How scammers steal one-time codes and how to stop them

You may not know the term, but you use them all the time. One-time passcodes, or OTPs, are temporary codes sent by text or email to verify your identity. They’re designed to keep your account safe, but scammers have found ways to get around them.

Here are two common OTP scams and a few ways to protect yourself.

Scam 1: They trick you into giving them your one-time passcode.

It’s simple but it works. The scammer calls or texts, posing as someone from a business with an “urgent message.” There’s suspicious activity on your account, and you must verify a transaction right now before all your money is gone. Conveniently, they’ve just sent a one-time passcode, and could you please read it back to them? Don’t do it! They’re not protecting your account—they’re trying to break into it. Your OTP is the only thing standing in the way.

What you can do to protect yourself

• Don’t share one-time passcodes with anyone—ever.
  No legitimate business needs it, so they will never ask for it.

• Be wary of urgent messages.
  Don’t trust unsolicited calls, texts, or emails, especially ones that ask for personal details or put pressure on you to act fast.

Scam 2: They hijack your phone’s SIM card.

SIM hijacking (or SIM swapping) is an advanced scam that doesn’t need your participation at all. Instead, scammers use stolen information to pose as you. They contact your mobile carrier and claim that your phone is lost or damaged then convince the rep to transfer your number to a new SIM card, one that they control.

One day, your phone loses service. Meanwhile, your calls and texts—including one-time passcodes—are being sent to the scammers. If they already have your login details from a data breach or phishing scam, they can bypass your two-factor authentication and access your accounts.

What you can do to protect yourself

• Switch to an authentication app.
  Apps like Google Authenticator or Authy don’t need your phone number to unlock your account.

• Add a PIN or password to your mobile account.
  Contact your carrier and ask them to set up a code that future callers must provide before making changes.

• Know the one exception—when you call us.
  If you call customer service at 888-248-6423 with a question about your account, we may ask you to verify who you are using a one-time passcode.

What to do if your phone loses service

• Contact your mobile carrier immediately. 
  Ask them to suspend or lock your account and reverse the SIM swap.

• Change your passwords. 
  Especially for your bank, credit cards, email, social media, and cloud storage.

• Update your recovery settings.
  Remove the hijacked phone number as a backup method.

• Switch from text to app-based two-factor ID.
  Then check for unusual activity or security changes.

• Let us know.
  We’ll monitor your account for suspicious activity.

• Freeze your credit and place a fraud alert with Equifax, Experian, or TransUnion.
  This will help prevent criminals from opening new accounts in your name.

• Report it.
  File a report with the local police and at identitytheft.gov.

One-time passcodes are a valuable security tool—but only if you stay informed, stay alert, and don’t let scammers catch you off guard. We’ll keep you updated about the latest ways criminals try to access your information. Let’s fight this fight together.