How to Set Up Binance Anti-phishing Code to Actually Make It Work

Have you ever received an email that looked like it was from Binance, saying "Account abnormality, please log in immediately" or "Withdrawal submitted, please confirm," only to find out the link is fake when you click it? The anti-phishing code is a small mechanism specifically designed to kill this kind of phishing attack. Once enabled, all emails genuinely sent from Binance will display a custom string of your choice in a fixed location. Any email without this string is 100% fake, allowing you to spot a scam in 3 seconds. Set it up once, and you get lifetime protection; the whole process takes less than 2 minutes. If you aren't logged in yet, access your account through the Binance Official Site first; mobile users are advised to use the Binance Official App for more convenience. If iPhone users cannot find it in the App Store, refer to the iOS Installation Guide to switch to the US store and download it.

What Exactly Is an Anti-Phishing Code

The Anti-phishing Code is a string of 4-20 characters you set yourself. The Binance email system will automatically insert this string into a fixed spot (usually the header or footer) within the email content whenever it sends you an email. As long as you see this string in the email, it's genuine; otherwise, it's a phishing email.

The principle is simple: Scammers can forge the sender's address, the email layout, and even the Binance logo, but they do not know the anti-phishing code you set. Because this string only exists in your own Binance account database, a phisher cannot possibly know it.

Not all exchanges have this mechanism, but mainstream exchanges like Binance, OKX, and Coinbase support it, though the setup methods differ slightly. Binance's anti-phishing code works universally across the web and App; if you set it on your phone, it applies to web emails too.

Specific Steps to Enable the Anti-Phishing Code

The entire process is done in 2 minutes. It is highly recommended to do it right now.

Setting It Up on the Web

  1. Log in to the Binance official website, click the avatar in the top right corner to enter "Account".
  2. Select "Security" from the left menu.
  3. Find the "Anti-phishing Code" option, and click "Enable" or "Edit".
  4. Enter the current 6-digit code from your Google Authenticator.
  5. Enter the 6-digit email verification code.
  6. In the pop-up box, enter your desired anti-phishing code (4-20 characters, letters and numbers are both fine).
  7. Click "Submit" to complete.

Setting It Up on the App

  1. Open the Binance App, and tap "Profile" in the bottom right corner.
  2. Tap the avatar in the top left corner to enter your account.
  3. Select "Security".
  4. Find "Anti-phishing Code".
  5. Complete the 2FA and email double verification.
  6. Enter your custom string and submit.

Once successfully set up, the next email you receive from Binance will carry the characters you configured.

Three Golden Rules for Setting the Anti-Phishing Code

You shouldn't just input a random string. The following details determine whether the anti-phishing code can genuinely serve its purpose.

Rule 1: Do Not Use Information Related to Your Account/Password

Many people, for ease of memory, use their email prefix, phonetic name, or birthday. This hands attackers an easy guess: anyone who obtains your email address will try these common combinations. It is recommended to use a completely random string, ideally unlinked to any public information.

Rule 2: Minimum Length of 8 Characters, the Longer the Harder to Guess

Binance supports 4-20 characters, but 4 characters offer insufficient security; theoretically, a 4-digit code takes only 10,000 combinations to crack. A mix of at least 12 letters and numbers is highly recommended, such as Tx7k9mPqR3nZ (an illustration only; do not reuse a published example).

Rule 3: Do Not Reuse Passwords/PINs from Other Places

Although the anti-phishing code is not a password, if a string you reuse elsewhere is exposed in a breach and ends up in credential stuffing lists, attackers will attempt to use it to forge phishing emails. Set it independently and store it independently.

How to Confirm the Anti-Phishing Code Is Active

After setting it up, the simplest way to verify is to have the system send you a test email.

  1. Go to Binance "Account" → "Security".
  2. Find the "Email Verification" option, click "Edit" or "Verify".
  3. The system will send a verification email; open it to view.
  4. The anti-phishing code you set should appear at the beginning or end of the email.
  5. If it is there, it's active; if not, you need to set it up again.

Another method is to perform a very minor operation (like enabling a 2FA option); Binance will send a notification email, which will also include the anti-phishing code.

How to Check for the Anti-Phishing Code After Receiving an Email

Not all emails place it in the exact same spot; the location of the anti-phishing code varies slightly by email type.

  • Login Alert Emails: At the top of the email as "【Anti-phishing Code: XXXXX】".
  • Withdrawal Confirmation Emails: Above the main text body.
  • Security Change Notifications: At the signature section at the bottom.
  • Promotional/Campaign Emails: Near the copyright information in the footer.

Make it a habit to look for the anti-phishing code first whenever you read an email. If it's missing, delete the email immediately and do not click any links.
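The check above can also be run against the raw message source, which matters when a mail client's rendering hides part of the email. The following is an added example, not Binance code: the sample message, the code value Qm4tZ81xLp7Rw and the function name are constructed for illustration. It decodes every text part first, because a plain search of the raw source misses a code that quoted-printable encoding has wrapped across lines.

```python
import email
import html
import re
from email import policy

# Constructed sample: the code sits only in the HTML part, and the
# quoted-printable soft line break ("=" at end of line) splits it in the raw source.
SAMPLE = """\
From: Example Exchange <no-reply@exchange.example>
To: user@mail.example
Subject: Login alert
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

New login detected on your account.
--b1
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<html><body><p>Anti-phishing Code: Qm4tZ8=
1xLp7Rw</p><p>New login detected.</p></body></html>
--b1--
"""


def parts_containing_code(raw_message, code):
    """Return the content types of the text parts in which `code` appears.

    An empty list means the code is absent from the whole message.
    Pass the code at run time; do not hard-code your real one in a script.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue                      # skip multipart containers, images, etc.
        text = part.get_content()         # undoes base64 / quoted-printable
        if part.get_content_subtype() == "html":
            text = html.unescape(re.sub(r"<[^>]+>", " ", text))
        if code in text:
            hits.append(part.get_content_type())
    return hits
```

An empty result means the code is missing from every part of the message. A non-empty result only shows that the sender knew the code, which is why a leaked code should be changed.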

What Attacks Can the Anti-Phishing Code Prevent

The anti-phishing code isn't a silver bullet; it specifically targets email forgery, but it cannot prevent all forms of phishing.

| Attack Type | Can It Prevent? | Reason |
|---|---|---|
| Phishing emails forging the Binance sender address | Yes | The attacker doesn't know the code |
| Phishing emails with a fake Binance logo | Yes | Same as above |
| Forged Binance login pages | No | This is website phishing; requires 2FA/hardware keys |
| SIM Swap | No | Relies on SMS, unrelated to email |
| Customer Support imposter calls | No | Phone scam, anti-phishing code is not involved |
| Man-in-the-Middle Attacks | No | Requires HTTPS + certificate validation |

Therefore, the anti-phishing code is just one layer of defense in depth. It needs to be paired with strong passwords, 2FA, and withdrawal whitelists.

Three Common Mistakes During Setup

Based on backend feedback, these are the pitfalls beginners easily fall into.

  1. Setting it as a birthday/last 6 digits of phone number/name — Easily guessed.
  2. Using all lowercase letters or all numbers — The character space is too small.
  3. Not checking if it works after setup — It might not have saved due to failed verification, and you wouldn't notice.

The correct approach is to immediately trigger a test email to verify after setting it up.
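The three golden rules and the first two mistakes above can be expressed as a checker plus a generator. This is an added example, not Binance code: the function names and the personal_tokens parameter are assumptions, while the 4-20 limit, the letters-and-numbers alphabet and the 12-character recommendation come from this page.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # page: letters and numbers only
MIN_LEN, MAX_LEN = 4, 20                         # limits stated on the page
RECOMMENDED_LEN = 12                             # length the page recommends


def keyspace_bits(length, alphabet_size):
    """Bits of search space for a uniformly random code of this length."""
    return length * math.log2(alphabet_size)


def generate_code(length=RECOMMENDED_LEN):
    """Draw a code from the OS CSPRNG; retry until upper, lower and digit appear."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("length must be 4-20")
    while True:
        code = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in code) and any(c.isupper() for c in code)
                and any(c.isdigit() for c in code)):
            return code


def check_code(code, personal_tokens=()):
    """Return a list of rule violations; an empty list means the code passes."""
    problems = []
    if not MIN_LEN <= len(code) <= MAX_LEN:
        problems.append("length outside 4-20")
    if any(c not in ALPHABET for c in code):
        problems.append("unsupported character")
    if len(code) < RECOMMENDED_LEN:
        problems.append("shorter than 12")
    if code.isdigit() or (code.isalpha() and code.islower()):
        problems.append("single character class")      # mistake 2 above
    lowered = code.lower()
    for token in personal_tokens:                      # e.g. email prefix, birth year
        if len(token) >= 3 and token.lower() in lowered:
            problems.append("contains personal info: " + token)
    return problems
```

For scale, keyspace_bits(4, 10) is about 13.3 bits (the 10,000 combinations of a 4-digit code), while keyspace_bits(12, 62) is about 71.5 bits.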

Can the Anti-Phishing Code Be Changed?

Yes, anytime. Go to the security settings, click "Edit" next to the anti-phishing code, and complete the 2FA and email verification to overwrite the old code. Recommendations:

  • Change it every 3-6 months.
  • Change it immediately if you suspect a leak.
  • Trigger a test email right after changing to confirm the new code is active.

There is no limit on the number of changes, and it doesn't affect other account functions.

FAQ

Is the anti-phishing code a password?

No. It is not a login credential and cannot be used to log in or reset your account. It's just a "watermark" for email authentication. Leaking it won't lead to account theft, but it will allow an attacker to forge a much more convincing phishing email.

Why didn't I see the anti-phishing code in my email?

Possible reasons: ① You haven't enabled the feature yet; ② The email was sent before you set the code; ③ It's hidden by your email client's HTML rendering (switch to raw text mode to check); ④ The email is a phishing email and never had it to begin with.

Does it matter if my anti-phishing code is leaked?

It's not an emergency, but it needs to be changed. The leak itself won't compromise your account, but an attacker can use it to craft "authentic-looking" phishing emails. Change it immediately upon discovering anything suspicious.

Are the anti-phishing codes on the mobile App and desktop the same?

Yes, they are the same. It's an account-level setting, independent of platforms, and will be attached to all emails.

Do I need 2FA to set up the anti-phishing code?

Yes. Binance requires you to verify your current 2FA (Google Authenticator) and email verification code before you can set or modify it. This prevents someone from secretly setting or changing your anti-phishing code while at your computer.

Why can't the anti-phishing code display Chinese characters?

Binance currently only supports English letters and numbers, not Chinese, Japanese, or special symbols. If you input unsupported characters, the system will prompt you to reset it.

Conclusion

The anti-phishing code is a "zero-cost, high-return" setting for Binance account security. Spending 2 minutes to set it up allows you to instantly determine the authenticity of every email you receive in the future. Remember a few rules: do not use personal information, make it at least 12 characters long, test it immediately after setting it up, and rotate it periodically. Once you have the anti-phishing code set up, don't forget to stack it with a strong password, Google Authenticator, and a withdrawal whitelist. With these four tools in place, your account security level will surpass 90% of users. Now, open the security settings in the Binance App and take 2 minutes to get this done.