The One-Time Code: The Last Lock They Try to Take From You
The one-time verification code that arrives by SMS is the last barrier between an attacker and your account or your money. Code fraud is any method whose goal is to get you to read out or forward that code.
How it starts
Usually the code arrives without you asking for it, or at the exact moment a call or a message is asking you for it. Someone, presenting himself as a representative of the bank, of a company, or even as a buyer or a seller, explains that a code will reach you and that it is needed in order to continue.
How it works
The attacker has started some action on your account, for example a login attempt or a transfer, and the system has sent you an approval code. Now he needs that code. He will invent a story: the code was sent to you by mistake, the code is needed to cancel a charge, the code confirms that you are the owner. The moment you read him the code, he completes the action he started, and to the system it looks like an action you approved.
What the scammer wants
The attacker wants the one-time code, and only that, because everything else is already in his hands. The code is the key that activates the theft. He does not want you to think about it, so he will rush you and try to keep you on the line until you hand it over.
Common phrases
- We just sent you a code, read it to me
- The code was sent to you by mistake, send it back to me
- We need the code to verify that you are the owner
- The code is needed to cancel the charge
- Stay on the line until the code arrives
Red flags
- A verification code that arrives without you starting any action
- Someone asks you to read out or forward a code, for any reason at all
- The call pressures you to read the code quickly
- An explanation that the code was sent by mistake and must be returned
- A request to stay on the line until the code arrives
What to do now
- Do not read out or forward the code to anyone, not even to someone who sounds official
- Hang up. No real service will ask you to read out a verification code on the phone
- Read the message with the code all the way through; it usually explains which action the code approves
- If you got a code you did not ask for, someone may be trying to get into your account. Change the password immediately
- If you already gave a code, contact the relevant service immediately to stop the action and secure the account
Example scenario
Yossi gets a call from someone presenting himself as a service representative. During the call, a text with a six-digit code arrives on Yossi's phone. The representative says: we have just sent you a verification code, read it to me so we can continue. Yossi reads it out. What he does not know is that this code approved a login to his account. The call ends politely, and only afterward does Yossi realize that someone logged in to his account at exactly that moment.
Prevention tips
- Treat a one-time code like a password: it is completely private and is given to no one
- Always read the content of the message. The code comes with an explanation of what it approves
- Turn on two-step verification on important services, so that a code alone is not enough for an attacker
- Remember: a real organization sends you a code for you to enter on a screen, not for you to read out to a person
- If you are not sure, hang up and call the service on its official number
Full description
Many services, from the bank to apps, send a one-time code to approve an action: logging in, transferring money, changing details. The code is sent to you precisely so that only you can approve. That is what makes it a target. In many scams, the attacker has already obtained the rest of the details, and only one piece is left that he cannot get on his own: the code the system sent to your phone. All he needs is for you to hand it over, so he will invent a convincing reason to ask.
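The description above explains the mechanism from the user's side: the system issues a code for one specific action, and whoever submits it completes that action. The following is an added example, not code from any real service, showing how an issuing service binds each code to the action it approves, puts that explanation into the message (the text the "read the message all the way through" advice relies on), and enforces expiry, single use, a small attempt limit and a constant-time comparison. The class name, the policy values and the "yossi" scenario are constructed for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed policy values for this example; a real service picks its own.
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 3


@dataclass
class PendingCode:
    code: str
    details: str        # human-readable explanation that goes into the SMS
    created_at: float
    attempts: int = 0


def compose_sms(code, action, details):
    """The message states which action the code approves, so a recipient who
    reads it fully can see a 'login' code being requested for a 'refund'."""
    return (f"Your code is {code}. It approves: {action} ({details}). "
            f"It expires in {CODE_TTL_SECONDS // 60} minutes. "
            "Never read it out or forward it to anyone, including our staff.")


class OtpService:
    """Issues one-time codes bound to one (user, action) pair and verifies them."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry is testable offline
        self._pending = {}       # (user_id, action) -> PendingCode

    def issue(self, user_id, action, details):
        """Start an action, generate its code and return (code, sms_text).
        The code is stored under the action it approves, so a code issued for
        a login cannot later be presented to approve a transfer."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[(user_id, action)] = PendingCode(code, details, self._now())
        return code, compose_sms(code, action, details)

    def verify(self, user_id, action, submitted):
        """Return (ok, reason). The code is consumed on success and on lockout."""
        key = (user_id, action)
        pending = self._pending.get(key)
        if pending is None:
            return False, "no pending action"
        if self._now() - pending.created_at > CODE_TTL_SECONDS:
            del self._pending[key]
            return False, "expired"
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[key]
            return False, "too many attempts"
        # Reject non-ASCII-digit input before the constant-time comparison,
        # which only accepts ASCII strings.
        well_formed = submitted.isascii() and submitted.isdigit()
        if not (well_formed and hmac.compare_digest(pending.code, submitted)):
            return False, "wrong code"
        del self._pending[key]   # single use: a read-out code cannot be reused
        return True, "approved"


def scenario():
    """Replay the page's example: an attacker starts a login on Yossi's account,
    the system sends Yossi the code. Returns the SMS text and three verify results."""
    svc = OtpService()
    code, sms = svc.issue("yossi", "login", "new device, Chrome on Windows")
    # The code is bound to the login it was issued for and approves nothing else.
    wrong_action = svc.verify("yossi", "transfer", code)
    # Whoever submits the code completes the login; the system cannot tell
    # that Yossi read it out to a caller.
    approved = svc.verify("yossi", "login", code)
    # Once used, the same code is dead.
    replayed = svc.verify("yossi", "login", code)
    return sms, wrong_action, approved, replayed


if __name__ == "__main__":
    for item in scenario():
        print(item)
```

The design point worth noticing is the key of the `_pending` table: the code is looked up by user and action, never by the code value alone. That is what makes the message's explanation trustworthy, because the action named in the SMS is the only one the code can ever complete.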
