Beware of on-chain phishing scam!

So here's the story. I had been regularly transferring BUSD on the BSC network, from my Metamask wallet to a CEX. I did that a few times and they were successful.

So it happened that one time, I wanted to transfer some more BUSD. I decided that instead of logging in to the CEX website to copy the recipient address, I could save some effort by just firing up Metamask on my PC browser, view the account in the BSC explorer, find the previous transaction, and copy the recipient address from there.

So that's what I did. In BSC explorer, under BEP-20 Token Txns, I saw what looked like my previous transaction like so:

Phishing transaction

So I clicked on the address under the "To" column, then copied that address, put it into Metamask and sent my BUSD.

After waiting for quite some time, the token still had not arrived in my CEX account (I was using my phone to check).

After some investigation, I realised that I was the victim of a phishing attack! I looked down further below the above transaction and found the following:

My actual transaction

Turns out that this was the actual earlier transaction of me sending the earlier BUSD to the CEX. As you can see, the attacker had managed to create a fake transaction that looks as if I sent some tokens to an address that was similar to the real one. In reality, no such tokens were being transferred. The thing is, this transaction was submitted by the attacker but they somehow managed to make it look like I was the one who sent the tokens.

So the lesson learned is, in future, I'll always make sure to get the receiving address directly from the CEX instead of getting it from a past transaction in the blockchain explorer. Turns out the explorer can be misleading.