Verify how you reached the page
Unexpected emails, texts, social posts, direct messages, sponsored search results, and QR codes can direct users to impersonation pages. The FTC warns that phishing messages often invent suspicious logins, account holds, payment problems, refunds, or urgent verification requests to trigger a click.
Use a bookmark created from a previously verified domain or type the known address yourself. Check every character in the registered domain, not only the logo, page title, padlock, or first word of a long URL.
Treat urgent account stories as a warning
Stop when a page or caller says funds must immediately move to a safe wallet, a tax or fee must be prepaid in crypto, a withdrawal needs another deposit, or support needs remote device access. These demands do not become legitimate because the person knows your email or transaction details.
Independently open the official account and check notifications there. Contact support only through the provider's verified app or website, not through a number or link supplied in the suspicious message.
Never hand over authentication secrets
A fake login may collect a password and then request a one-time code in real time. A caller may ask you to read a code, approve a login prompt, scan a setup QR code, install remote-control software, or share a screen.
Do not provide passwords, authenticator codes, recovery codes, seed phrases, private keys, or card security codes. A wallet seed phrase is not an exchange support credential. Anyone who obtains it may control the wallet.
Respond after a suspicious interaction
If you only received the message, report and delete it. If you entered information, use a clean device and the verified services to change affected passwords, secure email, revoke sessions and API keys, review withdrawal settings, and contact official support.
If malware may have been installed, disconnect the affected device as appropriate, update security software, run a scan, and avoid using it for account recovery until it is trusted. Preserve URLs, messages, timestamps, transaction IDs, and case numbers for reports.
- Do not send another payment
- Secure email before resetting the exchange account
- Revoke unknown sessions and API keys
- Freeze activity if the official provider offers that control
- Report impersonation to the provider and relevant authority
- Ignore unsolicited recovery offers
Common questions
Frequently asked questions
Does HTTPS mean a crypto exchange website is genuine?
No. HTTPS protects the connection to a domain but does not prove the domain belongs to the exchange. Verify the complete registered domain and how you obtained it.
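The check described in this answer, and in the earlier advice to compare every character of the registered domain, can be written as a comparison against the address you already verified. This is an added example, not code from any exchange or from the sources this page cites; `VERIFIED_DOMAIN`, `checkLink`, `charDiff` and the sample URLs are constructed placeholders.

```javascript
// Added example. VERIFIED_DOMAIN is an assumption: use the domain from your own verified bookmark.
const VERIFIED_DOMAIN = "exchange.example";

// Number of differing characters between equal-length names, else Infinity.
function charDiff(a, b) {
  if (a.length !== b.length) return Infinity;
  let n = 0;
  for (let i = 0; i < a.length; i++) if (a[i] !== b[i]) n++;
  return n;
}

// Judge a link by its hostname only; logo, page title and padlock play no part.
function checkLink(rawUrl, verified = VERIFIED_DOMAIN) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG parser, the same rules a browser applies
  } catch {
    return { ok: false, host: null, reason: "unparseable" };
  }
  const host = url.hostname.replace(/\.$/, ""); // parser lower-cases; drop a root dot
  if (url.protocol !== "https:") return { ok: false, host, reason: "not-https" };
  // Exact name or a true subdomain. The leading "." stops suffix look-alikes.
  if (host === verified || host.endsWith("." + verified)) {
    return { ok: true, host, reason: "verified" };
  }
  // HTTPS is present from here on, yet the domain is still someone else's.
  if (host.includes(verified)) return { ok: false, host, reason: "name-embedded-in-other-domain" };
  const d = charDiff(host, verified);
  if (d <= 2) return { ok: false, host, reason: `differs-by-${d}-char` };
  return { ok: false, host, reason: "different-domain" };
}

// Constructed sample links, not real sites.
const SAMPLES = [
  "https://exchange.example/login",
  "https://www.exchange.example/login",
  "https://exchange.example.account-review.example/login",
  "https://notexchange.example/login",
  "https://exchanqe.example/login",
  "http://exchange.example/login",
];

function checkSamples() {
  return SAMPLES.map((u) => ({ url: u, ...checkLink(u) }));
}

for (const r of checkSamples()) console.log(r.ok ? "OK  " : "STOP", r.reason, r.url);
```

Only the first two samples pass. The third and fourth begin with or contain the verified name and load over HTTPS, but the hostname ends in a different domain.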
Will exchange support ask for my 2FA code or seed phrase?
Do not disclose either. A one-time code can authorize account access, and a seed phrase can control a wallet. Use only the provider's official support flow.
What should I do after logging into a fake exchange page?
From a clean device, secure email and the real exchange account, change exposed passwords, revoke sessions and API keys, inspect withdrawal settings and activity, and contact official support.
Primary references
Official sources checked
These official pages were reviewed on June 15, 2026. Exchange policies can change, so open the source before acting.