How to secure my Bybit account against phishing and scams?

Enable 2FA via Google Authenticator, verify bybit.com manually, restrict API key permissions, and never share passwords or seed phrases—Bybit staff will never ask for them.

Dec 12, 2025 at 11:39 am

Enable Two-Factor Authentication (2FA)

1. Log in to your Bybit account and navigate to the Security Settings section.

2. Select Google Authenticator or SMS as your preferred 2FA method—Google Authenticator is strongly recommended due to its offline verification capability.

3. Scan the QR code using the authenticator app and enter the six-digit code to bind the device.

4. Store your backup recovery codes in a secure, offline location—never save them in cloud notes or email.

5. Disable SMS-based 2FA if possible, as SIM swapping attacks have compromised numerous cryptocurrency accounts.

Verify Official Domains and Communication Channels

1. Always type bybit.com manually into your browser—never click links from emails, social media DMs, or third-party ads.

2. Check for the padlock icon and ensure the URL reads exactly https://www.bybit.com with no typos, hyphens, extra subdomains, or lookalike domains such as “bybit-support.net” or “bybit-login.org”.

3. Bybit never initiates unsolicited contact via Telegram, WhatsApp, or phone calls asking for passwords, API keys, or seed phrases.

4. Confirm official social media accounts by checking verified badges and cross-referencing handles listed on the legitimate Bybit website footer.

5. Bookmark the official site and use that bookmark exclusively—avoid relying on search engine results which may surface malicious clones.
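The domain checks in this list can be expressed as a strict host allowlist. The following is an added example, not code from Bybit or from this article; the function name `check_bybit_url` and the `.example` links are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Hosts the page names as official; every other host is rejected.
ALLOWED_HOSTS = {"www.bybit.com", "bybit.com"}

def check_bybit_url(url):
    """Return (ok, reason) for a link before it is opened or bookmarked."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")  # userinfo and port removed
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not https"
    if parts.username is not None:
        return False, "text before '@' is not the host; real host is " + host
    if not host.isascii() or "xn--" in host:
        return False, "non-ASCII or punycode host (possible homoglyph)"
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist: " + host
    return True, "ok"

# Constructed test links; the .example names are placeholders, the two
# lookalike names are the ones quoted in the list above.
SAMPLES = [
    "https://www.bybit.com/en/",
    "http://www.bybit.com/",
    "https://bybit-support.net/login",
    "https://bybit-login.org/",
    "https://www.bybit.com.account-check.example/",
    "https://www.bybit.com@login.example/",
    "https://www.b\u0443bit.com/",  # Cyrillic U+0443 in place of "y"
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link.encode("unicode_escape").decode(), check_bybit_url(link))
```

Only the first sample passes; each of the others fails for a different reason, which is why comparing the parsed host is more reliable than looking for "bybit.com" somewhere in the address bar.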

Protect Your API Keys and Withdrawal Settings

1. Generate API keys only through Bybit’s official API Management page—not via third-party bots or trading tools claiming “instant integration”.

2. Assign minimal permissions: avoid enabling “Withdraw” or “Margin Trading” unless absolutely necessary for your strategy.

3. Enable IP whitelisting so your API keys only function from trusted devices and network ranges.

4. Regularly audit active API keys and delete any unused or unrecognized ones—especially those created during promotional campaigns or giveaways.

5. Never share API keys—even with “Bybit support agents” who claim they need them to “verify your account”.

Recognize Phishing Red Flags in Emails and Messages

1. Urgent language such as “Your account will be suspended in 2 hours” or “Immediate action required to prevent fund loss” is a hallmark of scam attempts.

2. Generic greetings like “Dear User” instead of your registered name indicate mass-sent phishing templates.

3. Mismatched sender addresses—for example, an email appearing to come from “support@bybit.com” but actually originating from “support@bybit-security-update[.]xyz”.

4. Embedded buttons labeled “Confirm Identity” or “Verify Wallet” that redirect to non-Bybit domains upon hover or click.

5. Requests to download unknown files, install remote access software, or enter your 2FA code on external pages.
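The red flags above can be turned into a simple mail-triage check. This is an added example, not code from Bybit or from this article; the regular expressions, the `phishing_flags` function and both sample messages are constructed for illustration, and treating subdomains of bybit.com as official is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

URGENT = re.compile(r"suspended in \d+ hours?|immediate action required", re.I)
GENERIC = re.compile(r"^\s*dear (user|customer|member)\b", re.I | re.M)
SECRETS = re.compile(r"\b(enter|send|confirm)\b[^.\n]*\b(2FA code|password|seed phrase|API key)", re.I)
LINK = re.compile(r"https?://[^\s\"'<>]+", re.I)

def official(host):  # assumption: bybit.com and its subdomains are official
    host = (host or "").lower().rstrip(".")
    return host == "bybit.com" or host.endswith(".bybit.com")

def phishing_flags(raw_email):
    """Return the red flags from the list above found in one plain-text email."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()
    display, addr = parseaddr(msg.get("From", ""))
    flags = []
    if URGENT.search(msg.get("Subject", "") + "\n" + body):
        flags.append("urgent-language")
    if GENERIC.search(body):
        flags.append("generic-greeting")
    if "bybit" in display.lower() and not official(addr.rpartition("@")[2]):
        flags.append("sender-mismatch")  # display name imitates Bybit, address does not
    off = sorted({h for u in LINK.findall(body) if (h := urlsplit(u).hostname) and not official(h)})
    if off:
        flags.append("off-domain-link:" + ",".join(off))
    if SECRETS.search(body):
        flags.append("asks-for-secret")
    return flags

# Constructed samples, not real messages; .example domains are placeholders.
PHISH = '''From: "support@bybit.com" <support@bybit-security-update.example>
Subject: Immediate action required

Dear User, your account will be suspended in 2 hours. Click Confirm Identity:
https://bybit-login.example/verify and enter your 2FA code on that page.
'''
BENIGN = '''From: Bybit <notifications@bybit.com>

Hi Alex,
A new login was recorded. Review it at https://www.bybit.com/ if it was not you.
'''

if __name__ == "__main__":
    print(phishing_flags(PHISH), phishing_flags(BENIGN))
```

An empty result means none of these heuristics fired, not that the message is genuine, because the From header itself can be forged.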

Frequently Asked Questions

Q: Can Bybit support staff ever ask me for my password or seed phrase?
A: No. Bybit employees will never request your password, 2FA codes, API keys, or recovery phrases under any circumstances.

Q: What should I do if I accidentally entered my credentials on a fake Bybit site?
A: Immediately log in to your real Bybit account, revoke all active sessions, regenerate API keys, reset 2FA, and contact Bybit Support via the official live chat within the verified app or website.

Q: Is it safe to use Bybit’s mobile app downloaded from third-party app stores?
A: No. Only install the Bybit app from the official Apple App Store or Google Play Store—third-party APKs or IPA files often contain malware designed to intercept clipboard data and steal wallet addresses.

Q: Does Bybit offer email encryption or signed messages for critical notifications?
A: Bybit does not currently provide PGP-signed emails or end-to-end encrypted alerts. All official security announcements are published exclusively on their verified blog and Twitter/X account @Bybit_Official.

Disclaimer: info@kdj.com

The information provided is not trading advice. kdj.com does not assume any responsibility for any investments made based on the information provided in this article. Cryptocurrencies are highly volatile and it is highly recommended that you invest with caution after thorough research!

If you believe that the content used on this website infringes your copyright, please contact us immediately (info@kdj.com) and we will delete it promptly.
