Skip to content
BTC ETH SOL XRP ADA LINK
Your Crypto Guide Australia · Est. 2026

Security

CoinSpot Scam Text: How to Spot and Report Fake SMS (2026)

Fake CoinSpot texts reach Australians who have never held an account. What the 2026 scam SMS look like, how to verify a real message and how to report one.

By

YCG Research Desk

Published

12 June 2026

Fact-checked & updated

12 June 2026

A CoinSpot scam text is a fake SMS impersonating the exchange — usually a bogus withdrawal alert, an unsolicited code or a “suspicious activity” warning with a number to call or a link to tap. CoinSpot says it never contacts customers this way. Don’t respond: check your account directly, forward the text to 7726 and report it to Scamwatch.

These messages reach Australians indiscriminately, including people who have never opened a crypto account. This guide covers what the current texts look like, why you received one, how to verify a genuine CoinSpot message, and what CoinSpot’s actual security record shows.

What CoinSpot scam texts look like in 2026

Consumer-alert trackers and CoinSpot’s own support pages describe three templates doing the rounds in the first half of 2026:

The fake withdrawal alert. A message claims a withdrawal you never made is underway — wording recorded in early 2026 ran along the lines of “A withdrawal of 0.5 BTC was initiated. If this was not you, call [number].” The number connects to a scammer posing as CoinSpot support, who “helps” you secure the account by extracting your login details or directing you to move funds to a “safe” wallet they control.

The unsolicited code. You receive what looks like a genuine verification or withdrawal code — one May 2026 example read “CoinSpot: Your withdrawal code is 809777. Please do not share this code with anyone…” — followed minutes later by a call from “CoinSpot security” asking you to read the code out. Anyone asking you to share a code over the phone is attempting to take over an account.

The account-compromise warning. A text claims suspicious activity or an imminent lockout and links to a lookalike login page. Reported fakes use domains mimicking the real one (in the style of coinspot-security.com) or shortened bit.ly links that hide the destination.

The National Anti-Scam Centre notes that some campaigns copy the SMS sender ID of the organisation they impersonate, so a fake can land in the same message thread as genuine texts. That loophole is closing: under the ACMA’s SMS Sender ID Register, organisations had until 30 June 2026 to register their branded sender IDs, and from 1 July 2026 messages using unregistered alphanumeric IDs are flagged or filtered. Scammers are already shifting to plain mobile and international numbers instead — an Australian exchange texting you from an overseas number is a red flag in itself.

Why you got a CoinSpot text without having an account

Scam texts are sent by volume, not by precision. Operators blast the same template at lists of mobile numbers assembled from data breaches, leaked marketing databases and simple number-generation software. CoinSpot is impersonated for the same reason the big four banks, Australia Post and myGov are: it is one of Australia’s most widely used exchanges, operating since 2013, so any random list of Australian numbers contains some genuine customers.

Receiving one of these texts does not mean CoinSpot leaked your details, and it does not mean someone opened an account in your name. It means your mobile number is on a spam list — which, after the major Australian breaches of recent years, describes most of the country.

The scale is significant. The National Anti-Scam Centre reported that Scamwatch received more than 16,700 phishing reports in the first quarter of 2025 with $11.1 million in reported losses — up over 200% year on year — and that around three quarters of the account-compromise reports involved cryptocurrency accounts.

How to verify a real CoinSpot communication

CoinSpot’s support documentation is explicit about what it will never do. It will never:

  • send an SMS telling you to call a phone number, or to act urgently on a “security issue”
  • ask for your password, two-factor code or other sensitive information over the phone or by email
  • direct you to click a link in a text to “verify” or “unlock” your account

The only genuine login page is www.coinspot.com.au — typed into your browser yourself, never reached through a link in a message. Official support runs through the 24/7 live chat on that website and support@coinspot.com.au. If a message claims something is happening on your account, ignore the message entirely and log in directly through the app or the typed address: any real alert, pending withdrawal or notification will be visible inside your account. If nothing is there, the text was a fake.

The same verification habit applies to every platform, not just CoinSpot — our guide to crypto scams in Australia covers the wider patterns, from fake exchanges to recovery scams.

What to do when a scam text arrives

  1. Don’t click, call or reply. Replying — even “STOP” — confirms your number is active. Don’t tap links or ring any number in the message.
  2. Check your account the safe way. If you hold a CoinSpot account, open the app or type coinspot.com.au directly and review your activity. No account? There is nothing to check — the text was a blind shot.
  3. Forward the SMS to 7726. Telstra, Optus and TPG all accept scam texts at this free number. Forward the actual message rather than a screenshot, so carrier filters can read the text and block the campaign.
  4. Report it to Scamwatch. A report at scamwatch.gov.au feeds the National Anti-Scam Centre’s disruption work even if you lost nothing.
  5. Block and delete. Then block the sender so the thread can’t be reused against you.
  6. Harden the account you do have. Use a unique password and app-based two-factor authentication on any exchange account. If you hold meaningful long-term amounts, many holders move them off-exchange entirely — see our comparison of hardware wallets available in Australia.
  7. If you clicked or shared anything, act immediately. Change your password on the real site, contact CoinSpot’s live chat to secure the account, call your bank if payment details were involved, report to ReportCyber, and contact IDCARE (1800 595 160) if identity documents were exposed.

