That text claiming your Coinbase account is locked or your withdrawal is pending? It might be a scammer fishing for your credentials. Coinbase text scams have exploded over the past two years, costing victims millions in drained crypto wallets. Here's how these scams work, what red flags to watch for, and exactly what to do if you click the link.

How the Coinbase Text Scam Actually Works

Scammers send a text that looks like it came straight from Coinbase, often complete with the company logo, a short urgent message, and a clickable link. The message typically claims your account has suspicious activity, your withdrawal is pending verification, or that you need to confirm a login from a new device. The goal? Panic you into tapping before you think.

Once you click, you're taken to a fake Coinbase login page that mirrors the real site pixel-for-pixel. Any username and password you enter goes directly to the attacker. In many cases, the cloned page also asks for your two-factor authentication code in real time, which is the second key needed to break into your account.

The truly dangerous variants don't stop at login theft. Some fake pages request your wallet seed phrase, government ID documents, or even ask you to "verify" by sending a small crypto payment to a whitelisted address. Once that transaction confirms on the blockchain, the funds are gone for good.

The Most Common Scam Messages

  • Suspicious login alert: "Coinbase: New login detected from [city]. If this wasn't you, click here to secure your account."
  • Withdrawal hold: "Your withdrawal of X BTC is pending. Verify your identity within 24 hours to release funds."
  • Account closure warning: "Action required: your Coinbase account will be suspended unless you verify immediately."
  • Bonus or reward claim: "You've received 0.5 BTC. Claim now before the offer expires."

Red Flags That Scream "Scam"

Real Coinbase security alerts include specific transaction details, partial account information, and never ask you to click a link to "verify" anything. They guide you to log in directly through the official app or website. Texts pressuring you to tap a link to avoid losing money are almost always fake.

Other telltale signs include weird sender numbers, generic greetings like "Dear user" instead of your name, urgent countdown timers, and links that don't begin with coinbase.com. Some scammers even spoof the sender ID so the message lands in the same thread as legitimate Coinbase alerts, which makes detection trickier on first glance.

Rule of thumb: If a text creates urgency and asks you to click, log in, or send crypto — it's a scam. Always navigate to Coinbase directly through your browser or app.

What to Do If You Already Clicked

First, don't panic — but move fast. The longer you wait, the more time an attacker has to drain your account or transfer funds. Disconnect your wallet from any site you authorized, change your Coinbase password immediately, and revoke all API keys and third-party app access.

Next, contact Coinbase support directly through the official help center. Never use any phone number, email address, or live chat link provided in the scam text. Report the message to your carrier by forwarding it to 7726 (SPAM in the US), and file a report with the FTC, IC3, or your local consumer protection agency.

If you sent crypto or shared your seed phrase, the situation is more serious. Funds on the blockchain can't be reversed, but reporting quickly increases the chances of exchanges freezing the receiving address. Monitor your other accounts too — scammers often reuse stolen credentials across email, banking, and other crypto platforms.

Damage Control Checklist

  • Change your Coinbase password from a different, uncompromised device.
  • Revoke all third-party app access and delete any API keys you didn't create.
  • Move remaining funds to a fresh wallet that the scam site never touched.
  • Document everything — screenshots, sender numbers, and timestamps help investigators.

How to Protect Yourself Going Forward

Enable hardware-based two-factor authentication such as a YubiKey, or use the Coinbase app's built-in authenticator instead of SMS codes. SIM-swap attacks are a major reason scammers love targeting phone numbers in the first place, so removing SMS as a verification method closes a huge hole.

Bookmark the real Coinbase URL and never trust a link delivered in a text message, even if it looks perfect. Consider using a dedicated email address for crypto exchanges, one you don't use for shopping, social media, or newsletters, and turn on withdrawal allowlisting so only addresses you've pre-approved can receive your funds.

Finally, slow down. Scammers rely on fear and urgency to short-circuit your judgment. Take a breath, open the Coinbase app manually, and check whether the alert is real. In almost every reported case, it isn't.

Key Takeaways

  • Coinbase will never ask you to click a link in a text to verify your account or release a withdrawal.
  • Fake login pages steal credentials and 2FA codes in real time, often within seconds of submission.
  • If you clicked, act immediately: change passwords, revoke access, and contact official Coinbase support only.
  • Use hardware 2FA, withdrawal allowlists, and a dedicated email to harden your account against future attacks.