Don’t worry, you didn’t do anything wrong.
See, the problem is that “the blockchain” (Ethereum in particular) is essentially a huge Excel spreadsheet that anyone can write into.
When you move ETH, there are built-in checks that you need a valid signature from your private key, etc., all that jazz. When you interact with tokens? Ha ha, not so much.
Every token is a smart contract, that is, a piece of code that “runs” on the Ethereum virtual machine. If the token is well written, it has all the things like “IF the transaction is signed by the sender, AND the sender owns enough tokens, THEN subtract tokens from sender and move them to recipient”.
Trouble is, anyone can publish any contract. I can make my own, set its name to “USDT”, and say “yeah and address A will receive 25, address B will receive 100, address XYZ will receive … blah blah”, you get the gist.
The way Ethereum works, I can inject those completely-made-up-on-the-spot transactions into your history.
So what the scammers do is, they watch for any USDT transactions and generate the same ones, except they own the destination address.
What people do is browse through their history, copy-paste the last address and send more tokens to it.
That is called address poisoning.
What should be done is that Suite should implement basically a form of spam filter to throw out all fake tokens. But because all the tech is so new, and the problem is not completely understood, writing such a filter is not easy.
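
A sketch of the kind of filter described above, added here as an example (it is not part of the original post and is not Suite's code). It assumes the wallet has a registry mapping each token symbol to the one contract address it trusts; every name and address in it is hypothetical and constructed.

```python
from dataclasses import dataclass

# Assumption: registry of symbol -> the single contract address the wallet trusts.
# All addresses below are constructed placeholders, not real contracts or accounts.
TRUSTED_CONTRACTS = {"USDT": "0xaaaa00000000000000000000000000000000aaaa"}
FAKE_CONTRACT = "0xbbbb00000000000000000000000000000000bbbb"
ME = "0x1111000000000000000000000000000000001111"
FRIEND = "0x2222000000000000000000000000000000002222"
SCAMMER = "0x3333000000000000000000000000000000003333"

@dataclass(frozen=True)
class Transfer:
    contract: str   # address of the contract that recorded the transfer
    symbol: str     # name the contract reports for itself (publisher-controlled)
    sender: str
    recipient: str
    amount: int

def is_genuine(t: Transfer) -> bool:
    """Trust the contract address, never the self-reported symbol."""
    trusted = TRUSTED_CONTRACTS.get(t.symbol)
    return trusted is not None and t.contract.lower() == trusted.lower()

def filter_history(history):
    """Return (genuine transfers, set of poisoned addresses).

    A fake transfer copying the sender and amount of a genuine one, but with a
    different recipient, is the mimic the post describes. Its recipient is
    reported so the UI can refuse to offer it for copy-paste.
    """
    genuine = [t for t in history if is_genuine(t)]
    poisoned = set()
    for fake in (t for t in history if not is_genuine(t)):
        for g in genuine:
            same_shape = (fake.symbol, fake.sender, fake.amount) == \
                         (g.symbol, g.sender, g.amount)
            if same_shape and fake.recipient != g.recipient:
                poisoned.add(fake.recipient)
    return genuine, poisoned

# Constructed history: one real payment, then a copy written by a fake "USDT".
HISTORY = [
    Transfer(TRUSTED_CONTRACTS["USDT"], "USDT", ME, FRIEND, 100),
    Transfer(FAKE_CONTRACT, "USDT", ME, SCAMMER, 100),
]

if __name__ == "__main__":
    shown, blocked = filter_history(HISTORY)
    print("show in history:", [t.recipient for t in shown])
    print("never suggest:", sorted(blocked))
```

Tokens whose symbol is not in the registry are hidden as well, which is a deliberately strict choice for this sketch.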