Friday, April 24, 2026

What’s standing between your crypto and what a scammer actually looks like – CNBC TV18


As SIM-swap fraud and advanced phishing attacks rise in 2026, Binance urges users to enable key security features like passkeys, authenticator apps, and withdrawal whitelists to prevent account takeovers.

You set a password. Maybe you turned on SMS verification. That was three years ago. Since then, attacks have evolved. SIM-swap fraud is now routine. Phishing messages now appear in the same SMS thread as your Binance verification codes. Impersonation scams can run for days before the ask even comes.

The security features on your Binance account have kept pace with these changes. The question is whether you've turned them on. Most of the tools covered here take less than a minute to enable. They address two categories of threat: scams, where someone talks you into approving a transfer, and account takeovers, where an attacker gains access without your consent. Here's what to set up and why.

Start with your second factor. Make sure it's the right one.

SIM-swap attacks are among the most common account takeover methods in 2026, with SMS-based 2FA being particularly vulnerable. If an attacker tricks your telecom provider into transferring your phone number to a new SIM, they receive all your SMS verification codes. In India, where number porting is routine, the effort needed to execute such an attack is lower than many users realize.

The fix is straightforward: switch to an authenticator app. Binance supports its own Authenticator app as well as Google Authenticator. Both generate time-based codes on your device that can't be intercepted via a SIM swap. To set this up, go to your profile, open Account Info, tap Security, then enable the Authenticator App. You'll scan a QR code and enter a verification code, and you're done.

For an extra layer of security, consider enabling passkeys. They use cryptographic verification that's linked to your device and biometrics, so there's no code to intercept, no password to phish, and no SMS to spoof. Binance recommends passkeys as the preferred 2FA method in 2026, and you can set them up in under a minute right from the Security screen.

Set your Anti-Phishing Code. It takes 30 seconds and changes how you read every Binance message.

Phishing emails and fraudulent SMS messages are becoming harder to identify, especially since attackers can now insert fake messages into the same thread as legitimate Binance messages. This method, called smishing (a mix of SMS and phishing), works because your phone often groups messages from what seems like the same sender. For example, a fake alert about suspicious activity may appear right below a genuine verification code, and both messages look just as official, making it easy to be misled.

The Anti-Phishing Code is a simple countermeasure. In your security settings, create a 6- to 8-character code. From that point on, every genuine email and SMS from Binance will display it. If a message doesn't include it, or includes the wrong one, you know it's not from Binance. To set it up in the app: Profile, Account Info, Security, Anti-Phishing Code, Create. Enter your code, verify with 2FA, and it's active. On the website: Profile, Account, Security, scroll to Advanced Security, then click Enable next to Anti-Phishing Code.

Choose something you'll recognise instantly, but that isn't easy to guess. Update it periodically, just as you would a password.

Enable the Withdrawal Whitelist. It's the most underused feature in the entire security stack.

If an attacker bypasses your 2FA and gains access to your account, a withdrawal whitelist acts as a barrier to prevent funds from leaving. When enabled, your account can only withdraw to addresses you've authorised beforehand. Adding a new address to the whitelist initiates a suspension period before it becomes active, ensuring that even if your account is compromised, it can't be drained instantly to an unknown wallet.

This also neutralises a specific type of on-chain attack called address poisoning, where attackers seed your transaction history with lookalike addresses, hoping you'll copy the wrong one. If you're only withdrawing to whitelisted addresses, that trap is irrelevant.
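The two whitelist properties described above (the activation delay on new addresses and the protection against address poisoning), modelled as an added example that is not Binance's implementation. The 24-hour delay is an assumption, since the article does not give the length of the suspension period, and the addresses are constructed placeholders.

```python
from dataclasses import dataclass, field

ACTIVATION_DELAY = 24 * 3600  # assumed length; the article gives no figure

# Constructed placeholder addresses, not real wallets.
GOOD = "0x71c7" + "a" * 32 + "976f"
POISON = "0x71c7" + "b" * 32 + "976f"   # same first and last characters
OTHER = "0x1111" + "c" * 32 + "2222"


@dataclass
class Whitelist:
    entries: dict = field(default_factory=dict)  # address -> time it was added

    def add(self, address: str, now: int) -> None:
        self.entries[address] = now

    def check(self, address: str, now: int, head: int = 6, tail: int = 4) -> str:
        """Return 'allow', 'pending', 'lookalike' or 'deny' for a withdrawal."""
        added = self.entries.get(address)
        if added is not None:
            # Exact match: usable only once the activation delay has passed.
            return "allow" if now - added >= ACTIVATION_DELAY else "pending"
        # No exact match. Flag addresses that only resemble a trusted one,
        # which is what a poisoned transaction history contains.
        for known in self.entries:
            if known[:head] == address[:head] and known[-tail:] == address[-tail:]:
                return "lookalike"
        return "deny"


if __name__ == "__main__":
    wl = Whitelist()
    wl.add(GOOD, now=0)
    for label, addr, t in [("new entry", GOOD, 3600),
                           ("after delay", GOOD, ACTIVATION_DELAY),
                           ("poisoned copy", POISON, ACTIVATION_DELAY),
                           ("unknown", OTHER, ACTIVATION_DELAY)]:
        print(f"{label:14} -> {wl.check(addr, t)}")
```

Both "lookalike" and "deny" block the withdrawal; the separate label only shows that an exact-match check rejects an address a person comparing the first and last characters would accept.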

Binance also has its own safeguards. If you try to send funds to an address linked to scam activity, a warning may appear before confirmation, and in risky cases, withdrawals could be temporarily halted until the activity is verified. Pay close attention to these alerts. If you see one, stop, verify the address again, and think about whether someone may have pressured you into making the transfer.

To enable the whitelist: log in to the website, hover over your profile icon, click Settings, scroll to the Withdrawal section, and click Enable next to Withdrawal Whitelist. Verify with your passkey or 2FA. To add addresses, go to Address Management in the same section, click Add, label each address clearly, select the coin and network, check "Add Address to Whitelist," and save.

Check your devices. It takes 30 seconds a month and most users never do it.

Binance lets you review every device and session currently logged into your account. If you see something you don't recognise, whether it's an unfamiliar device, an unexpected location, or a session you didn't initiate, that's the clearest early sign that something has gone wrong.

Go to Security Settings, then Device Management, then Activity Log. Review the log. Remove anything unfamiliar. Change your password immediately if anything looks off. Make this a monthly habit. It costs nothing when everything is fine and can catch a serious problem before it becomes irreversible.

Use a dedicated email and a password you haven't used anywhere else.

Your email and password pose a security risk comparable to the threats mentioned earlier, even though neither directly involves Binance's infrastructure. The email you used to register is likely stored on multiple other platforms, including some you may have forgotten signing up for. When any of these services are compromised, your login details can be exposed. Using the same email and password for your exchange account means an attacker doesn't need to bypass Binance's security; they can simply enter through a vulnerability elsewhere.

Create an email address solely for your exchange account, paired with a strong, unique password stored in a password manager. This adds a layer of separation that makes a meaningful difference.

Use Binance Verify before trusting any contact claiming to represent the platform.

Impersonation scams typically follow a predictable pattern. An attacker contacts someone through social media, messaging apps, or email, pretending to be from Binance. They initially offer assistance with rebates, account upgrades, or verification. The conversation remains friendly for a while. Gradually, they direct the target to download a file, share screenshots of their account, scan a QR code, record a face video for "identity verification," or enable remote access. Each step provides the attacker with a way into the account. By the time the request feels suspicious, a relationship has been established, leading many users to comply.

Three signals tend to show up: the identity looks official but can't be verified through Binance's official channels; the interaction involves downloading compressed files or clicking unfamiliar links; and the attacker waits for a deposit before making their real move.

It's important to clarify that Binance employees will never reach out via unofficial channels to send files or compressed packages, ask you to click on unfamiliar links for rebates or upgrades, ask for screenshots of your assets or security settings, require you to scan QR codes to "verify" or "activate" anything, ask you to share a recovery phrase, or ask you to send funds to another address. If you encounter such a conversation, stop immediately and verify its authenticity.

Binance Verify is a free tool that requires no account and allows you to verify if a URL, email, phone number, Telegram handle, or social media account is legitimately connected to Binance. You can find it at www.binance.com/en/verify. Always check this resource before responding to any unsolicited messages. If the information does not match, consider the contact untrusted and discontinue any communication.

What to do if you've already been compromised.

If you think your account has been accessed without permission or you've interacted with a scammer, follow these steps. Stop all contact with the suspect. Do not follow further instructions, click on new links, or share screenshots with the scammer. Log in to Binance directly via the app or website, then check your balance, recent transactions, and withdrawal history. Immediately change your password and reset your 2FA. Review your device and session access, removing any unfamiliar devices or sessions. Run a malware scan on all devices that might have been compromised. Contact Binance Support through official channels and report the incident using the Case Report Form, which is available through Binance Support under Self Service.

If you're in India, you can also report the incident to law enforcement through cybercrime.gov.in, which handles online financial fraud complaints.

The ten-minute checklist.

The full list, start to finish, in the time it takes to set up a food delivery order. Everything above can be set up in a single sitting. Enable 2FA using the authenticator app, set up a passkey, and create your Anti-Phishing Code. Turn on the Withdrawal Whitelist and review your active devices. Use a unique password linked to a dedicated email. Bookmark Binance Verify for quick access. Familiarise yourself with the reporting procedures in case of issues. Completing these eight steps takes about ten minutes and significantly enhances your account security.