CoinSpot’s actual security record

A common reaction to these texts is to wonder whether CoinSpot itself has a security problem. The factual record: in November 2023, CoinSpot suffered a hot-wallet incident in which about 1,262 ETH — roughly US$2.4 million at the time — was drained, attributed by blockchain analysts to a probable private-key compromise. The company absorbed the loss, no customer losses were reported, and the platform continued operating while engaging external cybersecurity specialists.

Since then, CoinSpot has maintained ISO 27001 certification (an audited information-security standard), supports app-based two-factor authentication and offers account-level controls such as withdrawal restrictions. None of that is a guarantee — no custodial platform can offer one — but the 2023 incident is unrelated to scam texts, which attack the customer rather than the exchange. The strongest security system cannot help if credentials are handed to a fake login page.

Is CoinSpot itself legitimate?

Yes, as a matter of public record: CoinSpot is a Melbourne-headquartered exchange operating since December 2013, registered with AUSTRAC as a digital currency exchange, listing 500+ assets, and running long-standing SMSF accounts for self-managed super funds. One important nuance — AUSTRAC registration is an anti-money-laundering and counter-terrorism-financing compliance obligation, not a licence to provide financial services and not a government endorsement of the platform.

The scam texts are sent by criminals trading on the brand’s recognition, exactly as they do with banks and government agencies. If the experience has you looking harder at costs and features, our breakdown of CoinSpot’s fees and pricing structure covers what the platform actually charges, and our comparison of Australian crypto exchanges sets it alongside AUSTRAC-registered alternatives so you can weigh them on the facts.

And if you are new to all of this and the text was your first contact with crypto, start with the beginner guides in our learn hub before any platform — legitimate or otherwise — gets your details.

The short version

Real CoinSpot messages never ask you to call, click or share a code. Fake ones always do. Verify inside the app or at the typed address, forward the text to 7726, report it to Scamwatch, and treat any urgency in an SMS as the surest sign it isn’t genuine.

Common questions

Frequently asked questions

Why am I getting CoinSpot texts when I've never had an account?

Scammers send the same template to millions of mobile numbers harvested from data breaches, leaked marketing lists and number-generation software, knowing a fraction of recipients will be CoinSpot customers. Receiving one does not mean CoinSpot holds or leaked your data — the same lists power fake bank, toll and myGov texts. If you have no account, there is nothing to compromise: delete the message, forward it to 7726 and report it to Scamwatch.

Does CoinSpot send text messages with links or phone numbers?

CoinSpot's support documentation states it will never send an SMS telling you to call a phone number, never message you that there are urgent security issues with your account, and never asks for your password or two-factor codes by phone or email. Treat any text that asks you to tap a link, call a number or read out a code as fraudulent, and check your account only by typing coinspot.com.au yourself or opening the official app.

What should I do if I clicked the link in a CoinSpot scam text?

If you only opened the page, close it without entering anything. If you entered a password, change it immediately on the real site, enable app-based two-factor authentication and contact CoinSpot via the live chat on its website to secure the account. If you shared banking details or sent money, call your bank straight away, report the incident to Scamwatch and ReportCyber, and contact IDCARE on 1800 595 160 for identity-recovery support.

How do I report a CoinSpot scam text in Australia?

Forward the message to 7726, the spam-reporting service supported by Telstra, Optus and TPG — forward the actual text, not a screenshot, so carrier filters can read it. Then lodge a report with Scamwatch at scamwatch.gov.au, which feeds the National Anti-Scam Centre's disruption work. If money or personal information was lost, also report to ReportCyber and tell your bank. Reporting is free and helps carriers block the campaign for others.

Is CoinSpot a legitimate company?

CoinSpot is a real Australian business: a Melbourne-based exchange operating since December 2013, registered with AUSTRAC as a digital currency exchange and ISO 27001 certified. AUSTRAC registration is an anti-money-laundering compliance obligation, not a licence or government endorsement of the platform. The scam texts are sent by criminals impersonating the brand, not by CoinSpot — a pattern that targets every major Australian bank and exchange.

Has CoinSpot ever been hacked?

In November 2023 CoinSpot suffered a hot-wallet incident in which about 1,262 ETH (roughly US$2.4 million) was drained, attributed by blockchain analysts to a probable private-key compromise. The company absorbed the loss, no customer losses were reported, and it continued operating. That event is unrelated to scam texts, which target individuals rather than the exchange's own systems — no exchange's security can stop you handing credentials to a fake site.

Sources & further reading