Scams and account safety around holding dollars: fake support, phishing sites and unlock-fee tricks

Turning your savings into dollars and parking them in some container is supposed to make your money steadier. Instead, plenty of people come unstuck at the very last step: talked into paying an “unlock fee” by a smooth script, or typing a password into a site that looks exactly like the real one. Who this is for: ordinary people about to open an offshore account, sign up for a multi-currency wallet, or buy their first stablecoin, who are worried about getting burned. Who it is not for: anyone hunting for the one platform that is “definitely safe”. Safety comes from habits, not from a name. By the end you will have a set of self-checks you can run again and again.

The conclusion first

Almost every scam around “holding dollars” ends up pointing at the same thing: getting you to send money out yourself, or to hand over control of your account. Spotting them takes very little technical knowledge. One plain rule covers most of it: a legitimate platform will never make you pay a fee before you can withdraw, and will never ask you for your password, codes, private key or seed phrase. Anything that breaks that rule, no matter how urgent or how official it sounds, deserves a full stop.

Below I unpack the most common playbooks one by one, then walk you through three checks you can do yourself: read the domain character by character, protect your device, and guard the handful of secrets that matter. If you have already been caught, there is an ordered set of steps at the end to limit the damage. This is not here to scare you, only to give you one more reflex before you act.

Burn this in: if anyone, for any reason, wants you to pay money first to “activate”, “unlock”, “upgrade”, or post a “tax deposit” before you can withdraw, it is almost always a scam. Legitimate banks, wallets and exchanges do not ask for money this way. The moment you see this signal, stop.

The common playbooks, one by one

The wrapping changes, but the skeletons are few. Learn the skeletons and you will recognise the trick even after the wording shifts.

1. The upfront “unlock fee” or deposit. This is the classic. You are told your account is frozen for “risk control”, an “anti-money-laundering review”, or “suspected anomalies”, and that you must pay a fee before you can unfreeze and withdraw. Pay once and a second and third charge tend to appear. The reality: when a legitimate platform freezes funds, it never asks you to pay to unfreeze, and certainly never asks you to transfer money privately to some personal account.

2. Impersonating platform support or staff. Someone contacts you first, claiming to be from an exchange or bank. They read back some of your details to seem credible, then guide you to “follow along”: screenshot a code, click a link, move your funds to a “safe account”. Remember that platform support does not call or message you out of the blue telling you to transfer money, and there is no such thing as a “safe account”.

3. Phishing look-alike sites. They build a page that is nearly identical to the real one, with a domain that differs by a letter or two (a look-alike character swap, an added hyphen, a different suffix), and push it to you through search ads, text links or private messages. The moment you type your username and password there, you have handed them straight over. How to read the domain character by character comes in the next section.

4. Push to private chat, remote control or “doing it for you”. They pull you off the public platform into a private chat tool, claim they will “walk you through it hand in hand”, and get you to install remote-control software or simply hand over your username and password for them to “operate on your behalf”. Once remote software is installed or your login is given away, your device and account are no longer under your control. This site never offers to register or operate on your behalf, and never pulls you into private chat.

5. Fake payees and money-mule traps. Someone promises to help you convert at a “low cost”, or to buy your dollars or stablecoins at a great price, and has you send money first to a stranger as the payee, promising to pay you back afterwards. The money goes out and that is the last you hear of it. Worse, this kind of flow can involve someone else's criminal proceeds, dragging you in without your knowing. A stranger, a private deal, and a price too good to be true: put those three together and it is almost certainly a trap.

Behind all five, the goal is either to make you send money yourself or to trick you into handing over control of your account. Hold on to those two essentials and you will recognise old wine in new bottles.

Check the official domain to beat phishing: read the address bar character by character

A phishing site's biggest weakness is always in the address bar. It can make the page look flawless, but the domain cannot lie, as long as you are willing to read it carefully.

Build one habit: before you enter any account, read the address bar from left to right, one character at a time, with your eyes locked on the main domain segment. Check for these common tricks one by one:

Look-alike character swaps: a lowercase l swapped for the digit 1, an o for a 0, or rn run together to look like an m. At a glance they match; only reading character by character exposes them.
An added or dropped letter, or a hyphen slipped in, to make the domain look “close enough”.
The real brand name used as a subdomain prefix, while the actual main domain is the unfamiliar one that follows.
The suffix swapped for an uncommon one: the body looks right, but the ending is wrong.
Do not enter through links in search ads, texts or private messages. Type it yourself, or use the one in your bookmarks that you checked long ago.

