If you have been registered on the Binance Official Site for more than half a year, your inbox has likely accumulated dozens of emails claiming to be from "Binance"—some real, some fake. Binance Official APP push notifications and emails occasionally arrive simultaneously, providing an extra layer of verification. For iPhone users, refer to the iOS Installation Guide to set up the app and develop the habit of "checking the app before the email" to block the vast majority of phishing attempts.
A: The fastest three steps to distinguish email authenticity—Step 1: Check the anti-phishing code (must be your custom string); Step 2: Check the sender's full domain (must be @binance.com or @post.binance.com); Step 3: Hover over links to see their true destination. If it passes all three = Real; if it fails any one = Fake.
Step 1: The Anti-Phishing Code is the Bottom Line
A: All official Binance emails involving account operations will include your pre-set Anti-Phishing Code. Once you have set a code, any account-operation email lacking this string is 100% a phishing attempt.
Anti-Phishing Code Location
The location varies slightly depending on the email type:
- Login Alerts: In the subject line or the first line of the body
- Withdrawal Confirmation: Above the "Confirm" button in the body
- Security Alarms: In the subject line
- Funds Received: At the top of the body
Example:
Subject: New Login from New York | Anti-phishing code: MyB1nance2026
Or:
Anti-phishing code: MyB1nance2026
Hi user@example.com,
We detected a new login from XX device...
Details About the Anti-Phishing Code
- If you have never set an anti-phishing code, any email containing "Anti-phishing code: XXX" cannot be judged solely on this (attackers might just fill in a random string)
- If you have set one, the code in the email must match yours exactly
- Marketing, event, and promotional emails usually do not carry an anti-phishing code (this is intentional by Binance, as they don't involve account operations)
- The code is case-sensitive: Cat$BnB ≠ cat$bnb
Step 2: Sender's Full Domain
A: Official Binance email sender domains are limited to a few specific subdomains. Any variation is a forgery.
Real Sender List
| Purpose | Real Domain |
|---|---|
| Security Notifications | noreply@post.binance.com |
| Marketing Events | marketing@post.binance.com |
| Customer Support | support@binance.com |
| Verification Codes | verify@post.binance.com or noreply@directmail.binance.com |
| Legal/Compliance | compliance@binance.com |
Common Forged Domains
| Spoofing Method | Example | How to Identify |
|---|---|---|
| Character Replacement | binnance.com, blnance.com | Extra 'n', or 'i' replaced by 'l' |
| TLD Replacement | binance.cn, binance.io, binance.app | Not .com |
| Adding Prefixes | binance-us.com, binance-login.com | Hyphen added after the real domain |
| Adding Suffixes | binance.com.xx.cc | Looks like a subpath but is actually a different domain |
| Regional Variants | binance-china.com | Binance does not use this domain |
| Homograph Attacks | binаnce.com (using Cyrillic 'а') | Visually almost identical |
How to View the Full Sender
Instructions vary by client:
- Gmail Web: Open the email, click the small triangle next to the sender's name to see the full address
- Outlook: Click on the sender's name
- Apple Mail: Long-press or click on sender details
- Mobile Apps: Check "Details" at the top after opening the email
Judging by the displayed "Sender Name" is meaningless—any email can set the display name to "Binance Official." The key is the actual email address.
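The Step 2 check as an added example (not code from Binance or from the original page): it ignores the display name, extracts the real address, and compares its domain against the sender domains listed in the table above. The function name `check_sender` and the sample headers are constructed for illustration.

```python
from email.utils import parseaddr

# Sender domains from the "Real Sender List" table on this page.
ALLOWED_DOMAINS = {"binance.com", "post.binance.com", "directmail.binance.com"}

def check_sender(from_header):
    """Classify a raw From: header value. Returns (ok, reason)."""
    _display_name, addr = parseaddr(from_header)  # display name is never trusted
    if "@" not in addr:
        return False, "no parsable address"
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    if not domain.isascii() or "xn--" in domain:
        return False, "non-ASCII or punycode domain (possible homograph)"
    if domain in ALLOWED_DOMAINS:
        return True, "listed sender domain"
    if "binance.com." in domain:
        return False, "binance.com is only a prefix of another domain"
    if "binance" in domain:
        return False, "look-alike domain built around the brand name"
    return False, "unlisted domain"

# Constructed From: headers, using the forged domains from the table above.
SAMPLES = [
    "Binance <noreply@post.binance.com>",
    "Binance Official <support@binance-login.com>",
    "Binance <noreply@binance.com.xx.cc>",
    "Binance <noreply@bin\u0430nce.com>",   # Cyrillic 'a' (U+0430)
    "Binance Security <alerts@blnance.com>",
    "Binance <support@binance.io>",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_sender(sample), "<-", sample.encode("unicode_escape").decode())
```

Only the first sample passes; the match is exact, so a subdomain that is not in the table is rejected as well.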
Step 3: Link Hover Verification
A: Before clicking any link in an email, you must hover your mouse over it to check the real destination displayed in the bottom-left corner.
Characteristics of Real Links
- Domain: binance.com or its subdomains like accounts.binance.com, www.binance.com
- HTTPS: All real links use https://
- Logical Paths: Familiar paths like /en/login, /security, etc.
Characteristics of Fake Links
- Domain Header: binance-secure.xyz, bnb-login.cc
- Redirection Chains: Short links like https://t.co/XXXX that hide the true destination
- Subdomain Disguise: binance.com.fake-domain.io (the real domain is actually fake-domain.io)
- Paths containing urgent words like verify, reset, or urgent
How to Hover on Mobile
Mobile devices don't have mouse hovers. The action is to long-press the link for 2-3 seconds, which will pop up a preview menu showing the real URL. Never click an uncertain link directly.
Copy-Paste Check
If you're still unsure, copy the link and paste it into a notepad:
Display Text: https://www.binance.com/login
Real Link: https://binance-us-secure.xyz/login?redirect=binance.com
In a notepad, the full URL is clear, and the true identity of the phishing link is revealed.
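The same comparison done programmatically, as an added example that is not part of the original page: it pulls every link out of an HTML email body and checks the real destination host against binance.com, flagging links whose visible text names a different host. The names `audit_links` and `is_binance_host` and the sample body are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def is_binance_host(host):  # binance.com itself or a host ending in .binance.com
    host = (host or "").lower().rstrip(".")
    return host.isascii() and (host == "binance.com" or host.endswith(".binance.com"))

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def audit_links(html_body):
    """Return [(href, [problems])]; an empty problem list means the link passed."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for text, href in collector.links:
        target = urlsplit(href)
        problems = []
        if target.scheme != "https":
            problems.append("not https")
        if not is_binance_host(target.hostname):
            problems.append("real host is %s" % target.hostname)
        if text.lower().startswith("http") and urlsplit(text).hostname != target.hostname:
            problems.append("visible text names a different host")
        findings.append((href, problems))
    return findings

# Constructed email body using the link examples from this page.
SAMPLE_BODY = (
    '<a href="https://binance-us-secure.xyz/login?redirect=binance.com">'
    'https://www.binance.com/login</a>'
    '<a href="https://binance.com.fake-domain.io/verify">Verify now</a>'
    '<a href="https://accounts.binance.com/en/login">Log in</a>'
)

if __name__ == "__main__":
    print(audit_links(SAMPLE_BODY))
```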
Full Comparison: Real vs. Phishing Emails
| Point of Identification | Real Email | Phishing Email |
|---|---|---|
| Anti-Phishing Code | Displayed accurately | Missing / Wrong / Generic text |
| Sender Domain | @binance.com or subdomains | @binance-xx.com or other forgeries |
| Link Hover | All point to binance.com | Redirects to unfamiliar/niche domains |
| Language Quality | Fluent | Often shows obvious signs of machine translation |
| Salutation | Your registered nickname | "Dear user" / "Dear customer" |
| Urgent Tone | None, objective statement | High, urging action within 24 hours |
| Attachments | Almost never included | Often includes .zip / .html / .pdf |
| Legal Footer | Complete | Missing or nonsensical |
| Unsubscribe Link | Real and functional | Also points to a phishing site |
Common Phishing Email Tactics
A: Phishing is essentially a social engineering attack, revolving around the themes of "Fear" and "Greed." Recognizing these patterns helps you stay calm.
Fear-Based Tactics
- "Your account has an abnormal login; please click to verify immediately to avoid freezing."
- "You have initiated a withdrawal of 5 BTC, executing in 10 minutes. If this wasn't you, click to cancel."
- "Due to new regulations, please re-complete KYC within 48 hours, or your account will be permanently closed."
- "Detected a leak of your API key, please reset immediately."
- "Your 2FA has been reset, please confirm if this was your action."
Greed-Based Tactics
- "Congratulations! You have been selected for a BNB airdrop. Click to claim 1000 USDT."
- "Binance Launchpool spot, limited to 24 hours. Sign up now."
- "Your account received a VIP upgrade compensation. Click to claim."
- "Launchpad early subscription channel is open for you. Click to enter."
Authority-Based Tactics
- "The Binance Legal Department notifies you to cooperate with an AML investigation."
- "The Binance Compliance Department requires you to provide proof of funds."
- "Our CEO invites you to a private session."
Regardless of the tactic, stay calm, verify first, act later. No real issue will ruin your account just because you handled it 30 minutes later.
The Most Secure Method: Reverse Channel Verification
A: The most fool-proof approach is to "never click anything in the email and manually open the official Binance website yourself." This habit is more reliable than any identification skill.
Reverse Channel Steps
- Receive an email; regardless of its authenticity, close it.
- Open your browser and manually type binance.com or use a bookmark you previously saved.
- Log into your account.
- Go to the "Notification Center" / "In-mail" / "Security Center."
- See if there is a corresponding real notification.
If the internal Binance message contains the same content = Real; if not = Fake, delete the email immediately.
Advantages of This Approach
- No need to distinguish anti-phishing codes, domains, or links (it doesn't matter if any of these are bypassed).
- You won't be tricked into giving login credentials to a phishing site.
- Even if the email is real, entering Binance through your own path is safer than clicking a link in an email.
- Once the habit is formed, you never have to wonder "is this email real?" again.
Attachment Traps
A: Official Binance emails almost never include attachments. Be highly vigilant of any "Binance email" containing .zip, .exe, .html, or .pdf attachments.
Common Attachment Disguises
- Binance_Security_Update.exe: A direct Trojan
- Account_Verification.html: Opens a local phishing page
- Receipt.pdf.exe: Double extension deception
- KYC_Form.zip: Contains a malicious document after extraction
- Tax_Statement.docm: A Word document containing macros
Real Scenarios for Attachments
- Support might attach a PDF legal document when replying to a ticket—but they will explain this in the ticket first, not just send it via email.
- Some bills or monthly statements might be attached as PDFs—usually without sensitive action requests.
- There are almost no other scenarios.
If you receive an email that shouldn't have an attachment but does, delete it immediately.
FAQ
Q: What should I do after identifying a phishing email?
A: Four things: (1) Do not click any links, do not reply, and do not open attachments; (2) Mark it as "Spam" or "Phishing" in your inbox to help train filters; (3) Forward it to the official Binance anti-phishing email report@binance.com, including the full email headers (not a screenshot, the original email); (4) Delete the email.
Q: Can a fake email come from a Binance support address I already know?
A: Yes. Attackers can spoof a leaked support email address as the displayed sender, but the actual sending server isn't Binance's. Check the Received-SPF, Authentication-Results fields in the email header—real emails will pass these checks (SPF=pass, DKIM=pass, DMARC=pass), while fake ones often fail.
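The header check described in this answer, as an added example (not from the original page): it reads the SPF, DKIM and DMARC results from the Authentication-Results header of a raw message. The message, the receiving server name `mx.example.net` and the function name `auth_verdict` are constructed assumptions; only the header written by your own mail provider is counted.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message: forged From: address; the receiver (mx.example.net) recorded
# failures, and the sender pre-added its own header claiming everything passed.
RAW_SPOOFED = """\
Authentication-Results: mx.example.net;
 spf=softfail smtp.mailfrom=bounce@mailer.invalid;
 dkim=none;
 dmarc=fail header.from=binance.com
Authentication-Results: relay.sender.invalid; spf=pass; dkim=pass; dmarc=pass
From: Binance Support <support@binance.com>
Subject: Account notice

(body omitted)
"""

def auth_verdict(raw_message, trusted_authserv):
    """Read SPF/DKIM/DMARC results recorded by the receiving server named trusted_authserv."""
    msg = message_from_string(raw_message)
    results = {"spf": None, "dkim": None, "dmarc": None}
    for header in msg.get_all("Authentication-Results", []):
        value = " ".join(str(header).split())        # unfold continuation lines
        authserv, _, rest = value.partition(";")
        ids = authserv.split()
        # Skip headers not stamped by your own provider: a sender can insert one too.
        if not ids or ids[0].lower() != trusted_authserv.lower():
            continue
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest, re.I):
            if results[method.lower()] is None:      # keep the first result per method
                results[method.lower()] = result.lower()
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    all_pass = all(results[m] == "pass" for m in results)
    return {"from_domain": from_domain, "results": results, "all_pass": all_pass}

if __name__ == "__main__":
    print(auth_verdict(RAW_SPOOFED, "mx.example.net"))
```

The visible sender is support@binance.com, yet the receiver's own results are softfail, none and fail, so the message does not pass.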
Q: How do I view full email headers on a mobile app?
A: It's difficult on the iPhone Mail app; it's recommended to forward suspicious emails to a PC client to check. In the Gmail mobile app, tap the three dots in the top right → "View original" to see the full header. In the Outlook mobile app, tap the small arrow next to the subject to expand.
Q: Will Binance contact me via SMS or phone?
A: Yes, but only for: (1) Verification code SMS (requested by you); (2) Support calling you back after you submit a ticket (rare, mostly for VIPs). Binance will never proactively send SMS links for you to click, nor will they proactively call to ask for passwords or verification codes. Any "support" reaching out proactively is a scammer.
Q: Is it safer to use a dedicated "crypto email"?
A: Yes. It is recommended to register a separate, independent email for Binance and other exchanges (e.g., mybnb.crypto@gmail.com), and not mix it with your work or personal email. Do not use this email to register for any other websites or disclose it on social media. This way, if you receive an email claiming to be from Binance in this dedicated inbox, it's more likely to be real.
Q: Binance never asked me to set an anti-phishing code. Does this feature really exist?
A: Yes, but you need to enable it manually. Binance does not force the anti-phishing code by default (except where required by local regulations), so you must go to "Security" → "Anti-Phishing Code" to set it up. Once enabled, all official emails will include it; if not enabled, its absence is normal, and in this state you must rely on the "Sender Domain + Link Hover" double verification.
Q: Can I "play" with the scammers after identifying a phishing email?
A: Not recommended. Any interaction with the attacker marks your email as "active," leading to more phishing attempts in the future. The best approach is "cold treatment": Report + Delete + Do not respond. Your energy is better spent securing your own account.