How to Spot Fake Exchange Apps and Phishing Sites

He Yu · Updated June 20, 2026 · About 9 min read

[Image: Two near-identical exchange login pages side by side, one real and one fake, with a magnifier comparing the tiny difference in the domain]
Caption: Real and fake pages often differ by a single letter; slow down for a second to check and you save yourself a loss.

Scammers target crypto beginners not because you know a lot, but precisely because you have just started and can't tell real from fake. Fake official sites, fake support, fake airdrops, copycat apps: almost every newcomer runs into these. What they have in common: the more convincing they look, the more dangerous they are. This piece skips the lectures and gives you a checking method you can use right away. Run any page that wants you to log in, enter a password, or connect a wallet through it, and you'll block the vast majority of scams.

01 How scammers scam: the four most common playbooks

Know your opponent first. Scams aimed at beginners never stray from these four types:

  • Fake official site (phishing site): a login page almost identical to the real exchange, with you lured there via search ads, links dropped in groups, or texts and emails. The moment you enter your username and password, the info goes to the scammer.
  • Copycat app: a fake app spread through non-official channels, with the icon and name closely imitated. Install it and, as you use it, your login info, even your assets, can vanish.
  • Fake support: they add you proactively, say your account is abnormal, needs verification, or has a suspicious transaction to handle, and steer you to a fake page or trick you into giving up your password, verification code, or seed phrase.
  • Fake airdrop / fake event: it claims free coins, high returns, limited time, luring you to connect your wallet and approve, or to enter your seed phrase, and in fact moves your assets away.

The core of all four is one thing: getting you to hand over the key or info yourself. What scammers fear most is that you'll stop and check, so they all love creating urgency: "the deadline is right now," "act or your account gets frozen." If you see anything pushing you to act fast, crank your guard to the max.

Tip

Burn one sentence into your mind: the genuine exchange never reaches out to you first, never rushes you, and never asks for your password, seed phrase, or verification code. This one line filters out more than 90% of scams. The ones made especially convincing you catch with the domain check below.

02 Check the domain: a phishing site's weak point

A phishing site can copy a page's looks to the pixel, but there's one thing it can't fake: the domain (that is, the web address). This is your most reliable point of judgment, so learn to read it.

To check the domain, look at these places:

  1. Read the main domain letter by letter. Scammers commonly use look-alike characters, swapping the letter o for the number 0, an i for an l, adding a hyphen in the middle, or one extra word. At a glance it looks the same; only a close look reveals it's off. Memorize the official domain and compare every time before entering the site.
  2. Don't rely on the "lock" icon alone. A lock (https) in the address bar only means the connection is encrypted, not that the site is real; phishing sites can have a lock too. The lock isn't safety; whether the domain is right is the key.
  3. Beware the ad slots at the top of search results. When you search an exchange's name, the top result is sometimes a paid ad, possibly bought by a scammer to host a fake site. Don't reflexively click the first one; lock onto the official domain you already know.
  4. The safest method: type the address yourself. Don't click any forwarded link, QR code, or address in a text; type the official site address into the bar yourself, letter by letter, or use a bookmark you previously verified by hand.
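
The checks in the list above, as an added example (not from the original article): a Python sketch that compares a link's hostname against the official domain you memorized. `goodcoin.example` and every sample URL are constructed placeholders; the look-alike folding covers only the swaps named above, and the subdomain and `@` cases extend the same idea.

```python
from urllib.parse import urlsplit

# Constructed placeholder: substitute the official domain you verified by hand.
OFFICIAL = "goodcoin.example"

# Look-alike swaps named in the list above, folded to one canonical letter.
CONFUSABLE = str.maketrans({"0": "o", "i": "l"})


def skeleton(label: str) -> str:
    """Fold look-alike characters and drop hyphens so near-copies collide."""
    return label.lower().translate(CONFUSABLE).replace("-", "")


def check_url(url: str, official: str = OFFICIAL) -> str:
    """Return 'official', 'lookalike', 'unrelated' or 'invalid' for a link."""
    try:
        # hostname drops any "user@" prefix and the port, and is lowercased.
        host = (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:
        return "invalid"
    if not host:
        return "invalid"
    # Only the exact domain or a true subdomain of it counts as official.
    # The scheme is ignored on purpose: https says nothing about ownership.
    if host == official or host.endswith("." + official):
        return "official"
    brand = skeleton(official.split(".")[0])
    if any(brand in skeleton(label) for label in host.split(".")):
        return "lookalike"  # imitates the brand name but is a different domain
    return "unrelated"


# Constructed sample links covering the tricks described above.
SAMPLES = [
    "https://www.goodcoin.example/login",        # real
    "https://g00dcoin.example/login",            # o -> 0
    "https://goodcoln.example/login",            # i -> l
    "https://good-coin.example/login",           # added hyphen
    "https://goodcoin-bonus.example/login",      # one extra word
    "https://goodcoin.example.evil.test/login",  # brand as a subdomain
    "https://goodcoin.example@evil.test/login",  # brand before an "@"
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{check_url(link):10} {link}")
```

Treat every verdict other than `official` as untrusted; `unrelated` only means the host does not imitate the name, not that it is safe.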

Binance has dedicated guidance on account security and recognizing phishing too, worth reading alongside: Binance Help Center. For a neutral primer on phishing attacks, Investopedia's phishing entry is worth a look.

[Image: A magnified browser address bar comparing the real domain against a fake one with one extra hyphen, character by character]
Caption: The address bar is where the truth lives; looks can be copied, the domain can't.

Don't fall for it

The most dangerous moment is when you've entered your username and password on a fake page and, out of habit, also filled in the two-factor code. That's like handing over the door key and the safe at once. So build the habit: on any page asking you to log in, check the domain first, confirm it's correct, and only then enter anything. This step takes two seconds but blocks the entire phishing category.

03 Download apps only from official channels

Fake apps are another disaster zone. Install the wrong app and you've invited the scammer into your phone. Download only from two sources:

  • Your phone's built-in official app store. Searching and installing from the system app store is relatively the safest, but don't let your guard down after downloading: glance at whether the developer name is legitimate and whether the reviews look off.
  • The download page on the official site. Type the official domain yourself (back to the check method in the last section), enter the download page within the official site, and download there. Binance has a dedicated download entry, the official Binance download page; go there only after confirming the official domain.

Conversely, doubt all these sources first:

  • installers or download links someone sends you in a group or private chat;
  • downloading by scanning a QR code of unknown origin;
  • "update packages" or "exclusive editions" attached in texts and emails;
  • download entries that manufacture scarcity, claiming "official limited supply" or "beta access."

Remember: a legitimate app doesn't need back doors. Anything that bypasses the official store and site, handed to you by someone, is suspect by default.

04 How to see through fake support and fake airdrops

These two rely on social engineering, attacking not your tech but your emotions.

Fake support's typical script: they add you proactively, claim to be official support / the security team, say your account had an abnormal login, has a suspicious transaction, and needs immediate verification or it'll be frozen. Then they step by step steer you to log in on a fake page, or directly ask for your password, verification code, or seed phrase, and some even tell you to "move your funds to a safe account."

To see through it, just remember: official support is something you go to, never something that comes to you. The real exchange won't message you, won't ask for your password, seed phrase, or verification code, and certainly won't have you transfer money. The moment the other side trips any of these, judge them a scammer, no hesitation. To verify your account, go to the help center or live support from the official site yourself, and don't follow any link they give you.

Fake airdrop's typical script: it tells you there are free coins to claim, high returns, limited time, lures you to connect your wallet and "approve," or to enter your seed phrase to "verify identity" for the reward. The result is the approval gets abused, or the seed phrase leaks, and the assets are swept clean.

The safety principle for airdrops: no event should ask you to hand over your seed phrase; before connecting your wallet and approving, see clearly what permissions you're granting; when unsure, don't join. Missing a suspicious airdrop costs zero; getting greedy over a suspicious one can cost everything. For why a seed phrase must never be handed over, see what are a seed phrase and a private key.

Note

Scammers are expert at exploiting two emotions, greed and fear: high returns to hook your greed, account freezing to scare you. The moment you find yourself being rushed, frightened, or tempted by a pie in the sky to act fast, that itself is the strongest warning sign. Stop, take a breath, and verify yourself through official channels. Slow is what's safe.

05 The last line of defense before you get hit

Even if you miss everything above, a few baseline habits can catch you:

  1. Never leak your seed phrase. Any scenario asking you to enter the seed phrase is a scam, no exceptions.
  2. Turn on two-factor authentication (2FA). Add 2FA to your exchange account and even if your password leaks, it's hard for someone to log in directly. For how to set it up, see the security setup to do after opening an account.
  3. Re-check before any large action. For "execute and it's hard to reverse" actions like transfers, withdrawals, and approvals, recheck the address, domain, and recipient once more before executing.
  4. When unsure, stop. All scams fear you stopping. At the slightest sense that something is off, stop first, check first, then act.

To give yourself a systematic scam-prevention checkup, run through our scam self-check tool, going point by point through common scam signals, and you'll know where you stand. With security, don't fear the hassle; fear only the urge to take shortcuts.

FAQ

How do I confirm the exchange app I downloaded is real?

Get the app from only two sources: one, your phone's built-in official app store; two, the download page on the official site, reached after you manually type the official domain. After downloading, don't rush to log in; first check the developer name and whether the installer source is legitimate. Any installer someone sends you via a link, a QR code, or chat should be doubted first. The safest approach is to type the official site address yourself, letter by letter, and never click a forwarded link.

Support added me proactively saying my account has an issue. Is it real?

A legitimate exchange's support won't message you out of the blue, won't add you on social platforms, and certainly won't ask for your password, seed phrase, or verification code, or have you transfer money to verify. Anyone who reaches out first, creates a sense of urgency (claiming your account is frozen and needs immediate action), and ends up asking for money, a password, or a code is almost certainly a scammer. If it happens, stop, go to the help center or live support from the official site yourself to verify, and don't follow any link they give you.

Can I join an airdrop that promises high returns?

Be highly wary of airdrops promising high returns, zero risk, or a limited-time claim. The common playbook is to lure you into connecting your wallet and approving, or entering your seed phrase to claim a reward, with the result that your assets get moved away. The truly safe principle is: no event needs you to hand over your seed phrase, and before approving a wallet, see clearly what you're approving. When unsure, don't join: the cost of missing a suspicious event is zero, the cost of getting hit could be everything.

He Yu (Lao He) · Biqibu Editorial
I felt my own way into crypto years ago and tripped over identity verification, frozen cards, and sending to the wrong chain. These notes are what I wish someone had told me back then. "He Yu" is a pen name; see the about page.
Risk warning: Content is for educational reference only and is not investment advice. Crypto prices are highly volatile and you may lose your entire principal. Whether to take part, and how much to commit, is a decision to make based on your own risk tolerance, and always according to the current rules shown on each exchange's official pages.