How to read the address bar: what really decides whose site you reach is the main domain segment, the part right before the suffix and before the last “dot”. For an address shaped like account-subdomain.maindomain.suffix, make sure that middle “maindomain” segment is the one you know. However many fancy prefixes hang in front of it, they do not count. When you cannot read it for certain, close the tab and start over rather than settle.

A safe routine: the first time you confirm it is correct, save the official address to your browser bookmarks and only ever enter through the bookmark afterwards. When you need to reach an official page, you can also read this site's exit notice first, which explains how to check the domain and the referral relationship. This site shows no invite code.

Using a shared or public device: better not, but if you must, do it this way

If you can avoid logging into your account on a shared computer, an internet cafe, or someone else's phone, avoid it. You do not know whether a keylogger is running, and you do not know whether the browser has kept your logged-in state. But if there is genuinely no other way, shrink the exposure as much as you can:

Prefer your own phone and mobile data over an unknown public computer or public Wi-Fi.
If you must use a public device, open the browser's private/incognito mode and close the window completely when you are done.
Never tick “remember me” and never save the password to that device.
Log out before you leave, and clear this session's browsing history and cache.
Afterwards, change your password on your own device as soon as you can, and check the account for any unfamiliar login records.
Turn on the platform's two-factor authentication, so that a password alone is not enough to get in.

The core is one line: keep your secrets on a device you control, and always treat a public device as “unclean”.

Never hand over password, codes, private key or seed phrase

This is the one passage in the whole guide worth memorising. The following items are the keys to your account and your assets. No legitimate party will, or needs to, ask you for them:

Login password: a platform's own back end can do everything it needs to do, and never needs you to tell anyone your password.
SMS or app codes: a code is for you to use on the spot. Whoever asks you for it is trying to log into your account.
Private key: whoever holds the private key holds the assets. Handing it over is handing over the money itself.
Seed phrase (recovery words): it can restore your wallet on any device. Treat any page or person that asks you to type, photograph or upload your seed phrase as a scam.

Here is where I make this site's own line clear: DollarVault is an independent education site. It will never ask you for your password, codes, private key or seed phrase, and it collects no KYC documents. We do not register, operate or top up on your behalf, we will not pull you into private chat, and every outbound link points only to the exit notice, with the action completed by you on the official side. Anyone asking you for these things in this site's name is impersonating us.

When to stop immediately: the moment a conversation includes “send me the code”, “read me your private key / seed phrase”, “transfer some to a safe account first”, or “pay the fee and we will unfreeze you”, no matter how formal the title or how urgent the tone, stop, hang up or log out, and return to an official channel you have checked yourself before doing anything else.

What to do if you have been scammed: limit the damage in this order

If you have already been caught, do not panic and do not stall. Panic and delay only widen the loss. Work through it step by step in this order:

Stop all transfers and actions immediately. Do not believe that “one more payment will get the earlier money back”. That is the same script continuing, and it only pulls you in deeper.
Keep the evidence. Save the chat logs, transfer records, the other party's accounts, suspicious URLs and page screenshots. The sooner and more completely, the better. You will need them for reporting and for any appeal.
Contact the platform first. Through a channel you have checked yourself (the support entry inside the official site or official app, not a link the other party gave you), explain the situation and see whether they can freeze, stop or intercept the relevant transactions.
Report to your local police or anti-fraud authority. Bring the evidence you kept and follow the proper reporting route where you live. Channels differ by region, so go by what your local authorities publish.
Change the relevant passwords and turn on two-factor authentication right away. If you typed a password on a suspicious page, or logged in on a public device, change the password on your own device as soon as possible and check the account's login and device records.
Warn the people around you, so they are not scammed in turn. Scammers often strike again under the banner of “helping you recover your losses”. Anyone charging a fee to recover funds, or promising recovery, should still be treated as a scam.

Whether anything can be recovered depends on the case, and no one can promise you a result. But the sooner you stop, the fuller your evidence, and the faster you report, the better your chance of keeping the loss contained.

A red-flag checklist

Keep this checklist in your head. The instant any one of these shows up in a conversation or on a page, sound the alarm and stop to check:

You are asked to pay money first before you can withdraw, unfreeze, activate or upgrade an account.
Someone asks you for your password, codes, private key or seed phrase.
You are rushed with “right now, immediately, or it will be too late”, using urgency to push you past thinking.
You are told to move money to a “safe account” or to some stranger's payee account.
You are pulled off the public platform into a private chat tool and asked to install remote software or hand over your login.
The domain in the address bar does not exactly match the official one you know, off by a character or two.
A rate, return or “low-cost conversion” that is too good to be true, with the deal done privately.
Someone claiming to be platform support contacts you first and steers you to transfer money or take actions.

