I received an email from Exodus, asking me to provide my 12-word secret recovery phrase/password

If you have received an email from [email protected], [email protected], or any other @exodus.io email, asking you to provide your secret 12-word secret recovery phrase or password, you can be 100% certain that this is a phishing attempt and someone is trying to steal your cryptocurrency. Exodus does not send unsolicited emails requesting to verify accounts. Exodus is a self-custodial wallet that does not have accounts. Exodus has no control over your funds or your access to them. You are in full control.

In this article:

Lee este artículo en Español | Read this article in Spanish

What is a phishing email?

Exodus will never ask any of our customers to provide their password, private keys, or 12-word secret recovery phrase, no matter what the situation is. Any email that you receive asking for such information is meant to trick you into thinking that it is coming from us in order to steal your funds.

If you receive such an email, claiming to be from Exodus, please let us know by emailing us at [email protected]. We take scams and phishing attempts extremely seriously and deeply appreciate any community reporting on attempts to harm our customers.

Typically, these emails will have a link to another website, or they will ask you to reply to a different email from the one you see as a sender. Never do this! They might even ask you to send funds to a certain wallet as part of a "backup procedure" or because your wallet was "compromised." It is not true! Don't fall for it!

What should I do if I receive a phishing email?

If you receive a phishing email in your inbox, here are a few actions you can take:

  • Do not open it. In some cases, the act of opening the phishing email may cause you to compromise your security.
  • Do not send any funds. Transactions confirmed on the blockchain are irreversible, so if you send funds to a scammer, you wouldn’t be able to retrieve your funds.
  • Delete it immediately to prevent yourself from accidentally opening the message in the future.
  • Do not download any attachments accompanying the message. Attachments may contain malware such as viruses, worms or spyware.
  • Never click links that appear in the message. Links embedded within phishing messages direct you to fraudulent websites.
  • Do not reply to the sender. Ignore any requests the sender may solicit, and do not call phone numbers provided in the message.
  • Report it. Let us know if you have been sent a phishing email by writing to us at [email protected]
  • Send us the .eml or .txt file. This might help us put a stop to the scammers. Here is an article that can help: How do I export an email as an EML file?

How do I protect myself from phishing emails?

Here are a few things you can do to protect yourself from phishing emails:

  1. Turn up your spam filters, and use tools like Priority Inbox. Setting your spam filters a little stronger may, depending on your mail provider, make the difference between a message that fails its SPF check landing in spam versus your inbox. Similarly, if you can use services like Gmail's Priority Inbox or Apple's VIP, you essentially let the mail server figure out the important people for you. If an important person is spoofed, you'll still get it, though.
  2. Learn to read message headers and trace IP addresses. You can check out this article on how to check that for some of the biggest email providers. When a suspicious email comes in, you'll be able to open the headers, look at the IP address of the sender, and see if it matches up with previous emails from the same sender. You can even do a reverse lookup on the sender's IP to see where it is, which may or may not be informative, but if you get an email from Exodus and see it is originating from Russia, then you definitely know that it is a phishing attempt.
  3. Never click unfamiliar links or download unfamiliar attachments. This may seem like a no-brainer, but all it takes is seeing a message from a reputable company and downloading an attachment, which you might think is genuine software, but in reality, it has a keylogger hidden inside it, and your whole operating system gets compromised. Many of us think we're above being tricked that way, but it happens all the time. Pay attention to the messages you get, don't click links in emails (go to the website directly and log in to find what they want you to see), and don't download email attachments you're not explicitly expecting. Keep your computer's antivirus software up to date.
  4. And the most important thing to remember is to ensure that you do not share your private keys or 12-word secret recovery phrase with anyone in any situation. For any blockchain asset, your private keys or 12-word secret recovery phrase controls the ownership of the money stored in the wallet, so you don't want to share them with anyone!

Exodus is not affiliated with any third-party platforms, external links, or any other third-party resources mentioned in this article. As such, Exodus cannot guarantee the performance of third-party products or services, or that the steps shown and the information provided will always be accurate.