SCAM LIBRARY · PHISHING & LINKS
The one-time-code (2FA) theft
A scammer tricks you into sharing a one-time code meant to protect your account, then uses it to lock you out and steal your access.
Documented by the FTC & FBI IC3 · reviewed 2026-07-11T18:14:57.874Z
How it works
You receive an urgent message (email, text, or call) appearing to come from a service you trust, claiming there's suspicious activity or a security problem with your account. They ask you to confirm your identity by sharing a code you receive on your phone or in your email—but that code is actually the key they need to break in.
What it can look like
You get a call saying your bank account has unusual login attempts and asking you to verify it's really you. They tell you to check your phone for a text with a 6-digit code and read it back to them so they can 'secure' your account. In reality, they just triggered that code themselves and are waiting for you to hand it over.
How it unfolds
Scams like this follow a pattern. Knowing the arc helps you notice where you are — and step away before the ask.
Red flags
- Urgent pressure to act immediately or your account will be locked
- A request to share a code or password over the phone, email, or text—legitimate companies never ask this
- The message comes out of the blue when you weren't expecting account trouble
- They claim to be calling or emailing 'for your security' but won't let you hang up and call the official number yourself
What to do
- Hang up or ignore the message. Use a phone number or website you know is real (from your own records or official materials) to contact the company directly and verify whether there's actually a problem.
- Never share one-time codes, passwords, or security answers with anyone, no matter how official they sound.
- Report the scam attempt at reportfraud.ftc.gov so authorities can track these schemes and protect others.
If it already happened
Acting quickly can limit the damage. You are not alone, and it is not your fault.
- Contact your bank, credit card company, or the institution whose account was accessed—use the phone number on the back of your card or your official statement, never a number from the suspicious message. Tell them what happened and ask them to freeze or monitor your account.
- Change your password for that account and any other accounts that share the same or similar password. Use a strong, unique password. If you use an authenticator app, review its settings to remove any unfamiliar devices.
- Monitor your accounts and credit reports regularly over the next weeks and months. Set up fraud alerts with the credit bureaus if available. Keep records of all communications, dates, and what was compromised.
- Report the incident at reportfraud.ftc.gov. Include details about how you were contacted, what information or codes you provided, and the date. This helps protect others and creates an official record.
Sources
Guidance on this page draws on public, authoritative consumer-protection resources (verified live 2026-07-10). Documented by the FTC & FBI IC3 · reviewed 2026-07-11T18:14:57.874Z.

