Skip to main content
Image
Anatomy of an imposter scam banner

When you log into your bank or credit card account, you might get a text message or email with a verification code. You then enter it at the login screen to confirm it’s really you. That’s a form of two-factor authentication that adds a layer of security to your account — and keeps would-be scammers and hackers out.

Your account password and a verification code work together, like the lock on your doorknob and a deadbolt lock. If you unlock the doorknob but not the deadbolt, you can’t get in. Likewise, if you know the account password but not the verification code, you can’t get in.

The same goes for scammers trying to get into your account. To break into your account, scammers need both keys. That’s why they try to trick you into sharing your verification code.

Scammers pretend to be someone you can trust, and say they’ve discovered a problem with one of your accounts — or that someone’s using your identity. They may know some things about you and sound very convincing. They may even be very sympathetic to your problem: offering to help you set things right … and then asking for your verification code to get into your account.

If you give them the code, they can log into your account and transfer all the money out of your savings or investment accounts.

Never give your verification code to someone else. It’s only for you to log into your account. Anyone who asks you for your account verification code is a scammer.

If someone asks you for your verification code, don’t engage. Hang up. Block their number. Stop texting them. Then report them to the FTC at ReportFraud.ftc.gov.

If you’re worried there's a problem with your account, contact your bank, credit union, or investment advisor directly. Use a number you trust, like the one on your statement or in your app. Never use the number the caller gave you; it’ll take you to the scammer.

Image
Unexpected request for your bank account verification code? Could be a scam. Stop and verify.

Our “Anatomy of an Imposter Scam” blog series breaks down how to recognize, avoid, and report business and government imposter scams. Read more.

Search Terms

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system, and user names also are part of the FTC’s computer user records system. We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.

The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.

  • We won’t post off-topic comments, repeated identical comments, or comments that include sales pitches or promotions.
  • We won’t post comments that include vulgar messages, personal attacks by name, or offensive terms that target specific people or groups.
  • We won’t post threats, defamatory statements, or suggestions or encouragement of illegal activity.
  • We won’t post comments that include personal information, like Social Security numbers, account numbers, home addresses, and email addresses. To file a detailed report about a scam, go to ReportFraud.ftc.gov.

We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.

Charlene Cole
March 07, 2024

Great advice. My accounts have been attacked by family member, possibly sold on the “black web” I have lost thousands of dollars that Cannot be recovered by me.

My stimulus check was stolen. To get the money back IRS, expects me to do a vast amount to get it back. I cannot physically do them.

Bibi05
March 08, 2024

Excellent info- we like receiving verification code by text (is very fast_)-
BUT FYI some companies like Panasonic send the code -called OTP for "one time pass"_ by EMAIL only'; it took 30 minutes to arrive and get it--their server is so slow--a real pain, We spent 2 h and tried 10 times to get it to register for their 12 months warranty-!!-

KMS
March 08, 2024

If your financial institution website supports it, another option is an authentication app or a physical token. It’s harder to be tricked into giving up those codes since the scammers can’t make it look like they sent it to you. Additionally, they help protect against SIM swapping.

Ray
March 08, 2024

This is not true. Some companies like Fidelity Investments have poor business practices. Just this week I was on the phone with Fidelity customer support to rollover funds over to a new brokerage firm and I was sent a OTP code that they asked for. I wasn't going to do it but in the text it specifically says "Don't give to anyone unless customer support asks for it", so I did and the transfer went through just fine. In my opinion this is a slippery slope since this business practice is not normal and getting people used to giving out the code to customer support (or anyone) is a bad idea. We need to get Fidelity to quit doing this, so that we NEVER have to give out the OTP code...

Joe
March 11, 2024

In reply to by Ray

Exactly! I just commented this same thing about T-Mobile customer service and then saw your comment. I suggested that the article specify that it's referring to incoming communications that weren't initiated by yourself at the same time

val
March 08, 2024

Verification codes change every time you log into your bank. The bank will call or text you with a new code every time you log in.

Eva
March 08, 2024

Gan verification codes be hacked? Suppose the hacker gets your log in details, then hang on to it then later on use man in the middle system to get your verification code, so when you think you're sending it to your bank for confirmation, they are able to intercept the info and gain access to your account. Personally, I am a bit doubtful of this method as there can be a way of intercepting....of course, nothing is totally safe, but I do not trust this method for my banking.

Nancy Wilkerson
March 11, 2024

I got a phone call from a email account I had no idea of how they were able to call me from a email address?
I didn't answer the call, I didn't recognize the name on the email address either..
Can you please send me the answer to my questions?
Thank you in advance.

Alvin Singh
March 08, 2024

Verification code to login to your account protect you from hackers and scammers. What l like about the Verification code is that it always different from the other codes and valid for a few short minutes

judith M Christensen
March 08, 2024

Thanks for educating people.
I was a victim or a scam that was about contacting Hewlett Packard to get tech support for my printer. Was transferred to scammers. Charged me for fake software. Contacted me my bank about card charges.
AI followed my wireless bank call. Criminals had a team using voice intercept & cut out bank
Connection. I had no clue. Man
called me next morning posing as BANK Fraud Investigator.
He got my account number & stole 16k from my money maker account!. My retirement is at risk now. Horrible!!

Joe
March 11, 2024

Why would T-Mobile customer service need to send me a code after I have already verified my account at the start of the call with the automated system? The same text messaged codes that state: "Your T-Mobile ID verification code is XXXXX. For your security never share your verification code. T-Mobile will never contact you to ask for your code."

This article should specify that it is referring to inbound communications that you didn't initiate yourself. (Although I still don't see why T-Mobile and many other customer service departments even use automated verification systems when they need you to go through and verify all the exact same information right afterwards

Susan
March 12, 2024

Minutes ago it happened to me. I received a call from cox communications, it actually said that on my phone screen. When I answered, he said that since I recently installed cox as my internet he was checking on how it was working for me. He was correct, 2 months ago I did set up cox service. How did he know that? I told him that it did not improve my tv speed and I planned to have it disconnected. He offered to increase my speed but to “ Erich who I was” he wanted me to give him the. Erick action code he just sent me. Fortunately, I did not but it was very convincing.

Timothy chung
March 19, 2024

I lost my identity number to submit my federal income tax! How will I ask for a new number

MD.Naimur Hasan
April 19, 2024

What is verification code

renee hutchins
April 22, 2024

What if they tell you that they've gotten money for you but you have to take some surveys first. But each one I have to give them my email. is that a scam.

Jordan Chaussee
May 03, 2024

This didn’t help me

Debra Gibbs
May 28, 2024

Actually I'm not quite sure. Anytime I get any notifications of Bitcoin I just swipe them away I don't Have any interest in it

Bob Jacobson
June 03, 2024

Too much irrelevant information, not enough about day to day online traffic and purposes. Which Is pretty bad. Especially on a Mac. Apple is bonkers.