One-Time Passcode (OTP) Scams

OTP scams involve scammers tricking seniors into sharing one-time passcodes used in two-factor authentication (2FA) for bank accounts or other secure transactions. The scammer pretends to be from a trusted company and asks the victim to read back a passcode sent to their phone or email. In reality, the scammer is using that code to access the victim’s accounts.

You receive an unexpected text from your bank with a one-time passcode. Moments later, you get a call from someone claiming to be a bank representative. The “rep” explains there’s suspicious activity on your account and asks you to read back the passcode to stop the fraud. Trusting them, you comply, not knowing you’ve just handed over access to your account.

• Unexpected Passcodes: If you receive a one-time passcode (OTP) text or email without having initiated any transactions or login attempts, this could indicate that someone is trying to access your account.
• Requests for Passcodes: Legitimate companies will never ask for an OTP via phone, text, or email. If someone calls or messages you asking for a passcode, even if they claim to be from your bank or another trusted institution, it’s likely a scam.
• Sense of Urgency: Scammers often try to rush you, claiming there’s suspicious activity on your account or that your account will be frozen unless you provide the OTP immediately. This is a common tactic to prevent you from verifying the request.
• Caller Claims to be from Security or Fraud Departments: Scammers will often pose as a fraud or security department representative, telling you they need the OTP to "stop fraudulent activity." A legitimate fraud department would never ask for this information, as they would not need it to secure your account.
• Multiple Passcode Requests: If you keep receiving OTPs without making any requests, it could mean someone is trying to access your accounts. Never share these codes, and contact your bank or service provider immediately to report suspicious activity.

Additional Warning: OTP scams are especially dangerous because they can bypass 2FA security measures. If you receive an unsolicited code, report any suspicious activity immediately to your service provider. Enable two-factor authentication (2FA) but always keep your passcodes private. If you receive any requests for your passcode without having initiated it, call your bank or service provider directly using official contact numbers.