Anyone who has registered an account on the Binance official website has likely received emails claiming to be "from Binance." However, many of these are actually phishing links that are nearly impossible to distinguish with the naked eye. By opening the Binance official app and setting up an anti-phishing code, all genuine emails will include your chosen custom string. iPhone users can follow the iOS installation guide to set up their client and complete the configuration in under 5 minutes.
Summary: Go to your Binance account "Security" center -> "Anti-Phishing Code", enter an 8-20 character alphanumeric combination, and save it. From then on, all official Binance emails will display this string in the body or subject line. Any email missing this string is definitely a phishing attempt.
What Exactly Is an Anti-Phishing Code?
Definition: An Anti-Phishing Code is a personal "signature stamp" assigned by Binance to an account holder. It is included in every official email sent to you to prove the email originated from Binance's servers. Since attackers do not know your chosen code, their fake emails will either lack this string or contain an incorrect one.
The logic is simple:
- You save an arbitrary string (e.g., MyB1nance2026) in your account settings.
- The Binance server binds this string to your Account ID.
- Every subsequent email—login alerts, withdrawal confirmations, API creation notices, or security warnings—will display Anti-phishing code: MyB1nance2026 in the header or subject.
- If the string matches, the email is genuine; if it's missing or incorrect, it's fake.
Phishing emails cannot forge this code because attackers have no way of knowing what you set from the outside—it is stored in the Binance database and inserted only during outbound mailing.
Why You Must Set an Anti-Phishing Code
Reason: Since 2025, phishing emails targeting cryptocurrency users have become increasingly sophisticated. Simply "checking the domain" or "verifying the signature" is no longer enough. Attackers can clone complete Binance HTML email templates, including the legal disclaimers in the footer, making them indistinguishable to the average user.
Common Phishing Email Tactics
- The sender name shows noreply@binance.com (this can be spoofed).
- The HTML structure perfectly replicates official Binance templates.
- Link text says binance.com, but hovering over it reveals the actual destination as binance-login.xyz.
- Urgent tone: "Abnormal login detected, click here to verify immediately."
- Fake withdrawal requests: "You have initiated a withdrawal of 5 BTC. This will execute in 10 minutes; click to cancel if this wasn't you."
With an anti-phishing code, you don't need to scrutinize the domain or the links. Just glance at whether your custom code is present. No code = Fake. Delete it.
Step 1: Log In and Access Security Settings
Recommendation: It is often easier to configure this on the web version than on the app. The entry point in the mobile app is tucked away a bit deeper.
On PC:
- Log in to your Binance account.
- Hover over your profile/email icon in the top right corner.
- Select "Security" from the dropdown menu.
- Scroll down to the middle of the page and find the "Anti-Phishing Code" section.
- Click "Enable" or "Edit."
On the App:
- Open the Binance app and tap your profile icon in the top left.
- Select "Security."
- Scroll to the bottom to find "Anti-Phishing Code."
Step 2: Set a Strong Anti-Phishing Code
Rule: A good anti-phishing code should meet three criteria: long enough, unique, and easily recognizable by you. Binance requires 4-20 characters, but 4 characters are too easy to guess via brute force or credential stuffing.
Recommended Formats
- Length: 8-20 characters.
- Character set: Mixed case letters + numbers (avoid numeric-only).
- Structure: Include a personal memory anchor + some random characters.
- Examples: Cat$BnB7724, SeaMoon2026Bn, Q3pPpYQ9.
Pitfalls to Avoid
- Do not use your password—overlapping strings with your login password is a double risk.
- Do not use your birthday—19920328 is too easy to associate with you.
- Do not use your full name—johndoe2026 is meaningless and predictable.
- Do not use simple numbers—12345678 is too weak.
- Do not use common words—binance123 or password are found in leaked dictionaries.
- Do not reuse strings from other sites—this reduces the risk of being cracked via association.
After setting it up, save the changes. Binance will require a 2FA code for confirmation. This string is not a password; if it leaks, your account isn't necessarily compromised, but the code loses its utility for verifying emails. Do not share it in chats or public notes.
Step 3: Locate the Code in Your Emails
Verification: Once successfully saved, Binance will immediately send you a confirmation email containing your new code. Use this as your test sample.
Open your inbox and find the latest Binance email. You will see a line at the top or bottom of the body like this:
Anti-phishing code: Cat$BnB7724
The location varies slightly depending on the email type:
- Login alerts: Usually after the subject or in the first line of the body.
- Withdrawal confirmations: Located above the "Confirm" button in the middle of the body.
- Security warnings: Often included in the subject line.
- Marketing emails: Usually do not have one (this is intentional by Binance; marketing emails don't affect core security).
All emails involving account operations—login, withdrawal, API creation, password changes, 2FA resets—MUST contain the anti-phishing code. If it's missing, it's a fake.
Genuine vs. Phishing Email Comparison
Checklist: Use the following table to quickly identify the legitimacy of an email.
| Feature | Genuine Email | Phishing Email |
|---|---|---|
| Anti-Phishing Code | Present and accurate in every operational email | Missing or contains random gibberish |
| Sender Domain | @binance.com or @post.binance.com | Spoofed as @binance-cn.com, @blnance.com, etc. |
| Actual Link Target | Sub-paths of binance.com | Leads to obscure domains like .cc or .xyz |
| Tone | Objective and factual | Urgent, pressuring you to click immediately |
| Attachments | Almost never contains attachments | Includes .zip, .exe, or .html files |
| Translation Quality | Natural and professional | Often shows signs of machine translation |
| Salutation | Uses your registered nickname | Generic "Dear user" or "Hello" |
| Legal Footer | Complete with Hong Kong/Cayman addresses | Missing or incorrect |
The safest verification order: Check Anti-Phishing Code → Verify Sender Domain → Hover over links to check real addresses. If any step fails, delete the email immediately.
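The same three checks can be run against a saved message. The Python below is an added example, not code from Binance or from this article; the sample messages are constructed, and treating subdomains of binance.com as official is an assumption.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

SENDER_DOMAINS = {"binance.com", "post.binance.com"}  # from the table above
CODE_RE = re.compile(r"Anti-phishing code:\s*([^\s<]+)", re.IGNORECASE)

class Links(HTMLParser):  # collects <a href> targets, ignoring visible link text
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        self.hrefs += [v for k, v in attrs if tag == "a" and k == "href" and v]

def is_binance_host(host):  # assumption: subdomains count as official
    host = (host or "").lower().rstrip(".")
    return host == "binance.com" or host.endswith(".binance.com")

def check_email(raw, my_code):
    """Return the failed checks in the article's order; [] means all passed."""
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    failed = []
    # 1. The exact code must appear in the subject or the body.
    codes = CODE_RE.findall(f"{msg['Subject']}\n{body}")
    if my_code not in codes:
        failed.append("code")
    # 2. From can be spoofed, so this is only a secondary signal.
    domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    if domain not in SENDER_DOMAINS:
        failed.append("sender")
    # 3. Judge links by their real target; non-web or relative hrefs fail too.
    parser = Links()
    parser.feed(body)
    if not all(is_binance_host(urlsplit(h).hostname) for h in parser.hrefs):
        failed.append("links")
    return failed

# Constructed sample messages, not real Binance mail.
GENUINE = ("From: Binance <noreply@post.binance.com>\nSubject: New login\n"
           "Content-Type: text/html\n\n<p>Anti-phishing code: Cat$BnB7724</p>"
           '<a href="https://www.binance.com/">Open Binance</a>')
PHISH = ("From: Binance <noreply@binance.com>\nSubject: Abnormal login\n"
         "Content-Type: text/html\n\n<p>Anti-phishing code: X9kQ2</p>"
         '<a href="https://binance-login.xyz/verify">binance.com</a>')
```

The constructed phishing sample passes the sender check because its From header is spoofed, yet it still fails on the code and on the real link target.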
When Should You Change Your Code?
Action: You should update your anti-phishing code immediately in three scenarios: if you suspect your email has been compromised, if you receive a suspicious email that somehow contains the correct code (extremely rare but be alert), or if you haven't changed it in over a year.
Recommended Rotation
- Once a year—Sync it with your password updates to build a habit.
- After an email password leak—Change it immediately, as attackers might see your code in your email history.
- After a login password leak—Update it to prevent association-based cracking.
- If you suspect account monitoring—Change the code + enable withdrawal whitelist + clear authorized devices.
The update process is identical to the initial setup: Go to Security Settings -> Edit Anti-Phishing Code -> Enter new value -> 2FA confirmation -> Save. Binance will not show you the old value, so there's no issue of "forgetting the old one and being unable to change it."
Limitations of Anti-Phishing Codes
Warning: An anti-phishing code is not a silver bullet. It only identifies "if the email is real"; it cannot stop you from "entering your password on a fake website that looks real."
Scenarios Where the Code Can't Help
- Directly landing on a phishing site—If you visit a fake binance-login.com and enter your credentials, no email has been sent yet, so the code is irrelevant.
- Malicious App clones—If you download a counterfeit app, your password is intercepted upon entry.
- Customer support phishing—If someone on Telegram or Discord impersonates Binance support and asks you to click a link, the email code won't protect you.
- API Key leaks—If an attacker gains your API key and drains funds, the email is merely a post-facto notification.
Therefore, the anti-phishing code must work in tandem with other protections: Official URL bookmarks + 2FA + Withdrawal Whitelist + API IP Restrictions + Anti-Phishing Code. These five layers are all essential.
FAQ
Q: Can the anti-phishing code include non-English characters or special symbols?
A: No. Binance only accepts uppercase and lowercase English letters, numbers 0-9, and basic symbols ($, #, @, etc.). Chinese characters, spaces, and emojis will trigger an error. Stick to alphanumeric combinations for the best display compatibility.
Q: Does the code appear in App push notifications?
A: Usually not in the notification title, but once you tap into the notification and view the full content in the In-App Message Center, you will see the code. To verify a push notification, primarily check if it actually came from the official Binance app—99% of "Binance notifications" from third-party apps are phishing.
Q: What if I forget what my anti-phishing code is?
A: Log in and go to Security Settings. You will see that the code is enabled, but the actual string is hidden. To find the string, check your recent emails from Binance. If you want to change it, simply click "Edit" and overwrite it with a new one—you don't need to know the old one first.
Q: Will Binance support ever ask for my anti-phishing code?
A: Never. Official Binance support will never ask for your anti-phishing code, password, 2FA code, or email verification code. Anyone—even if their profile looks like "Official Binance"—who asks for this info is 100% a scammer. Support will only ask for a description of your issue, a ticket number, or screenshots.
Q: Do I need to reset my code if I change my email address?
A: No. The anti-phishing code is bound to the Binance account itself, not the email address. After updating your email, messages sent to the new address will still include the same code. However, it is good practice to update the code when changing emails, just in case history in the old inbox provides clues to an attacker.
Q: Are anti-phishing codes independent for sub-accounts or institutional accounts?
A: Every independent Binance account has its own anti-phishing code. Sub-accounts are derived from a master account, but their email codes can be set separately—for example, the master account uses MainCat2026 while the sub-account uses SubDog88. For institutional accounts, it is highly recommended to assign independent emails and codes to each authorized operator.