
Intro: Many "official security team notice" emails are circulating — formal format, complete sign-off, with ticket number and signature. The more formal they look, the easier it is to relax. Here's a breakdown of common impersonation points and verification principles — confirm channel and domain before clicking.
Background
Attackers copy official templates, logos, and typography, using similar domains to send "security upgrade / risk alert" emails with short links or attachments asking for login verification or patch download. Some emails pass DKIM/SPF, misleading users into thinking they're safe.
The email body often emphasises "immediate action" or "account will be restricted," with a professional-looking support signature and ticket ID — neither of which can be verified in the official system.
Impersonation-point breakdown
1) Domain & certificate: sender domain has extra/missing letters or uses free-email aliases; reply-to differs from the displayed address; link domains differ from the official domain. Domain mismatch is the primary risk signal.
2) Attachments & short links: attachments are ZIP/HTML/PDF; short links redirect through multiple hops. Official emails don't distribute firmware via attachment or collect keys.
3) Copy & format: "security upgrade," "abnormal login," "verify account" with countdown pressure; mixed timezones or languages are clues.
4) Signature & ticket: forged signatures/ticket numbers can't be verified at the official support entry — official tickets are queryable in the app/site.
5) Verification claim: emails claim to be "verified," but SPF/DKIM only confirm that the sending domain authorised the message, not that the domain or content is official — still verify the domain.
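The domain checks from items 1 and 5 (sender vs. reply-to, link hosts vs. the official domain, and why an SPF/DKIM pass on a lookalike domain proves nothing) applied to a constructed sample notice; this is an added example, not code from the original page or from Ledger, and it assumes `ledger.com` as the official domain purely for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
OFFICIAL_DOMAIN = "ledger.com"  # assumed official domain (example assumption)
# Constructed sample notice: SPF/DKIM pass for a lookalike domain, while the
# Reply-To and the link hosts do not belong to the official domain at all.
SAMPLE_EML = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=ledger-support.co; dkim=pass header.d=ledger-support.co
From: Ledger Security Team <notice@ledger-support.co>
Reply-To: tickets@mail-helpdesk.net
Subject: [Ticket #48213] Immediate action required: security upgrade
Content-Type: text/plain; charset=utf-8

Abnormal login detected. Verify within 24 hours at https://secure-ledger-login.co/verify
or download the patch from https://ledger-support.co/patch.zip
"""

def domain_of(addr: str) -> str:
    """Lowercase domain of an RFC 5322 address; empty string if none."""
    _, mailbox = parseaddr(addr)
    return mailbox.rsplit("@", 1)[-1].lower() if "@" in mailbox else ""

def is_official(host: str) -> bool:
    """True only for the official domain itself or one of its subdomains."""
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)

def assess(raw: str) -> dict:
    """Apply the domain checks from items 1 and 5 and return the findings."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode(errors="replace")
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", "")) or from_domain
    auth = msg.get("Authentication-Results", "")
    hosts = sorted({urlparse(u).hostname.lower() for u in re.findall(r"""https?://[^\s<>"']+""", body)})
    findings = []
    if not is_official(from_domain):
        findings.append(f"sender domain {from_domain} is not {OFFICIAL_DOMAIN}")
    if reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from sender domain {from_domain}")
    findings += [f"link host {h} is not {OFFICIAL_DOMAIN}" for h in hosts if not is_official(h)]
    # A pass only proves the lookalike domain's owner sent it, not that the sender is official.
    if "spf=pass" in auth and "dkim=pass" in auth and findings:
        findings.append("SPF/DKIM pass, yet domain checks fail: authenticated lookalike")
    return {"from_domain": from_domain, "link_hosts": hosts, "findings": findings,
            "verdict": "high-risk" if findings else "domain checks passed"}

if __name__ == "__main__":
    print(*assess(SAMPLE_EML)["findings"], sep="\n")
```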
Common misconceptions
Q: DKIM/SPF passes — is it real?
A: Not necessarily — compromised mailboxes can also pass. Still verify domain and link.
Q: Can I open the PDF/ZIP attachment?
A: Don't — the official team doesn't use attachments to collect information or distribute patches.
Q: Is the support hotline in the email trustworthy?
A: Use numbers from the official site/app only.
Q: Is replying with a verification code safe?
A: Verification codes can be used to take over accounts — never email them.
Principles
1) On receipt of a security-type email, check domain first, then type the official URL or open Ledger Live for the advisory. Don't log in or enter keys/verification codes via email buttons or attachments.
2) Ticket verification only happens at the official support entry. Not queryable = high-risk. Save the email headers and timestamps; report if needed.
3) Any email demanding patch download, disabling security software, or submitting the recovery phrase is phishing — delete and rotate related credentials.
Safety reminder: We will never ask for your recovery phrase, PIN, verification codes, or private keys. Anyone requesting them is attempting fraud — do not share and do not proceed.