Skip to content

SCAM LIBRARY · PHISHING & LINKS

The one-time-code (2FA) theft

A scammer tricks you into sharing a one-time code meant to protect your account, then uses it to lock you out and steal your access.

Documented by the FTC & FBI IC3 · reviewed 2026-07-11T18:14:57.874Z

How it works

You receive an urgent message (email, text, or call) appearing to come from a service you trust, claiming there's suspicious activity or a security problem with your account. They ask you to confirm your identity by sharing a code you receive on your phone or in your email—but that code is actually the key they need to break in.

What it can look like

You get a call saying your bank account has unusual login attempts and asking you to verify it's really you. They tell you to check your phone for a text with a 6-digit code and read it back to them so they can 'secure' your account. In reality, they just triggered that code themselves and are waiting for you to hand it over.

How it unfolds

Scams like this follow a pattern. Knowing the arc helps you notice where you are — and step away before the ask.

You receive a message (email, text, or call) that looks like it's from a company you use—your bank, email provider, or online account. It says there's a security problem or unusual activity and asks you to verify your identity right away.
You're directed to click a link or call a number. The page or voice prompt looks official. You enter your username and password, or answer security questions. It feels routine and safe because the branding matches the real company.
Next, you're asked to enter a one-time code—the 6-digit or 8-digit number that just arrived on your phone via text or authenticator app. The message says it's the final step to protect your account. The urgency feels real.
You provide the code. Moments later, you notice charges on your account, or someone has logged into your email or bank from a different location. The scammer used your code to lock you out and take control. This is the moment to stop and alert your financial institution immediately.

Red flags

  • Urgent pressure to act immediately or your account will be locked
  • A request to share a code or password over the phone, email, or text—legitimate companies never ask this
  • The message comes out of the blue when you weren't expecting account trouble
  • They claim to be calling or emailing 'for your security' but won't let you hang up and call the official number yourself

What to do

  • Hang up or ignore the message. Use a phone number or website you know is real (from your own records or official materials) to contact the company directly and verify whether there's actually a problem.
  • Never share one-time codes, passwords, or security answers with anyone, no matter how official they sound.
  • Report the scam attempt at reportfraud.ftc.gov so authorities can track these schemes and protect others.

If it already happened

Acting quickly can limit the damage. You are not alone, and it is not your fault.

  • Contact your bank, credit card company, or the institution whose account was accessed—use the phone number on the back of your card or your official statement, never a number from the suspicious message. Tell them what happened and ask them to freeze or monitor your account.
  • Change your password for that account and any other accounts that share the same or similar password. Use a strong, unique password. If you use an authenticator app, review its settings to remove any unfamiliar devices.
  • Monitor your accounts and credit reports regularly over the next weeks and months. Set up fraud alerts with the credit bureaus if available. Keep records of all communications, dates, and what was compromised.
  • Report the incident at reportfraud.ftc.gov. Include details about how you were contacted, what information or codes you provided, and the date. This helps protect others and creates an official record.

Sources

Guidance on this page draws on public, authoritative consumer-protection resources (verified live 2026-07-10). Documented by the FTC & FBI IC3 · reviewed 2026-07-11T18:14:57.874Z.

Spotted this or lost money? Report it at reportfraud.ftc.gov. This is general educational information, not legal or financial advice — and ScamVet never asks for your identity or account details.