
What is Binance Anti-Phishing Code? How to Set It Up? Identify Fake Emails Instantly

The Binance Anti-Phishing Code is a 4-8 character alphanumeric combination that you set yourself. Once set, every genuine email sent to you by Binance will include this string in a prominent location, and no phishing email can forge it, because the attacker simply doesn't know what you have set. To enable it, log in to the official Binance website, go to the "Account Security" page, find "Anti-Phishing Code", click "Enable", enter a string only you know (for example, "BTC2026"), and verify it once with 2FA. The entire setup process takes less than 30 seconds.

According to Binance's 2024 security report, the platform intercepts over 2.8 million phishing emails mimicking Binance every month. Their main tactic is inducing users to click links like "Remote Login Confirmation", "Account Freeze Appeal", or "Airdrop Claim" to enter forged login pages and steal passwords and 2FA codes.

After setting up the Anti-Phishing Code, any "Binance email" you receive without this code can be immediately judged as a phishing email and ignored. It is recommended to also check the official Binance app for system notifications as cross-verification. If it's your first time downloading, please refer to the iOS installation tutorial to ensure it is the official version. This article details the principles, setup steps, and 7 practical tips for identifying phishing emails using the Anti-Phishing Code.

How the Anti-Phishing Code Works

The design idea of the Anti-Phishing Code is very clever: it is a secret that "you know, Binance knows, and the attacker does not know". Binance's server saves this string in your account security configuration and automatically embeds it into a fixed position in the email body every time an email is sent.

When attackers forge a Binance email, although they can copy the email's LOGO, layout, and sender name, and even forge the sender address to make the email look like it comes from "[email protected]", they cannot know what your personal Anti-Phishing Code is. A "Binance email" without this code is definitely fake.

This mechanism was first introduced by Binance in 2018 and has since been adopted by mainstream exchanges like OKX, Bybit, and Gate, becoming the de facto standard in the cryptocurrency industry. Official Binance data shows that the successful phishing rate for users who enabled the Anti-Phishing Code dropped by more than 85%.

Why Must You Set an Anti-Phishing Code?

Phishing emails are more dangerous than most users imagine. In March 2024, a user received an email saying "Binance reminds you of a remote login to your account". Clicking the "Not me" button redirected them to a forged Binance login page. After they entered the account password and 2FA code, the page redirected back to the real Binance site. The user assumed it was a false alarm and thought nothing more of it. Meanwhile, the attacker had logged in to the real Binance in real time, within the 30-second validity period of the 2FA code the user entered, and withdrew all 5.2 BTC from the account.

The core of this type of attack lies in the "time difference": the phishing page forwards your entered password and 2FA to the attacker in real-time, and the attacker completes the login and withdrawal within the 30-second validity period. The Anti-Phishing Code allows you to see through the scam before clicking the email link, cutting off the attack path from the source.

Binance's emails cover a variety of scenarios: login reminders, withdrawal confirmations, API creation notifications, security setting changes, marketing campaigns, account anomaly warnings, etc. After setting up the Anti-Phishing Code, all these emails will come with the code, while phishing emails will not. The difficulty of identification is reduced from "need to carefully identify the link domain" to "see if that string of characters is there".

How to Set Up the Anti-Phishing Code? (Detailed Steps)

Step 1: Log in and enter the security page. Visit the Binance official website using a browser, log in, click on the avatar in the upper right corner, and select "Account Security". You will see the "Account Security" category in the middle of the page, which includes options like password, 2FA, Anti-Phishing Code, etc.

Step 2: Enable the Anti-Phishing Code. Find the "Anti-Phishing Code" item. The right side shows "Not Set" and an "Enable" button. Click "Enable". The system will pop up an input box.

Step 3: Choose a memorable but hard-to-guess string. The Anti-Phishing Code requires 4-8 characters and can only contain letters and numbers (no special symbols). A good Anti-Phishing Code should meet three conditions: easy for you to remember, hard for others to guess, and unrelated to your other passwords.

Recommended practice: Use an abbreviation of a phrase only you know plus numbers, such as "MyCat2019", "BTC2Moon", "SafeBN88", etc. Not recommended: Your English name, birthday, the last four digits of your phone number, and other easily guessed information.

Step 4: 2FA Verification. After entering the Anti-Phishing Code, the system will ask you to enter the 6-digit dynamic code of Google Authenticator (if you have enabled 2FA) and the SMS verification code. It takes effect immediately upon successful verification.

Test it immediately after setting it up: Trigger an email notification on Binance (for example, change your login password). The top of the received email body will display "Anti-Phishing Code: XXXXXX". This is the string you just set.

Comparison between Real and Fake Binance Emails

The table below lists 7 key differences between real Binance emails and phishing emails to help you build muscle memory for instant identification.

| Comparison Item | Real Binance Email | Phishing Email |
| --- | --- | --- |
| Anti-Phishing Code | The code you set is in a prominent place | Missing or incorrect |
| Sender Address | Official domains like [email protected] | Forged similar domains, like binance-support.com |
| Link Domain | Only points to binance.com and its official subdomains | Points to third-party domains or short links |
| Email Language | Consistent with your Binance language settings | Mostly English or machine-translated |
| Salutation | Uses the name or email prefix you registered with | Uses generic terms like "Dear User" |
| Urgency | Informational statements, not forcing immediate action | Threatens "Account will be frozen if not handled in 24 hours" |
| Attachments | Never includes attachments | Often includes pdf or zip attachments (viruses) |

Standard Handling Process for Suspicious Emails

Step 1: Do not click any links, do not download any attachments, and do not reply. All links and attachments in phishing emails could be traps.

Step 2: Check the Anti-Phishing Code. Real emails have it, fake emails do not. This rule alone can filter out 95% of phishing emails.

Step 3: Log in to the Binance app directly, or manually enter the official website address, to verify. If the email says "There is a remote login" or "Someone is withdrawing coins", checking the "Login History" and "Withdrawal Records" in the app confirms whether it is true without clicking the link in the email.

Step 4: Report the phishing email. Forward the email as an attachment to [email protected]. Binance will assist in shutting down the phishing domain. In 2024, Binance took down over 12,000 phishing domains. Your report can protect other users.

Step 5: If you have already clicked the link and entered information, immediately log in to the real Binance to change your password, reset 2FA, check withdrawal records, and at the same time transfer all assets to the spot account and turn on the withdrawal cooling-off period.

Advanced Usage of Anti-Phishing Code

Usage 1: Differentiate multiple accounts. If you have multiple Binance accounts (e.g., personal account and corporate account), set a different Anti-Phishing Code for each account, such as "PERSONAL01", "COMPANY01". When an email arrives, you will know which account it is for.

Usage 2: Regular replacement. It is recommended to change the Anti-Phishing Code every 6-12 months. If you suspect your email might have been accessed by hackers, change it immediately. The replacement process is exactly the same as the initial setup.

Usage 3: Combine with email filter rules. Set up rules in Gmail or Outlook so that emails containing "Anti-Phishing Code: XXXXXX" in the body automatically get a "Real Binance" tag; otherwise, they get a "Suspected Phishing" tag. The difference is then clear at a glance.

Usage 4: Share with trusted family. Tell your trusted family member your Anti-Phishing Code. If you receive a suspicious email and are unsure of its authenticity, you can cross-confirm. Note: The Anti-Phishing Code is not a password. Leaking it to family will not cause the account to be stolen, but do not tell strangers.
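
The filter rule from Usage 3, extended with the "Link Domain" and "Attachments" rows of the comparison table, written as an added Python example (not code from Binance or any mail provider). It assumes the message has been saved as raw text; the function names `triage`, `link_hosts` and `host_is_official` are hypothetical, and both sample messages are constructed.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

OFFICIAL = "binance.com"  # the only link domain the comparison table allows
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

def host_is_official(host):
    """True for binance.com or a real subdomain, not look-alike prefixes/suffixes."""
    host = (host or "").lower().rstrip(".")
    return host == OFFICIAL or host.endswith("." + OFFICIAL)

def link_hosts(text):
    """Hostnames of every http(s) link in the text; unparsable links count as ''."""
    hosts = set()
    for url in URL_RE.findall(text):
        try:
            hosts.add(urlsplit(url).hostname or "")
        except ValueError:
            hosts.add("")
    return hosts

def triage(raw, my_code):
    """Return the reasons a message fails the page's checks; empty list = passed."""
    msg = message_from_string(raw, policy=policy.default)
    texts, files = [], []
    for part in (p for p in msg.walk() if not p.is_multipart()):
        if part.get_filename() or part.get_content_disposition() == "attachment":
            files.append(part.get_filename() or "unnamed")
        elif part.get_content_maintype() == "text":
            texts.append(part.get_content())
    body = "\n".join(texts)
    reasons = []
    # Whole-token match: code "BTC2026" must not be satisfied by "XBTC20261".
    token = r"(?<![A-Za-z0-9])" + re.escape(my_code) + r"(?![A-Za-z0-9])"
    if not re.search(token, body):
        reasons.append("anti-phishing code missing")
    bad = sorted(h for h in link_hosts(body) if not host_is_official(h))
    if bad:
        reasons.append("links outside binance.com: " + ", ".join(bad))
    if files:
        reasons.append("has attachments: " + ", ".join(files))
    return reasons

# Constructed sample messages (not real Binance mail); "BTC2026" is the page's example code.
GENUINE = "Subject: Login notice\n\nAnti-Phishing Code: BTC2026\nReview at https://www.binance.com/ .\n"
FAKE = "Subject: Account frozen\n\nDear User, appeal at https://binance.com.appeal-desk.example/login\n"
if __name__ == "__main__":
    print(triage(GENUINE, "BTC2026"), triage(FAKE, "BTC2026"))
```

An empty result means the message passed these three checks, not that it is proven genuine, so the cross-check in the app from the handling process still applies.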

Frequently Asked Questions

Q: Will the Anti-Phishing Code appear in all Binance emails? A: Yes. It appears in all types of emails, such as login reminders, withdrawal notifications, marketing campaigns, monthly statements, and API warnings, and is displayed in a fixed position at the top or bottom of the email.

Q: How long does it take to take effect after setting? A: It takes effect immediately. The first email sent to you after the setup is completed will include it.

Q: Can the Anti-Phishing Code prevent SMS phishing? A: No. The Anti-Phishing Code is only used for emails. You must rely on other identification methods to prevent SMS phishing; for example, official Binance SMS messages will not contain any links. Any "Binance SMS" containing a link is fake.

Q: What if I forget the Anti-Phishing Code I set? A: Log in to the Binance account security page to view the current Anti-Phishing Code directly, or you can modify it at any time.

Q: Will the Anti-Phishing Code be seen by Binance employees? A: Yes. Binance customer service can see your Anti-Phishing Code when looking into a ticket. This is allowed by design, so do not use a password from any other service as your Anti-Phishing Code.

Setting up the Anti-Phishing Code takes only 30 seconds and is one of the security measures with the highest return on investment. If you haven't enabled it yet, it is recommended to set it up right now. Combined with 2FA, a withdrawal whitelist, and login alerts, it builds a complete account security system, allowing you to sleep peacefully in the crypto world.
