The whole trick here is to put a scary line in front of you at the moment you're least on guard: "Suspicious login on your account, verify immediately," "A withdrawal request was submitted — if this wasn't you, tap here to cancel." Your stomach drops, and your finger taps before your brain weighs in. It doesn't need to hack your account; it just needs you, in the panic, to hand the keys over yourself. By the end of this piece, you'll know why it works and the one rule that blocks nearly all of these messages.
- The sender number, sender email, and the text shown on a link can all be spoofed — looking at "who it's from" is meaningless.
- One hard rule is enough: don't click any link in a text or email; to check your account, type the official domain yourself or open the official app.
- Real platforms don't send a link by text or email pushing you to log in or verify your identity; anything that does, treat as phishing by default.
A few of the lines it loves to use
Log these as teaching examples, so that next time you get something similar, your first thought is "here we go again." They almost all keep the same beat: manufacture an emergency — "something's wrong with your account" — then force you to deal with it right now.
This is what phishing texts / emails typically look like
- "We detected an unusual login from a new location on your account. For your security, click the link to verify your identity immediately."
- "Your KYC verification is about to expire. Please re-verify within 24 hours or your account will be frozen."
- "You have a withdrawal request being processed. If this wasn't you, tap here to cancel it immediately."
- "System upgrade: your account needs to be reactivated. Complete verification via the link below to restore access."
See the common thread? They all say something's wrong with your account, all hand you a link, all rush you to act now. The "if this wasn't you, tap here to cancel" one is especially insidious: it casts you in the role of "victim," and the harder you scramble to "protect your money," the more obediently you walk into the trap.
What it's actually after
The text or email itself doesn't steal money. It's just a "guide," steering you to the next step where you hand over the keys. Two common destinations:
First, it steers you to a cloned fake site. The page the link opens looks identical to the real exchange; you type your username and password, and that info streams straight into the scammer's back end. Then the page prompts, "To complete verification, enter your SMS / authenticator code," you fill it in, and the code is relayed away in real time. The scammer uses the whole set to log into the real site and withdraw. The phishing text is just the hand that delivers you to the fake site's door — for how the fake site itself does the rest, see cloned phishing sites & fake exchanges.
Second, it tricks you into "contacting support." Some emails don't give a login link; they leave a "support phone number / support Telegram" with "click here if you have a problem." The moment you reach out, you're talking to fake support, who walks you step by step into a transfer or handing over a code. For how that thread ends, see fake support & "account unfreeze" scams.
How to spot it: four tells
However well it's done, if you calm down and run through these, the tells are hard to hide completely:
| Tell | How it usually shows up | How to read it |
|---|---|---|
| Sender is spoofable | The number / email looks official; a spoofed text may even fold itself into the official thread | No matter who it shows as the sender, never treat that as proof |
| The link domain is wrong | It displays the official site but actually jumps to a look-alike or extra-word fake domain | Displayed text ≠ real address; just don't click and you don't have to puzzle over it |
| Manufactured urgency and fear | "Within 24 hours," "account frozen if expired," "immediately," "cancel if not you" | The more it rushes you, the more you should stop — the urgency itself is the biggest alarm |
| Generic greeting | "Dear user," "Dear customer," never your specific identity | Mass phishing usually doesn't know who you are, so it can only bluff with a generic greeting |
Note: the above is a summary of common techniques, for teaching you to recognize them, not aimed at any specific platform. To check whether a domain is official, use our official domain checker.
One hard rule that blocks it at the root
Memorizing and judging those four tells one by one is honestly a bit tiring, and scammers keep polishing the details. The good news is you don't need to become an expert eye — hold one rule and this scam's "guiding" simply fails:
Don't click any link in a text or email
No matter who it shows as the sender or how urgent it sounds, don't click the link in the message. If you're genuinely worried about your account, type the official domain yourself to enter the site, or open the official app you installed earlier and use your saved bookmark, and look inside for any real notification. Enter from a clean door and you'll see the truth; however good the scammer's link looks, it can't touch you.
The beauty of this rule is that it doesn't care about the setting: no matter how the wording shifts, how cleverly the domain is disguised, or how much urgency is built up, as long as you stick to "never click links in messages — to check, I go in myself," it can't steer you to the fake site in the first place. Fix your way in (bookmark + official app) and you don't have to out-think the scammer every time.
- Once you've confirmed your exchange's official domain the first time, save it as a bookmark, and afterward only enter via the bookmark or the official app.
- When you get an "account anomaly / KYC expiring / withdrawal pending" message, don't click the link; go in yourself to verify.
- Any page asking you to enter your wallet seed phrase or private key is a scam, flat out — an exchange never asks for these.
