Binance uses email to send login confirmations, withdrawal verifications, KYC status updates, and risk control alerts. While email is an essential part of the Binance service, it is also a primary vector for phishing attacks. Scammers use fake logos, mimic layouts, and use similar-looking domains to trick users into clicking malicious links in a panic. This guide teaches you how to identify real vs. fake emails across four dimensions. Remember: never click links directly in an email; instead, manually visit the Binance official site or log in via the official Binance App. iOS users can refer to the iOS Installation Guide to install the app and verify all notifications within the secure environment.

The core criteria for identifying an official Binance email are: the sender's root domain must be binance.com, the body must include your personalized anti-phishing code, all links must resolve to binance.com, and the email headers (SPF/DKIM/DMARC) must pass validation. If any of these are missing or incorrect, it is a phishing attempt.

Dimension 1: Sender Email Suffix

Official Binance emails always come from an address whose root domain is binance.com. No exceptions.

Genuine Sender Addresses

Common official Binance sender addresses include:

do-not-reply@directmail.binance.com
do-not-reply@ses.binance.com
no-reply@post.binance.com
do-not-reply@accounts.binance.com

Key characteristic: The primary domain is always binance.com. While there may be subdomains (like directmail, ses, post, or accounts), the root domain never changes.

Fake Sender Addresses

Common phishing disguises include:

no-reply@binance-cn.com         (Fake: contains "-cn")
support@binance.support         (Fake: .support is not a Binance domain)
service@binance.help            (Fake)
admin@binance-vip.com           (Fake)
no-reply@binance.com.cn         (Fake: .com.cn is not used by Binance)
no-reply@binnance.com           (Fake: misspelled with double "n")
no-reply@b1nance.com            (Fake: "i" replaced with "1")
no-reply@binance-app.com        (Fake)

How to Check the Actual Sender

Do not rely on the "Sender Name" (e.g., "Binance") displayed in your email client, as this field is easily spoofed. You must view the full email address:

  • Gmail: Open the email -> click the small arrow to expand details -> check the "from" field.
  • Outlook: Hover your mouse over the sender's name to reveal the actual address.
  • Apple Mail: Click on the sender's name to show the full address.

If your client only shows "Binance" without an address, click into the details to verify.

Dimension 2: Anti-Phishing Code

Once you set an anti-phishing code on binance.com, all genuine emails will include this code. Phishing emails will not.

What is an Anti-Phishing Code?

An anti-phishing code is a custom string of text (4-20 characters, ideally including special characters, e.g., MyAnti2026!) that you set in your Binance account settings. Once configured, Binance will include this exact string in the header or footer of every official email sent to you.

Phishers do not know your code, so their fake emails will either lack this string entirely or use a generic placeholder.

How to Set It Up

  1. Log in to binance.com.
  2. Go to the profile icon in the top right -> Security.
  3. Find the "Anti-Phishing Code" section.
  4. Click "Setup" or "Change."
  5. Enter a unique code that only you know.
  6. Confirm with your 2FA/Email verification.

After Setup

Subsequent official emails will display something like:

Anti-phishing code: MyAnti2026!

If you receive an email claiming to be from Binance that does not have this code or shows an incorrect one, it is a phishing email.

What if I Haven't Set It Up?

Set it up immediately. It is the simplest and most effective way to distinguish genuine Binance emails from fakes.

Dimension 3: Actual Link Domain

Hover over any link in an email to check its actual URL. It must lead to binance.com or one of its subdomains.

How to Verify Links

  • On Desktop: Hover your mouse over the link (without clicking). Your browser or email client will show the destination URL in the status bar at the bottom.
  • On Mobile: Long-press the link (do not release) until a menu pops up showing the full URL.

Genuine Links

https://www.binance.com/en/support/announcement/...
https://accounts.binance.com/en/login
https://www.binance.com/en/my/wallet/...

Characteristics: Uses https, domain is binance.com or its subdomains, and the path remains within binance.com.

Fake Links

https://binance-cn.com/login              (Fake)
https://binance.com.security-check.cc/    (Fake: real domain is security-check.cc)
https://binance-app.support/              (Fake)
https://www.binance.com.akamaiprotect.net/ (Fake: real domain is akamaiprotect.net)

Be wary of "subdomain spoofing" (examples 2 and 4), where binance.com is placed at the beginning of a URL to make it look official, while the actual domain is at the end.

Identifying the Real Domain

A URL is structured as Protocol://Subdomain.PrimaryDomain.TLD/Path. The Primary Domain + TLD determines ownership:

https://accounts.binance.com/login
  Subdomain: accounts
  Primary:   binance
  TLD:       com
  Path:      /login

Primary + TLD = binance.com (Genuine).

https://binance.com.fake-site.cc/login
  Subdomain: binance.com
  Primary:   fake-site
  TLD:       cc
  Path:      /login

Primary + TLD = fake-site.cc (Fake).
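
The sender check from Dimension 1 and the link check from Dimension 3 can be automated with the same rule: the host must be binance.com or end in ".binance.com". The following is an added Python example, not code from Binance or from this guide's author; the function names and the sample HTML body are constructed for illustration.

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = "binance.com"  # root domain this guide says to expect

def host_is_trusted(host):
    """True only for binance.com itself or a real subdomain of it."""
    host = (host or "").rstrip(".").lower()
    return host == TRUSTED or host.endswith("." + TRUSTED)

def sender_is_trusted(from_header):
    """Ignore the display name; judge only the domain of the address."""
    _name, addr = parseaddr(from_header)
    return "@" in addr and host_is_trusted(addr.rsplit("@", 1)[1])

def url_is_trusted(url):
    """https only; hostname is the host actually contacted, lowercased."""
    parts = urlsplit(url)
    return parts.scheme == "https" and host_is_trusted(parts.hostname)

class _Hrefs(HTMLParser):
    """Collects the href of every <a> tag, i.e. what hovering would reveal."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def untrusted_links(html_body):
    """Return every link target in the body that is not on binance.com."""
    parser = _Hrefs()
    parser.feed(html_body)
    return [h for h in parser.hrefs if not url_is_trusted(h)]

# Constructed sample body: the visible text says binance.com, the href does not.
SAMPLE = ('<a href="https://accounts.binance.com/en/login">Log in</a>'
          '<a href="https://binance.com.security-check.cc/">www.binance.com</a>')

if __name__ == "__main__":
    for s in ("Binance <do-not-reply@ses.binance.com>",
              "Binance <no-reply@binnance.com>"):
        print(s, "->", sender_is_trusted(s))
    print(untrusted_links(SAMPLE))
```

Because the comparison requires the leading dot, hosts such as binance-cn.com or binance.com.security-check.cc fail even though they contain the string "binance.com".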

Dimension 4: Email Header Verification

By checking the SPF, DKIM, and DMARC records in the raw email headers, you can determine if an email has been forged.

Three Key Validations

Protocol                           Purpose                                                           Genuine Binance Email
SPF (Sender Policy Framework)      Verifies if the sender IP is authorized by the domain.            spf=pass
DKIM (DomainKeys Identified Mail)  Verifies if the email signature matches the domain's public key.  dkim=pass
DMARC                              A policy that combines SPF and DKIM.                              dmarc=pass

How to View Headers

  • Gmail: Open the email -> click the three dots in the top right -> "Show original" -> check the SPF/DKIM/DMARC status in the summary.
  • Outlook: Open the email -> File -> Properties -> "Internet headers."
  • Apple Mail: View -> Message -> Raw Source.

Genuine Header Summary

SPF:    PASS with IP xxx.xxx.xxx.xxx
DKIM:   'PASS' with domain binance.com
DMARC:  'PASS'

Common indicators of phishing:

  • SPF: SOFTFAIL or FAIL
  • DKIM: No signature or the signature domain is not binance.com
  • DMARC: FAIL

If any of these fields FAIL, the email is likely forged.
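
The same three checks can be read from the Authentication-Results header that your mail provider adds to the raw message. The following is an added Python example, not code from Binance or from this guide's author; it assumes a simplified header layout with results separated by semicolons, and the authserv-id mx.example.net and both sample messages are constructed.

```python
import re
from email import message_from_string

TRUSTED = "binance.com"  # domain this guide tells you to expect

def _aligned(domain):
    domain = domain.lower().rstrip(".")
    return domain == TRUSTED or domain.endswith("." + TRUSTED)

def check_auth(raw_message, authserv_id):
    """Return a list of problems; [] means SPF, DKIM and DMARC all passed and
    the DKIM and DMARC domains are binance.com or a subdomain of it."""
    msg = message_from_string(raw_message)
    # Trust only the header stamped by your own receiving server (authserv_id);
    # any other Authentication-Results header is unverified text in the message.
    for value in msg.get_all("Authentication-Results", []):
        clauses = [" ".join(c.split()) for c in value.split(";")]
        if clauses[0].lower() == authserv_id.lower():
            break
    else:
        return ["no Authentication-Results header from " + authserv_id]
    passed = {}
    for clause in clauses[1:]:
        m = re.match(r"(spf|dkim|dmarc)=(\w+)", clause, re.I)
        if not m:
            continue
        method, verdict = m.group(1).lower(), m.group(2).lower()
        dom = re.search(r"header\.(?:d|i|from)=(?:[^\s@]*@)?([\w.-]+)", clause)
        ok = verdict == "pass" and (
            method == "spf" or (dom is not None and _aligned(dom.group(1))))
        passed[method] = passed.get(method, False) or ok
    return [f"{m}: no acceptable pass" for m in ("spf", "dkim", "dmarc")
            if not passed.get(m)]

# Constructed sample headers (mx.example.net stands in for your mail provider).
GENUINE = (
    "Authentication-Results: mx.example.net;\n"
    " dkim=pass header.i=@ses.binance.com header.s=selector1;\n"
    " spf=pass smtp.mailfrom=bounce@ses.binance.com;\n"
    " dmarc=pass header.from=ses.binance.com\n"
    "From: Binance <do-not-reply@ses.binance.com>\n\nbody\n")
FORGED = (
    "Authentication-Results: mx.example.net;\n"
    " dkim=pass header.d=binance-cn.com;\n"
    " spf=softfail smtp.mailfrom=no-reply@binance-cn.com;\n"
    " dmarc=fail header.from=binance-cn.com\n"
    "From: Binance <no-reply@binance-cn.com>\n\nbody\n")

if __name__ == "__main__":
    print(check_auth(GENUINE, "mx.example.net"))
    print(check_auth(FORGED, "mx.example.net"))
```

Note that a dkim=pass for a domain other than binance.com is still reported as a problem, matching the "signature domain is not binance.com" indicator above.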

Common Phishing Scenarios

Phishing emails often create a sense of urgency to force you into clicking a link or providing sensitive data.

Scenario 1: "Suspicious Login Detected"

"We detected an unusual login to your Binance account from Russia / Moscow. If this was not you, click the link below to reset your password immediately." [Reset Password Now]

The Truth: Binance does send login alerts, but they only provide the time and IP address. They will never ask you to click a link to reset your password. You must go to binance.com yourself to change any security settings.

Scenario 2: "KYC Information Expired"

"Your KYC documentation is about to expire. To avoid account freezing, please re-submit your documents within 24 hours via the link below." [Update KYC]

The Truth: Binance KYC does not "expire." If supplementary info is required, it will be requested via an in-app prompt or a notification on the official website, not through a suspicious email link.

Scenario 3: "You've Won 0.5 BTC"

"Congratulations! As a winner of the Binance New User Reward, you have received 0.5 BTC (approx. 30,000 USDT). Claim it within 24 hours." [Claim Reward]

The Truth: Binance does not run "random BTC giveaway" campaigns via email. All official promotions are listed on the binance.com announcement page with clear rules.

Scenario 4: "Withdrawal Confirmation Required"

"You applied to withdraw 1.5 BTC to address bc1qxxxx at 14:32 on 2026/04/26. If this was not you, click here to cancel." [Cancel Withdrawal]

The Truth: While withdrawal confirmation emails do exist, the link will always lead to the binance.com domain and will not ask you to re-enter your password. If the link leads elsewhere or asks for your password and 2FA, it is a phishing site.

What to Do After Receiving a Suspicious Email

Do not click any links. Open binance.com directly to check your account, and report the email to reportphishing@binance.com.

Recommended Actions

  1. Do not click any links in the email.
  2. Do not reply to the email.
  3. Open your browser and manually type binance.com in the address bar.
  4. Log in and check "Security -> Account Activity / Withdrawal History" for any actual suspicious behavior.
  5. If you find real unauthorized activity: Change your password -> Reset 2FA -> Check API keys -> Contact Support.
  6. If there is no suspicious activity, report the email:
    • Forward it to reportphishing@binance.com.
    • Mark it as "Phishing" in your email client.
    • Delete the email.


FAQ

Q: The email is from no-reply@binance.com, but it asks me to click a link to log in. Is it safe?
A: No. A correct sender address doesn't guarantee the content is safe. Binance will never ask you to click a link to log in. Always manually enter binance.com in your browser. Even if the sender address looks correct, the email could be spoofed (check SPF/DKIM) or modified by an attacker.

Q: I haven't set an anti-phishing code, and I received an email without one. Does that mean it's fake?
A: Not necessarily. If you haven't set a code, genuine emails won't have one either. However, you should set one immediately so you can use it as a verification standard for all future emails.

Q: Can I open attachments like PDFs or DOCs in a Binance email?
A: No. Official Binance emails never contain attachments. All information is written directly in the email body. Any "Binance email" with an attachment is a phishing attempt likely containing malware or keyloggers.

Q: I can't see the full URL on my phone. How do I verify it?
A: Long-press the link to see a preview of the actual URL. If your mail app doesn't support this, forward the email to your computer to check, or simply ignore the email and log in directly via the official website or app.

Q: Will I get a reply after reporting to reportphishing@binance.com?
A: Generally, no. However, the Binance security team processes every report. Recurring phishing templates are added to detection rules, and the associated domains are reported to browser and DNS providers for blocking.