Verified by GonePhishing.com: This article explains one of the most dangerous phone scam tactics because it targets two-factor authentication and account recovery systems directly.
What is a one-time passcode scam?
A one-time passcode scam happens when a criminal tries to log into your account and then calls you pretending to be from a trusted company. The scammer asks you to read back the code that was just texted or emailed to you.
The story may sound harmless. The caller may say they are verifying your identity, canceling suspicious activity, securing your account, or completing a support request. But the code is often the last piece they need to complete an account takeover.
How the scam works
- The scammer starts a login or password reset on your account.
- You receive a real one-time code from the legitimate service.
- The scammer calls pretending to be support, security, or fraud prevention.
- You read them the code.
- The scammer uses that code to enter your account.
Why this trick is so effective
- The code is real: The message truly comes from the real company, which lowers suspicion.
- The caller sounds helpful: They often act like they are protecting you.
- People are rushed: The scammer creates urgency so you do not stop and think.
- Many people do not realize what the code is for: They assume it is part of normal verification.
Common cover stories scammers use
- “We detected fraud and need to verify your identity.”
- “We are canceling a suspicious transaction.”
- “Your account was locked and we’re helping restore access.”
- “A support ticket was opened and we need to confirm it was you.”
- “Read back the code so we can secure your profile.”
The golden rule
If you did not start the login, password reset, or verification process yourself, do not share the code with anyone. This holds even if the caller sounds legitimate, even if the text looks real, and even if the request seems urgent.
How to protect yourself
- Never read a code to an incoming caller.
- Hang up and verify independently.
- Check your account directly through the official app or website.
- Change your password immediately if you shared the code.
- Review recent login activity and security settings.
What to do if you already shared the code
Act quickly. Change the password on the affected account, log out of other sessions if possible, update recovery settings, and enable stronger security options. If the account is tied to banking, email, or payroll, secure those connected services too.
FAQ
What is a one-time passcode used for?
It is commonly used as a second step in login, verification, password reset, or account recovery.
If the text came from the real company, doesn’t that mean the call is real too?
No. The code may be legitimate, but the caller may be the person who triggered it fraudulently.
Should I ever read a verification code to someone who called me?
No. The safest rule is to never read a one-time code to an incoming caller.