Changpeng Zhao (CZ), founder and former CEO of cryptocurrency exchange Binance, once again warned his followers about phishing attacks. In a message shared on social media, he emphasized that passwords should never be shared with customer service representatives under any circumstances. He also advised logging into sites by typing the URL into the address bar rather than clicking on links in emails. Highlighting that even a single leak can put an entire portfolio at risk, CZ described unique and strong passwords along with hardware-based two-factor authentication as “essential.”
First Line of Defense Against Online Phishing: Password Security
Password security remains the weakest link in phishing attacks. The fundamental rule CZ underscored is straightforward: “Real support representatives do not ask for passwords.”
As is well known, scammers today fool cryptocurrency investors by employing panic-inducing scenarios such as “your account is locked” or “additional verification needed.” CZ suggested typing the URL manually or using a trusted bookmark to avoid such traps. Malicious browser extensions can even direct users to spoof domains. Therefore, sometimes the only shield protecting one’s cryptocurrency holdings is to verify the URL in the address bar multiple times.
CZ highlighted that reusing a single password across multiple platforms puts every other account in the chain at risk once one of them leaks. Password managers address this by generating long, random, unique combinations for each site. They also act as an extra phishing alarm, since they will not auto-fill credentials on a domain that does not match the one the password was saved for. Once correctly set up, a password lifted from a leaked database is useless for any other account, and the damage a convincing fake site can do is considerably reduced.
Use Hardware-Based 2FA Verification Methods
Of course, strong passwords alone are not enough to ensure full protection. CZ recommended opting for hardware-based two-factor authentication as an additional layer of security. Keys such as YubiKeys, which operate over USB or NFC, require a physical touch to confirm each login, thwarting most phishing campaigns. Models that support the FIDO2 protocol go further: the credential is cryptographically bound to the domain on which it was registered. Even if an attacker sets up a lookalike of the real domain, the key detects the domain mismatch and refuses to sign the login, so there is nothing for the phishing page to forward.
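The domain binding described above is what a FIDO2/WebAuthn relying party actually checks when it receives a login assertion. The following is an added illustration, not code from the article or from any exchange: it constructs the fixed prefix of WebAuthn `authenticatorData` (SHA-256 of the relying-party ID, flags, signature counter) and the browser-supplied `clientDataJSON`, then shows why a genuine login passes and a login relayed from a lookalike domain does not. The relying-party ID `exchange.example`, the origin and the challenge are constructed sample values.

```python
import hashlib
import json

# Constructed sample values (not from the article): the exchange's relying-party ID
# and the only browser origin it accepts assertions from.
RP_ID = "exchange.example"
EXPECTED_ORIGIN = "https://exchange.example"


def make_authenticator_data(rp_id: str, sign_count: int = 1) -> bytes:
    """Build the fixed 37-byte prefix of WebAuthn authenticatorData:
    SHA-256(rpId) || flags || signCount (big-endian). Used here only to construct
    sample input; a real hardware key produces this on the device."""
    flags = 0x05  # UP (user present) and UV (user verified) bits set
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def make_client_data(origin: str, challenge: str = "c29tZS1jaGFsbGVuZ2U") -> bytes:
    """The browser, not the page's JavaScript, fills in the origin field."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()


def verify_binding(authenticator_data: bytes, client_data_json: bytes) -> tuple[bool, str]:
    """Relying-party side of the origin check: the rpIdHash inside the data the key
    signed must equal SHA-256 of our rpId, and the origin the browser recorded in
    clientDataJSON must be ours. (Signature verification is omitted for brevity.)"""
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our relying party"
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "not an authentication ceremony"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    if not authenticator_data[32] & 0x01:
        return False, "user presence not asserted"
    return True, "ok"


# Legitimate login: browser on the real site, key scoped to the real rpId.
GENUINE = verify_binding(make_authenticator_data(RP_ID), make_client_data(EXPECTED_ORIGIN))
# Login relayed through a lookalike domain: the browser only lets that page use its own
# effective domain as rpId, so the key signs for the wrong rpId and the origin is wrong too.
SPOOFED = verify_binding(make_authenticator_data("exchange-example.com"),
                         make_client_data("https://exchange-example.com"))
```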
As the surface for online attacks expands, SMS-based codes are increasingly inadequate. SIM swap attacks and QR codes that can simply be copied show the limits of phone-based verification. Hardware tokens, by contrast, do not depend on the carrier or the phone and can be carried in a pocket or on a keychain. Moreover, most modern exchange and wallet applications recognize these devices in just a few steps, so setup takes only minutes.
CZ’s final call to “Stay SAFU!” translates into a comprehensive security prescription requiring the combination of password hygiene with hardware-based 2FA.