The bottom line is: don't give out your OTPs. Most of the time, the texts and emails with these codes will even tell you not to give them out.
One-time passcodes (OTPs) are a crucial security feature in our digital age, adding an extra layer of protection for online transactions and account logins. But scammers often try to hijack these codes so they can steal sensitive info, money or both.
Here are some examples of current scams involving OTPs, and how you can avoid them:
Phishing scams
Here, cybercriminals send fake emails or text messages appearing to be from legitimate sources, such as credit unions or banks, online retailers or social media platforms. These messages often contain urgent requests to verify your account or resolve an issue, prompting you to enter your OTP on a fraudulent website. Behind the scenes, it was the attacker who initiated the OTP request from the legitimate source in order to gain access to your account, and you hand them that access when you enter the OTP on their fake website.
Vishing (voice phishing) scams
In this scam, fraudsters call victims and pretend to be from a reputable organization, like Oregonians CU. They may claim there is suspicious activity on your account and let you know they'll take care of it, after they verify your account. They'll ask you to verify confidential information, which may include your online banking login credentials. In the background, they'll attempt to log in, knowing this will send you an OTP - so they will tell you they're sending you an OTP to verify it's really you. Once you give them the OTP, they can log into your accounts online and start transferring money out.
Man-in-the-middle attacks
Red flags
Avoid falling victim to a one-time password scam by watching out for these red flags:
- Urgency and threats. Scammers often create a false sense of urgency, claiming that immediate action is required to prevent something bad from happening, like an account suspension or fraud.
- Unusual sender information. Check the sender’s email address or phone number carefully. Scammers often use addresses or numbers that are slightly altered versions of legitimate ones.
- Suspicious links. Hover over links in emails or messages to see and verify the actual URL before clicking.
- Generic greetings and language. Scammers often use generic greetings like “Dear Customer” in their mass emails, which also tend to have spelling or grammatical errors.
YOU are the best defense against fraud.
Staying safe from OTP scams requires vigilance and adopting best practices for online security. Here are some steps you can take:
- Never share an OTP.
- If you get a request for your OTP, verify legitimacy by directly contacting the organization.
- Never give out your PINs and passwords for your accounts.
- Use multi-factor authentication whenever possible.
- Be wary of links in unsolicited emails or text messages.
- Install security software.
What to do if you fall for a scam.
If you think you’ve been scammed or shared your OTP, take quick action.
First, change the passwords on all affected accounts and those that have similar login credentials. Next, inform the host organization of the account that it’s been compromised. They can help secure your account and guide you on additional steps. Monitor your accounts in the ensuing weeks and months, looking out for any unauthorized activity. Finally, file a report with your local consumer protection agency, the FTC and the Internet Crime Complaint Center.
You may also want to consider identity theft protection at this time if sensitive information was compromised.
Stay safe!