Beware a scam that tricks people into giving a two-factor authentication code to a criminal so they can access your bank or other account. Criminals mostly impersonate banks but can try with other accounts, like Microsoft accounts.
Security codes sent by text message are one way to verify an account login, but they are not ideal because the SMS/text system isn't entirely secure.
Scammers can and do trick people into reading out the latest security code, which will work if used within a few minutes.
Scam in action
An Aussie cyber crime squad gives an example of how the scam works:
Scammer: Hi [uses first name], I’m X from Q bank, we’ve picked up some activity from your card ending in 1234 that looks suspicious. Have you just made a purchase at XYZ?
Victim: No that wasn’t me, I live in a different state.
Scammer: OK well, I’m going to need to cancel that card quickly to make sure those transactions don’t go through. Firstly I just need to confirm a few details. Can you please tell me your name, date of birth, bank account details and address?
Victim: *Gives information*
Scammer: OK great thanks, now you’re probably going to get a text message from us about that fraudulent activity.
[At this point the scammer tries to login and triggers a confirmation/security code to the victim’s smartphone]
Victim: Ah yes I’ve just had that message come through.
Scammer: Oh good — could you just repeat that code, then? Thanks.
Victim: *Repeats code*
The scammer is then able to complete the fraudulent purchases using this information.
Source: NSW Cyber Crime Squad commander Detective Superintendent Matt Craft as quoted on ABC News.
Protect yourself
A few ways to protect yourself:
- NEVER tell anyone a two-factor code, whether it comes over SMS or from an authentication app. No bank or other company needs to ask for a one-time authentication code over the phone.
- If someone does ask, hang up, especially if they made the call to you.
- Be suspicious of any incoming call from a bank or other entity.
- If you receive a message asking you to call a number, check that number against another source, like the back of your credit/debit card or a recent statement.
- Preferably, use an authentication app from Microsoft, Google or Authy (our recommendation) to get security codes.
- Not all companies offer app-based security (Grrrrr), but use it when available.
SMS/text message verification is a good alternative or backup for app-based authentication. Make sure the account has your current mobile/wireless phone number, just in case it’s needed.
Final reminder: Microsoft Support will NEVER call you. If you get a surprise call from “Microsoft Support” just hang up.