When you log into your bank or credit card account, you might get a text message or email with a verification code. You then enter it at the login screen to confirm it’s really you. That’s a form of two-factor authentication that adds a layer of security to your account — and keeps would-be scammers and hackers out.
Your account password and a verification code work together, like the lock on your doorknob and a deadbolt lock. If you unlock the doorknob but not the deadbolt, you can’t get in. Likewise, if you know the account password but not the verification code, you can’t get in.
The same goes for scammers trying to get into your account. To break into your account, scammers need both keys. That’s why they try to trick you into sharing your verification code.
Scammers pretend to be someone you can trust, and say they’ve discovered a problem with one of your accounts — or that someone’s using your identity. They may know some things about you and sound very convincing. They may even be very sympathetic to your problem: offering to help you set things right … and then asking for your verification code to get into your account.
If you give them the code, they can log into your account and transfer all the money out of your savings or investment accounts.
Never give your verification code to someone else. It’s only for you to log into your account. Anyone who asks you for your account verification code is a scammer.
If someone asks you for your verification code, don’t engage. Hang up. Block their number. Stop texting them. Then report them to the FTC at ReportFraud.ftc.gov.
If you’re worried there's a problem with your account, contact your bank, credit union, or investment advisor directly. Use a number you trust, like the one on your statement or in your app. Never use the number the caller gave you; it’ll take you to the scammer.
Great advice. My accounts have been attacked by a family member, possibly sold on the “black web.” I have lost thousands of dollars that cannot be recovered by me.
My stimulus check was stolen. To get the money back, the IRS expects me to do a vast amount to get it back. I cannot physically do them.
Excellent info. We like receiving the verification code by text (it is very fast).
BUT FYI, some companies like Panasonic send the code, called OTP for "one time pass," by EMAIL only; it took 30 minutes to arrive and get it. Their server is so slow, a real pain. We spent 2 h and tried 10 times to get it to register for their 12 months warranty!
If your financial institution website supports it, another option is an authentication app or a physical token. It’s harder to be tricked into giving up those codes since the scammers can’t make it look like they sent it to you. Additionally, they help protect against SIM swapping.
This is not true. Some companies like Fidelity Investments have poor business practices. Just this week I was on the phone with Fidelity customer support to roll over funds to a new brokerage firm and I was sent an OTP code that they asked for. I wasn't going to do it but in the text it specifically says "Don't give to anyone unless customer support asks for it", so I did and the transfer went through just fine. In my opinion this is a slippery slope since this business practice is not normal and getting people used to giving out the code to customer support (or anyone) is a bad idea. We need to get Fidelity to quit doing this, so that we NEVER have to give out the OTP code...
In reply to This is not true. Some… by Ray
Exactly! I just commented this same thing about T-Mobile customer service and then saw your comment. I suggested that the article specify that it's referring to incoming communications that weren't initiated by yourself at the same time.
Verification codes change every time you log into your bank. The bank will call or text you with a new code every time you log in.
Can verification codes be hacked? Suppose the hacker gets your login details, then hangs on to them, then later on uses a man-in-the-middle system to get your verification code, so when you think you're sending it to your bank for confirmation, they are able to intercept the info and gain access to your account. Personally, I am a bit doubtful of this method as there can be a way of intercepting... Of course, nothing is totally safe, but I do not trust this method for my banking.
I got a phone call from an email account; I had no idea how they were able to call me from an email address.
I didn't answer the call, and I didn't recognize the name on the email address either.
Can you please send me the answer to my questions?
Thank you in advance.
A verification code to log in to your account protects you from hackers and scammers. What I like about the verification code is that it is always different from the other codes and valid for a few short minutes.
Thanks for educating people.
I was a victim of a scam that was about contacting Hewlett Packard to get tech support for my printer. Was transferred to scammers. Charged me for fake software. Contacted me my bank about card charges.
AI followed my wireless bank call. Criminals had a team using voice intercept & cut out bank connection. I had no clue. Man called me next morning posing as BANK Fraud Investigator. He got my account number & stole 16k from my money maker account! My retirement is at risk now. Horrible!!
Why would T-Mobile customer service need to send me a code after I have already verified my account at the start of the call with the automated system? The same text messaged codes that state: "Your T-Mobile ID verification code is XXXXX. For your security never share your verification code. T-Mobile will never contact you to ask for your code."
This article should specify that it is referring to inbound communications that you didn't initiate yourself. (Although I still don't see why T-Mobile and many other customer service departments even use automated verification systems when they need you to go through and verify all the exact same information right afterwards.)
Minutes ago it happened to me. I received a call from Cox Communications; it actually said that on my phone screen. When I answered, he said that since I recently installed Cox as my internet he was checking on how it was working for me. He was correct, 2 months ago I did set up Cox service. How did he know that? I told him that it did not improve my TV speed and I planned to have it disconnected. He offered to increase my speed but to “verify who I was” he wanted me to give him the verification code he just sent me. Fortunately, I did not but it was very convincing.
I lost my identity number to submit my federal income tax! How will I ask for a new number?
What is a verification code?
What if they tell you that they've gotten money for you but you have to take some surveys first? But each one I have to give them my email. Is that a scam?
This didn’t help me
Actually I'm not quite sure. Anytime I get any notifications of Bitcoin I just swipe them away. I don't have any interest in it.
Too much irrelevant information, not enough about day to day online traffic and purposes. Which is pretty bad. Especially on a Mac. Apple is bonkers.