The bottom line is: don't give out your OTPs. Most of the time, the texts and emails with these codes will even tell you not to give them out.
One-time passcodes (OTPs) are a crucial security feature in our digital age, adding an extra layer of protection for online transactions and account logins. But scammers often try to hijack these codes so they can steal sensitive info, money or both.
Here are some examples of current scams involving OTPs, and how you can avoid them.
Here, cybercriminals send fake emails or text messages appearing to be from legitimate sources, such as credit unions or banks, online retailers or social media platforms. These messages often contain urgent requests to verify your account or resolve an issue, prompting you to enter your OTP on a fraudulent website. It was the attacker who triggered the OTP request with the legitimate source behind the scenes, in order to gain access to your account. When you enter the OTP on their fake website, you hand them that access.
In this scam, fraudsters call victims and pretend to be from a reputable organization, like Oregonians CU. They may claim there is suspicious activity on your account and let you know they'll take care of it, after they verify your account. They'll ask you to verify confidential information, which may include your online banking login credentials. In the background, they'll attempt to log in, knowing this will send you an OTP - so they will tell you they're sending you an OTP to verify it's really you. Once you give them the OTP, they can log into your accounts online and start transferring money out.
In this method, attackers intercept communications between you and a legitimate service provider. When you request an OTP, the attacker captures it and uses it to gain access to your account.
Avoid falling victim to a one-time password scam by watching out for these red flags:
Staying safe from OTP scams requires vigilance and adopting best practices for online security. Here are some steps you can take:
If you think you’ve been scammed or shared your OTP, take quick action.
First, change the passwords on all affected accounts and those that have similar login credentials. Next, notify the organization that holds the account that it has been compromised. They can help secure your account and guide you on additional steps. Monitor your accounts in the ensuing weeks and months, looking out for any unauthorized activity. Finally, file a report with your local consumer protection agency, the FTC and the Internet Crime Complaint Center.
You may also want to consider identity theft protection at this time if sensitive information was compromised.
Stay safe!