- Turn on authenticator 2FA and a withdrawal address whitelist, so even if your password leaks, there's another line of defense.
Why real platforms won't contact you this way
A lot of people hesitate: "What if this one really is from the official side and I miss something by not clicking?" You can set that worry down completely — real exchanges basically won't send a link by text or email pushing you to click in to log in, verify your identity, or handle an urgent anomaly.
The reason is simple: they know phishing is everywhere, and proactively sending users clickable login / verification links would only train them into the bad habit of "see a link, click it," which makes impersonation easier. So when there's genuinely something for you to handle, the real platform's approach is to have you go to the official site or app yourself and view and act on it in the in-platform notifications. In other words, treat any message that carries a link and rushes you to click in and log in or verify as phishing, and you'll almost never wrongly flag a real one — because real ones simply don't look like that.
The one-line rule
To judge this kind of message, ignore who it shows as the sender and how urgent it is; ask one thing: is it getting me to click a link and then log in or hand over a code? If yes, treat it as phishing, close the message, and go in yourself to verify.
Already clicked and entered something — do this now
If you've already clicked the link and even entered your username, password, or a code, don't beat yourself up — speed matters more than anything. Move in order:
Go to the real site yourself and change passwords
Enter your real account via your bookmark or by typing the official domain (confirm the domain is correct), and immediately change your login and funds passwords.
Kick out unknown devices, revoke API keys
In security settings, review logged-in devices and sessions, kick out every device you don't recognize, and revoke any suspicious API keys.
Check the withdrawal whitelist and 2FA
See whether an unfamiliar address was added to the withdrawal whitelist, or your 2FA was re-bound. If so, revoke and reset immediately.
Move assets, report to the platform
If needed, move assets to an address you fully control as soon as you can, and report the anomaly through the in-platform official support (not the "support" in the text).
Preserve evidence, consider reporting
Screenshot the text / email, the link domain, and your action history. In the US you can forward the phishing text to 7726 (SPAM) and report to the FBI's IC3 (ic3.gov) and FTC; in the UK, to Action Fraud. For the full loss-stopping, evidence, and reporting steps, see what to do after you've been scammed.
Another doorway on the same path: the fake app
Some phishing texts don't ask you to log into a webpage; they tell you to "download the new version of the app," and what installs is a cloned look-alike. For how to spot it, see cloned apps (fake OKX / fake Binance).
FAQ
The text shows the exchange's official number — can I trust it?
No. A text's sender number and an email's sender address can both be spoofed, and a spoofed text can even fold itself into the same thread as your past real messages from the company, looking seamless. A matching number or sender is no proof at all. Judge by what it asks you to do and where the link points, not by who it shows as the sender. In the US you can forward a suspicious text to 7726 (SPAM) to flag it to your carrier.
The link looks like the official address — surely it's safe to click?
The text shown in a message and the address a link actually goes to can be completely different — the screen says the official site, but tapping it lands you on a cloned fake one. The safest move is to not click any link in a message; to check your account, type the official domain yourself, or open the official app you installed earlier and use a saved bookmark. Never enter the site via a link in a message.
Will a real exchange send a link by text or email for me to log in and verify?
Basically not. Real platforms don't send a link by text or email pushing you to click in to log in, verify your identity, or handle an urgent anomaly. If there's genuinely something to handle, they have you go to the official site or app yourself and view the notification in-platform. So any message with a link that rushes you to click in and log in or verify should be treated as phishing by default, regardless of who it shows as the sender.
I already clicked the link and entered my username and password — what now?
Move fast. Go to the real official site or app yourself and change your login and funds passwords; in security settings revoke every unknown device and any suspicious API keys; check whether the withdrawal whitelist and 2FA were changed, and reset them if so; if needed, move assets to an address you fully control, and report through in-platform official support. If you also entered an SMS or authenticator code, act even faster — scammers usually try to log in and withdraw right after getting a code. In the US, report to IC3 (ic3.gov).
Don't let one text decide which door you walk into your exchange through
Phishing texts and emails land almost entirely because someone, in a panic, taps the link they're handed. The least stressful defense is to use a major, regulated exchange through its official sign-up route from the start, save the official domain as a bookmark, install the official app, and from then on — whatever message arrives — only ever enter through your own clean door. OKX is one mainstream exchange; you can reach it through the official route below, and its official domain is okx.com.
Read next
- Cloned phishing sites & fake exchanges — at the end of a phishing link is usually a fake site identical to the real one.
- Fake support & "account unfreeze" scams — some phishing emails skip the link and have you "contact support," where a scammer takes over.
- Cloned apps (fake OKX / fake Binance) — a "download the new app" text often installs a cloned look-alike.