Lumen is an independent third-party information site, not affiliated with Binance. Register with invite code BN1606 for a 20% trading-fee discount on Binance; exchange links on this site are referral links and don't add any cost to you.

How to Spot Fake Exchange Apps and Fake Support
5 Self-Checks You Can Each Do in 30 Seconds

Scammers rarely mug you head-on. They prefer to build a skin: an app that looks exactly like the official one, a website whose domain is off by a single letter, a "support agent" with the exchange's logo for an avatar. You think you're dealing with the real company; in truth you walked into someone's setup at step one.

The good news is that however convincing the skin, it doesn't survive a few simple checks. Each of the five below takes you about 30 seconds, and once you've done them you're on solid ground. You don't need to be technical — you just need one habit: verify first, act second.

Burn these in (the full piece makes them stick)
  • Support never contacts you first. Anyone who adds you, DMs you, or calls you as "support" is almost always fake.
  • No support agent ever asks for a code, password, or seed phrase. The moment they do, hang up.
  • Install apps only from the official entrance or app store — never click links people send, scan unfamiliar QR codes, or install off-platform packages.
  • When checking a domain, look at the root domain — don't be fooled by prefixes and look-alike letters.

Check 1: Verify the official domain — and look at the right spot

The most common fake-site trick is to make the domain "look the same" as the real one. They'll add a prefix to the front, swap the letter l for the digit 1, spell binance as blnance or binnance, or use a completely different suffix. Internationalized "homograph" domains take it further, using letters from other alphabets that render identically. These slip past easily when you're in a hurry.

The key is to read the actual root domain: the name and suffix sitting immediately to the left of the first single slash / in the address bar. Anything further left, separated from it by a dot, is only a subdomain. For example, in binance.com/login the root domain is binance.com; but in binance.secure-login.com the real root domain is secure-login.com, and the binance in front is just a subdomain there to fool your eye.

Scammers' favorite domain variants
Adding a prefix, like app-binance.xxx.com; swapping letters, 1 for l or 0 for o; swapping the suffix, .com for .cc, .top, .vip, and the like. See any of these and don't type a single credential.

The steadiest approach isn't eyeballing it every time — it's bookmarking the official URL and only ever entering through the bookmark. Top search results are sometimes paid ad slots, not necessarily official, which we get into below.
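
The root-domain check from this section, written out as code. This is an added example, not part of the original article; the allow-list, the small suffix table and the verdict names are assumptions made for the demonstration, and a production check would use the full Public Suffix List.

```python
import re
from urllib.parse import urlsplit

OFFICIAL = {"binance.com"}            # assumption: the root domain you bookmarked
MULTI_SUFFIXES = {"co.uk", "com.au"}  # demo subset; real code needs the Public Suffix List
CONFUSABLE = str.maketrans({"1": "l", "i": "l", "0": "o"})  # look-alikes named in the text


def hostname(url: str) -> str:
    """Host part of a URL; a bare 'binance.com/login' is accepted too."""
    parts = urlsplit(url if "://" in url else "//" + url)
    return (parts.hostname or "").rstrip(".")


def root_domain(host: str) -> str:
    """Rightmost labels of the host: name plus suffix."""
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_SUFFIXES else 2
    return ".".join(labels[-keep:])


def skeleton(name: str) -> str:
    """Fold look-alike characters and doubled letters (blnance, binnance)."""
    return re.sub(r"(.)\1+", r"\1", name.translate(CONFUSABLE))


def classify(url: str) -> str:
    host = hostname(url)
    root = root_domain(host)
    if root in OFFICIAL:
        return "official"
    if not host.isascii() or "xn--" in host:
        return "idn"                  # letters from another alphabet: not the bookmark
    name = root.split(".")[0]
    for good in OFFICIAL:
        brand = good.split(".")[0]
        if name == brand:
            return "suffix-swap"      # binance.top, binance.cc
        if skeleton(name) == skeleton(brand):
            return "look-alike"       # blnance.com, b1nance.com
        if brand in host:
            return "prefix-trick"     # binance.secure-login.com
    return "unrelated"
```

Only the verdict "official" means the address matches the bookmarked root domain; every other verdict is a reason to stop before typing a credential.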

Check 2: Look at the "developer" in the app store

Many people download an app by name and icon alone — which is exactly the gap counterfeit apps exploit: the name can be identical, the icon nearly indistinguishable. But one piece of information is hard to fake: the developer name.

In the Apple App Store or Google Play, open the app's detail page and scroll down to the "developer," "seller," or "provider" field. A legitimate exchange's app shows the corresponding company entity there — not some throwaway personal name or unfamiliar company. If the developer is a totally unrelated name with no traceable background, the app is most likely a problem. Don't install it.

The 30-second version
Before downloading, check three things: whether the developer name matches the exchange's company; whether the download count and number of ratings fit a global exchange's scale (counterfeit apps usually have sparse reviews); and whether the update history looks normal. All three check out — then install.

Check 3: Realize support will never reach out to you "first"

Memorize this one for life: legitimate exchange support only appears when you initiate a question from the official app or site — it never turns around and contacts you.

So anyone who adds you on a messaging app, DMs you, calls you, or pulls you into a "VIP service group" as "support" — no matter how official the avatar's logo, how professional the tone — you can mentally tag as fake right away. Real support doesn't have your contact details, and has no reason to chase you down. The same rule holds at Coinbase, Kraken, or any reputable platform: they don't send you a private message. Impersonation of this kind is consistently among the top categories the FTC and FBI IC3 hear about, so it's a well-documented pattern, not a fringe one.

Editorial hands-on · 2026-05-23

We searched "Binance download" in a search engine, and the top few results marked "Ad" weren't on Binance's official root domain — they were a handful of clone sites with added prefixes or swapped suffixes. Clicking through, the pages looked a lot like the real site, and an "online support" window popped up to start a conversation, steering us toward leaving a phone number "to help activate the account." That's the textbook fake-site-plus-fake-support combo: intercept traffic with an ad slot, then reel you in with proactive support. We left no information and closed the page.

Check 4: Anyone asking for a code or seed phrase — stop immediately

A fake support agent's endgame is almost always to get you to surrender some key. The usual suspects: login password, withdrawal password, SMS code, the rotating code from your authenticator app, and the wallet's seed phrase and private key.

Remember one iron rule: real support, the real official side, will never ask you for these. A verification code exists to prove "the action was initiated by you" — read it aloud to someone else and you've personally helped them complete a login or transfer. The seed phrase is the ultimate key to your assets: whoever holds it can move every coin away, with no recovery mechanism whatsoever.

This one sentence blocks most scams
Anyone asking for a code, a password, or a seed phrase — whoever they claim to be — is a scammer. Make that a reflex. How seed phrases get stolen and how to store them is covered in this piece — 6 theft methods and the offline storage habits that work.

Check 5: Install apps only from official entrances, never off-platform

The earlier checks guard against "the fake." This one guards against "being steered to the fake in the first place." Counterfeit apps rarely show up in the app store you open yourself; they're more often pushed at you through: download links in chat groups, QR codes from strangers, third-party "fast download" sites, and install prompts in SMS.

The packages these off-platform channels hand you can have malicious code baked in. The credentials you type get quietly uploaded; your clipboard may be monitored so that a copied receiving address is silently swapped for the scammer's — a trick we cover in our loss-prevention guide. So installing an app comes down to two paths only: through the download entrance on the exchange's official site, or by searching in your phone's own app store and confirming the developer before installing.

If you already installed one off-platform
If you're not sure the app you have came from a clean source, the safest move is to uninstall it, reinstall from official channels per Checks 2 and 5, then immediately change your account password and check whether your 2FA was tampered with. Better one hassle than risking the account.

Get the first step right while you're at it. If you don't even have an account yet, rather than gamble on an ad slot in search results, register through the official entrance. The steadiest choice for a beginner is to open an account at a regulated, large-user-base exchange — you can register on Binance's official site (invite code BN1606), then follow our first-purchase flow step by step. If you're weighing whether Binance is safe or might collapse, we break that down separately — for a beginner, fake-app and fake-support risk is actually worth defending against more than the platform itself. To judge whether an exchange is trustworthy, start with these 6 screening criteria.

The 5 checks, side by side

Next time any "official" reaches out, or you're about to download or log in, run this table once — 30 seconds and you have your answer:

| Self-check | What the real one looks like | What the fake looks like |
|---|---|---|
| Verify domain | Root domain matches exactly | Prefix added / letters swapped / suffix changed |
| Check developer | Correct company entity name | Unfamiliar / personal name / very few reviews |
| Support origin | You initiated the question | Adds you / DMs you / pulls you into a group |
| Asks for sensitive info | Never asks | Asks for code / password / seed phrase |
| Download source | Official entrance / app store | Group link / QR code / off-platform package |

Across these five, even one item landing in the right-hand column is enough to make you stop and re-verify. What a scam fears most is you spending these 30 seconds. If you want to judge more systematically whether a given message is a scam, run it through our scam checker question by question.

Frequently asked questions

Will exchange support add me or message me first?
No. Legitimate support only responds when you reach out first from the official app or site. It never DMs you, adds you, or calls you out of the blue, and won't pull you into a group telling you to transfer funds. Anyone contacting you first as "support" can be assumed fake.
Will support ask me for a verification code or seed phrase?
Never. SMS codes, authenticator-app codes, login passwords, withdrawal passwords, wallet seed phrases, and private keys — real support asks for none of them. The moment someone asks for any one, however professional they sound, it's a scammer.
Where should I download an exchange app to be safe?
Only from the download entrance on the exchange's official site, or the listing in your phone's official app store with the correct developer information. Don't click download links people send, don't scan unfamiliar QR codes, and don't grab install packages from third-party sites or chat groups — those are the main sources of counterfeit apps.

Crypto prices are highly volatile and you can lose your entire principal. This site shares information only and is not investment advice.