
Malware
Some phishing attacks do not trick you into typing your password directly, but instead steal information via malware. For example, a keylogger will record everything you type, and clipboard hijacking software will replace the withdrawal address you copied with the attacker's address.
Fake Apps
"Binance Apps" downloaded from unofficial app stores might be malware in disguise. These fake apps have an interface identical to the real one, but the account credentials you enter are sent straight to the attackers.
How to Identify Phishing Attacks
Check the URL
Before accessing Binance, you must look carefully at the URL in your browser's address bar. The real official Binance domain is "www.binance.com". Pay attention to see if there are extra letters, number substitutions, or spelling errors.
Check if the URL starts with "https://" (has a secure lock icon). Although phishing websites can also have https, those without https are definitely fake.
The safest practice is to save a bookmark of the Binance official website in your browser and access it through the bookmark every time, rather than clicking links through search engines.
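The manual URL check described above can also be automated, for example in a mail filter or a link-preview tool. The following is an added example, not Binance code: it classifies a URL's hostname against the official domain and flags the page's two lookalikes ("binanace.com", "b1nance.com"). It goes slightly beyond the page by also flagging hosts that merely contain the brand as a label; the digit map, the distance threshold of 2 and the `.example` host are assumptions.

```python
from urllib.parse import urlsplit

OFFICIAL = "binance.com"   # official domain as stated on this page
BRAND = "binance"
# Assumed digit-for-letter substitutions (covers the page's "b1nance" case)
DIGIT_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "5": "s"})

def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Return 'official', 'no-https', 'lookalike' or 'unrelated'."""
    # Bare hostnames get a scheme so urlsplit can parse them; they are
    # then judged by name only.
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").rstrip(".").lower()
    if host == OFFICIAL or host.endswith("." + OFFICIAL):
        return "official" if parts.scheme == "https" else "no-https"
    for label in host.split("."):
        # Internationalised labels can render like Latin letters.
        if label.startswith("xn--") or not label.isascii():
            return "lookalike"
        norm = label.translate(DIGIT_MAP)
        # Brand embedded in a label, or within two edits of it.
        if BRAND in norm or edit_distance(norm, BRAND) <= 2:
            return "lookalike"
    return "unrelated"

if __name__ == "__main__":
    samples = [  # constructed sample URLs
        "https://www.binance.com/en/login",
        "http://www.binance.com/",
        "https://binanace.com",
        "https://b1nance.com/login",
        "https://binance.com.account-verify.example/",
        "https://example.org",
    ]
    for s in samples:
        print(f"{classify(s):10} {s}")
```

A "lookalike" verdict is a prompt for review rather than proof: a legitimate name within two edits of the brand (a label such as "finance") is flagged as well.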
Check the Anti-Phishing Code
If you have set up an anti-phishing code on Binance, every genuine email from Binance will contain the anti-phishing code you set. After receiving an email, check for the anti-phishing code first; if it doesn't have one, it's fake.
Be Wary of Urgent and Intimidating Tones
Phishing messages usually create a sense of urgency: "Your account will be frozen within 24 hours", "Operate immediately otherwise your assets will be cleared". The real Binance rarely uses such an intimidating tone. When encountering such messages, stay calm first, and don't rush to click the link.
Do Not Trust People Who Contact You Proactively
Binance customer support will not proactively contact you through channels like Telegram, WhatsApp, or WeChat. Anyone proactively contacting you claiming to be Binance staff is 99% a scammer.
Use the Binance Verify Tool
Binance provides an official verification tool called "Binance Verify". You can input the email address, phone number, URL, etc., that you received, and the system will tell you whether it is truly from official Binance.
Specific Measures to Prevent Phishing Attacks
Set Up an Anti-Phishing Code
Enable the anti-phishing code feature in your Binance security settings. Afterward, every official email will contain your exclusive anti-phishing code.
Use Bookmarks for Access
Add the official Binance website address to your browser bookmarks, and access it through the bookmark every time. Do not click through Google search results, as search ads might be placed by phishing websites.
Only Download the App from Official Channels
For Android phones, download from the Google Play Store, and for Apple phones, download from the App Store. Do not download the Binance App from third-party websites or unofficial stores. Confirm the developer is "Binance" before downloading.
Enable All Security Verifications
Enable Google Authenticator, SMS verification, and email verification all at once. This way, even if your password is leaked, attackers will still need to breach multiple verifications to log into your account.
Use Hardware Security Keys
Hardware security keys like YubiKey can provide the highest level of login protection. They will not be deceived by phishing websites because they verify whether the website's domain is correct.
Install Antivirus Software
Install reliable antivirus software on your computer and phone, and run regular scans to check for malware. Keep your operating system and browsers updated to the latest versions.
How to Handle Receiving Suspicious Messages
Do not click any links. If you have already clicked, do not enter any information on the page. If you have already entered your password, log into the real official Binance website immediately to change your password. If you have already entered a verification code and your assets have been transferred out, contact Binance customer support immediately to report the situation.
Suspicious emails you receive can be forwarded to Binance's official reporting email address. If you encounter scam messages on social media, you can report and block the other party.
Daily Habits to Improve Security Awareness
Never tell anyone your password, including people claiming to be Binance customer support. Do not expose your cryptocurrency holdings on social media. Do not join cryptocurrency groups of unknown origin. Do not believe in news like "free giveaways" or "airdrops" that sound too good to be true. Regularly check your account's login history and security settings.
When encountering any situation you are unsure about, first go to the official Binance website or App to verify, and do not verify through third-party channels. It's better to take an extra step to confirm than to risk making a move.
What to Do If You've Already Been Phished
If you realize you have already fallen into a phishing trap, handle it urgently with the following steps:
Step one, immediately change your Binance password. Use a device you confirm is safe to log into the real official Binance website to change your password.
Step two, check if there are any abnormal withdrawals or trades. If so, immediately contact Binance customer support to request an account freeze.
Step three, reset all security verifications. This includes rebinding your Google Authenticator, changing your anti-phishing code, etc.
Step four, check if your device has malware installed. Do a full scan of your computer and phone with antivirus software.
Step five, check other associated accounts. If you used the same password on Binance and other platforms, you also need to change the passwords on those platforms.
FAQ
Will Binance call me to ask for my password?
Absolutely not. Binance customer support will not ask you to provide sensitive information like passwords, verification codes, or private keys under any circumstances. Anyone contacting you for this reason is a scammer.
Is it safe to click on results after searching for "Binance" on Google?
Not necessarily. The ad spots at the top of the search results might have been purchased by phishing websites. It is recommended to type "www.binance.com" directly into the address bar or use a bookmark to access the site.
What is a good anti-phishing code to set?
Set a combination that is easy for you to remember but hard for others to guess. It could be a combination of a special word of yours plus a few numbers. Do not use easily guessable information like your birthday or name. It is recommended to change it every few months.
Are the "Official Binance Groups" on Telegram real?
You need to identify them carefully. Binance does have official Telegram groups and channels, but there are also many fake ones. The real official channels can be accessed through the links published on the official Binance website. The "customer support" who proactively direct message you in groups are basically all scammers.
What should I do if my password has leaked but my assets haven't been transferred yet?
Immediately change your password, enable or reset all security verification measures, turn on the withdrawal whitelist (if you haven't already), check and clear any unrecognized login devices, and consider temporarily transferring your assets to a secure wallet.