What Is Phishing?

📖 6 min read

✍️ Written & reviewed by Karel Havlíček | Updated 2026 | 🛡️ Editorially independent

Quick Answer

Phishing, tricking you into handing over passwords or keys via fake emails and websites, is the single most common way people get hacked, including crypto holders. The good news: most phishing has technical tells you can learn to spot in seconds. Knowing them turns the internet's most effective attack into one you can usually see coming.

💡 The mental model

Phishing is a con artist in a fake uniform. The email or website is dressed up to look exactly like your bank, exchange or wallet, but it is a costume. Your defense is not better locks; it is learning to check the badge, the address, and the story before you ever hand anything over.

What phishing is

Phishing is a fraudulent message or website pretending to be a trusted source (your exchange, your bank, a delivery service, even a friend), designed to trick you into revealing passwords, codes, or your seed phrase, or into clicking a malicious link. It relies on urgency and impersonation rather than breaking any technology.

Spoofed URLs and lookalike domains

The biggest tell is the web address. Attackers register lookalikes (binance-support.com, or "homograph" domains using foreign letters that look identical) and hide them behind nice-looking link text. Always check the real domain, hover before clicking, type known addresses yourself or use bookmarks, and be suspicious of any link in an unexpected message.
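The three checks described above (homograph characters, a lookalike domain, and trusted-looking link text that hides a different destination), as an added example that is not part of the original article. The `TRUSTED` allowlist, the `mybank.example` domain and the function names are assumptions made for illustration; the exact-match test in `is_trusted` is the same kind of comparison a password manager relies on when it refuses to autofill.

```python
from urllib.parse import urlsplit

# Assumption: domains the user really uses (constructed sample allowlist).
TRUSTED = {"binance.com", "mybank.example"}

def hostname(url):
    """Lower-cased host part of a URL, or '' if it cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:
        return ""

def is_trusted(host):
    """Exact match or a real subdomain of a trusted domain."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def check_link(text, href):
    """Return the tells found for one link; an empty list means none."""
    host = hostname(href)
    tells = []
    # Non-ASCII letters or punycode ("xn--") labels: possible homograph domain.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        tells.append("homograph")
    # A trusted brand name inside a domain that is not the trusted one.
    if not is_trusted(host) and any(d.split(".")[0] in host for d in TRUSTED):
        tells.append("lookalike")
    # Link text that displays a trusted address while the link goes elsewhere.
    if " " not in text and "." in text:
        shown = hostname(text if "://" in text else "https://" + text)
        if is_trusted(shown) and not is_trusted(host):
            tells.append("text-mismatch")
    return tells

if __name__ == "__main__":
    # Constructed sample links: (visible text, real destination).
    samples = [
        ("Log in", "https://www.binance.com/login"),
        ("Verify your account", "https://binance-support.com/verify"),
        ("https://www.binance.com", "https://binance-support.com/verify"),
        ("Log in", "https://bin\u0430nce.com/login"),  # Cyrillic "a"
    ]
    for text, href in samples:
        print(f"{href!r} shown as {text!r}: {check_link(text, href) or 'no tells'}")
```

An empty result only means none of these three tells fired; it does not prove a site is genuine.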

The padlock myth and other tells

A padlock (HTTPS) only means the connection is encrypted, not that the site is genuine; scam sites have padlocks too. Other red flags: urgent threats ("act now or lose access"), requests for codes or seed phrases (no legitimate service ever asks), poor grammar, slightly off logos, and email "from" addresses that do not match the real domain.

How to protect yourself

Never enter passwords or seed phrases via a link in a message; navigate to sites yourself. Use a password manager (it refuses to autofill on fake domains, a great early warning). Enable app- or hardware-based two-factor authentication. Slow down when a message creates urgency, because that pressure is the attack. When unsure, contact the company through its official site.

🔑 Key takeaway

Phishing tricks you into giving up passwords, codes or seed phrases via fake emails and websites that impersonate trusted services. Spot it by checking the real domain (beware lookalikes), remembering that a padlock proves encryption, not legitimacy, and treating urgency and requests for codes/seed phrases as red flags. Navigate to sites yourself, use a password manager, and enable strong 2FA.

Why this matters for you

Phishing is rampant across Asia, hitting banking, messaging-app and especially crypto users, where a single stolen seed phrase means irreversible loss. The technical tells here (lookalike domains, the padlock myth, never sharing codes) are practical, universal defenses that protect everyone from everyday account theft to life-changing crypto loss.

Frequently asked questions

How do I spot a phishing website?

Check the exact domain in the address bar for lookalikes or odd characters; remember a padlock (HTTPS) only means encryption, not legitimacy. Be suspicious of urgency, requests for passwords/codes/seed phrases, and links in unexpected messages. Navigate to sites yourself rather than clicking.

Why is the padlock (HTTPS) not enough to trust a site?

The padlock only means your connection to the site is encrypted; anyone, including scammers, can get one for free. A phishing site can show a padlock while still being fake. Always verify the actual domain name, not just the padlock.

What should I never do in response to a message?

Never enter your password or seed phrase via a link in an email or text, and never share one-time codes or your recovery phrase with anyone; no legitimate service asks for them. If a message is urgent, that urgency is itself a warning sign; verify via the official site.