Who scammers target most

Scammers have preferences. If you fall into one of the groups below, turn your guard up another notch:

Newcomers meeting dollars, stablecoins or offshore accounts for the first time. Unfamiliar with the steps, they let their guard down when “support helps you operate”, which is exactly what the playbook loves.

People in a hurry to spend or to convert. The more rushed you are, the easier it is for urgency scripts to push you along and skip the checks you should have made. The more pressing it feels, the more you should force yourself to pause for three minutes.

People in high-inflation regions anxious about their local currency. Promises like “fast value preservation” and “we buy dollars at a high price” are especially attractive to the anxious, and are the bait used most often.

People who routinely use public devices and love clicking links. Logging in at an internet cafe or on a shared computer, or casually opening links in texts and private messages, leaves the door open for phishing and malware.

Not in these groups? Do not relax either. Even the most seasoned person can slip in a moment of running hot or being distracted. Safety is not a one-time judgement; it is a fixed set of actions you run before every move.

Common mistakes

Mistake 1: a page that looks official is official. A page's appearance is the easiest thing to copy. The only thing that cannot lie is the address bar. Judge real from fake by the domain first, never by how good the page looks.

Mistake 2: they can read back my details, so they must be real support. Personal information may have leaked from somewhere else, and knowing a few facts does not make the identity genuine. Real support will not tell you to transfer money or ask for codes, and that test is more reliable than “they know my details”.

Mistake 3: paying a small fee to unfreeze and recover a large balance is worth it. That is exactly how the playbook is designed. Pay the first fee and a second and third follow, and not a cent of the principal comes back. Treat any “pay to unfreeze” as a scam.

Mistake 4: hire a “professional recovery service” after being scammed and you will get it back. Services that charge a fee to recover funds, or promise to get it all back, are mostly second scams. The right move is to go through the official platform and the proper reporting route where you live, not to pay another fee to a stranger.

FAQ

A legitimate platform can freeze funds for risk control, so will it make me pay to unfreeze?No. A freeze is the platform's risk-control measure, and lifting it goes through the platform's own appeal and review process. It never needs an extra payment from you, and certainly never a transfer to some personal account. The moment you see “pay to unfreeze”, you can basically call it a scam.

Someone claiming to be support contacted me first. How do I tell real from fake?The steadiest test is not “do they know my details” but “are they asking me to transfer money or read out a code”. Legitimate support does not contact you out of the blue to transfer money, does not ask for codes, and there is no such thing as a safe account. If you are unsure, hang up and start the contact yourself through the support entry in the official app or site.

I already typed my password on a suspicious site. What should I do now?Immediately change that account's password on your own device, and change any other accounts that used the same password. Turn on two-factor authentication, check the account's login and device records for anything unusual, and save the suspicious URLs and screenshots. The faster you act, the smaller the window for someone to log in.

Will this site ask me for my password or operate on my behalf?Never. DollarVault is an independent education site. It does not ask for your password, codes, private key or seed phrase, it collects no KYC documents, and it does not register, operate or top up on your behalf. Every outbound link points only to the exit notice, with the action completed by you on the official side. Anyone asking for this information in this site's name is running a scam.

Sources and updates

This guide is meant to spread awareness of common scams and account-safety habits around holding dollars and converting currency. It is not investment, tax or legal advice, and it does not target any specific platform. For each platform's security rules, support channels and appeal processes, go by what its own official pages (security center, help center, anti-fraud notices) show at the time. For reporting and help, go by the channels your local authorities publish, and consult a local professional or law-enforcement body where needed. This site does not draw a compliance conclusion for any country.
Update note: 2026-06-20. First publication. It covers five common playbooks, how to check the domain, notes on shared devices, the steps to limit damage, and a red-flag checklist.

Qiao Dai

I lived for a few years in a high-inflation region and watched the local currency slide by a large chunk in a single year. Over time I worked out, step by step, how to turn savings into dollar-anchored things: I opened an offshore dollar account, received payments through Wise, and made my share of mistakes buying my first stablecoin. I have seen fake support and phishing sites up close too. I write the wrong turns plainly here at DollarVault so the people who come after me pay less in tuition. About the author

If they want an “unlock fee” before you can withdraw, it is almost always a scamFake support, phishing sites and shared-device risk around holding dollars