Fake security alert from my exchange drained my account


GustavoL
Participant

    A few weeks ago I almost gave up on crypto completely after falling for a very convincing fake security alert. I still feel stupid writing this, but maybe it will help someone spot the same trick earlier than I did.

    I got an email that looked exactly like it came from my main exchange. Same logo, same footer, same color scheme. The subject line said that there had been an attempted login from a new device and that my withdrawals were temporarily locked for my protection. The timing was believable because I had actually logged in from a different location a few days before.

    In the body of the email there was a big button that said “Secure my account now”. I clicked it without checking the sender address properly. The page that opened looked exactly like the normal login page. Same layout, same graphics. I typed in my email and password. Then it asked for my two-factor code. I entered that as well.

    Nothing seemed to happen. The page showed a spinning icon and then froze. I figured it was a glitch and decided to just open the normal exchange site manually. When I logged in there, my stomach dropped. Several withdrawal requests were already pending and one had already gone through while I was trying to refresh the fake page.

    The attackers had used my credentials in real time as I entered them on their fake site. They immediately created API keys and started moving funds out. I contacted support at once and they managed to stop one withdrawal, but by the time all the checks were done I had lost a significant portion of my balance.

    Later I looked more carefully at the email headers and saw the sender address was something like support@secure-[exchange name].com instead of the real domain. One extra word hidden in the middle, that was all it took. The link in the email went to a slightly different domain that I did not bother to inspect.

    I always thought I was careful with phishing, but this one lined up with my recent activity so it slipped past my defenses. Now I never click links in emails from exchanges, even if they look urgent. I open a new tab, type the address manually and check the notification centre from inside my account instead.

    If you ever get an urgent email saying your account is at risk, slow down for a moment. Check the sender domain character by character. Do not follow the link inside the email. And if you have not already, use hardware-based two-factor methods rather than SMS or app codes alone. I wish I had treated every message as guilty until proven innocent. It would have saved me a lot of money and stress.

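The sender-domain check the post recommends can be automated. The following is an added example, not part of the original post: it flags any sender or link host that is not the exchange's domain or a true subdomain of it. The domain exchange.example, the sample messages and the function names are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: "exchange.example" stands in for the exchange's real domain.
TRUSTED_DOMAIN = "exchange.example"

# Constructed sample modelled on the email described in the post.
SAMPLE_PHISH = (
    "From: Exchange Security <support@secure-exchange.example>\n"
    "Subject: Attempted login from a new device\n"
    "Content-Type: text/html\n\n"
    '<a href="https://login.secure-exchange.example/session">Secure my account now</a>\n'
)
# Constructed sample of a genuine notification, for comparison.
SAMPLE_REAL = (
    "From: Exchange <no-reply@mail.exchange.example>\n"
    "Subject: New device login\n"
    "Content-Type: text/html\n\n"
    '<a href="https://www.exchange.example/notifications">View notification</a>\n'
)

def belongs_to(host, trusted=TRUSTED_DOMAIN):
    """True only for the trusted domain itself or a subdomain of it.

    Matching on the dot boundary is the point: a host that merely
    contains the brand name (secure-exchange.example) must not pass.
    """
    host = host.lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)

def audit_message(raw, trusted=TRUSTED_DOMAIN):
    """Return (field, host) pairs that do not belong to the trusted domain."""
    msg = message_from_string(raw)
    findings = []
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not belongs_to(sender_host, trusted):
        findings.append(("From", sender_host))
    # Collect the text of every non-multipart part, then pull out the URLs.
    body = "".join(p.get_payload(decode=True).decode(errors="replace")
                   for p in msg.walk() if not p.is_multipart())
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlsplit(url).hostname or ""
        if not belongs_to(host, trusted):
            findings.append(("link", host))
    return findings

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("real", SAMPLE_REAL)):
        print(name, audit_message(raw) or "all hosts belong to the trusted domain")
```

An empty result only means the visible domains match. The From header can be forged outright, so the SPF, DKIM and DMARC results for the message still need to pass.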