Shhh! Don’t Tell Anyone That Access Code!
When a financial institution texts or emails you an access code with the note, "Do not share this code with anyone," they mean anyone — including them.
When a Vista, California woman received a call from someone claiming to be from her bank alerting her to fraud, she had no reason to doubt their identity.[1] They knew her debit card number and recent transactions. So, when they told her to expect an access code text and then she got one, she felt secure sharing it. After putting the woman on hold, the caller drained nearly $50,000 from her accounts.
One-time access codes are meant to protect accounts from scams, but fraudsters are now using complex strategies to get their hands on them.
Here's what everyone should know about access codes and why you should never give a code you receive by text, call, or email to anyone.
What Are Access Codes?
Access codes are a key part of a security process called multi-factor authentication (MFA). Many people will recognize MFA from logging into their financial accounts:
- When logging into an account with MFA, users are typically first asked for their username and password.
- Then, they're often given a choice of receiving an access code by text, voice call, or email.
MFA can happen in other ways, including using biometric data like a fingerprint or getting a code from a third-party authenticator app. PCMag describes the components of MFA as "something you know (such as a password), something you have (such as a hardware token or cell phone), and something you are (such as your fingerprint)."[2] Two-factor authentication, a common type of MFA, uses two of these three things.
Access codes, formally known as one-time passwords or OTPs, are automatically generated and sent directly to the user.[3] No human, even from the organization that generated the code, should have access to it. No one should ever ask you for it. OTPs are time-sensitive, generally expiring after five to 10 minutes.
A password and an access code may seem like overkill, but passwords aren't that hard for hackers to get these days. One 2024 data leak alone included nearly 10 billion passwords — the largest-ever leak of its kind.[4] And 85% of U.S. businesses have reported cyber breaches due to authentication weaknesses.[5]
How Access Code Scams Work
While many access code scams work similarly to the Vista victim's example, variations of the fraud exist. Another commonly reported scam happens when victims are duped into sharing a Google verification code when attempting to buy something on Facebook Marketplace.[6] This code can help scammers access personal information or hijack the victim's phone number. But both the Google and bank examples follow a shared pattern:
- Step One: Information gathering. Fraudsters typically know information about their victim before contacting them. This might only be a name, location, and phone number collected on social media, or it might involve purchasing or accessing leaked passwords and other personally identifiable information on the Dark Web.
- Step Two: Pretexting. Getting a victim to share an access code requires establishing trust. Pretexting is the act of developing a fake story to sell the scammer as someone trustworthy.[7] Pretexting is common in cybercrimes like phishing, romance and student loan relief scams.
- Step Three: The ask. The scammer uses their newfound trust to ask the victim for an authentication code that the scammer has prompted by using the data gathered in Step One to begin accessing the victim's account.
- Step Four: Gaining access. Once the criminal can access the victim's account, they can steal money and information.
Never give an access code to anyone. No legitimate organization will ever ask you for it. If anyone asks you for an access code, they're a scammer.
Other types of access code fraud exist. In an "authentication-in-the-middle" attack (a type of phishing and man-in-the-middle scam), the criminal lures a victim to a fake website that looks like their own financial institution and tracks the victim's keystrokes — including their access code, which the criminal immediately uses on the real site.[8]
SIM card swapping is another access code-related fraud. In this crime, scammers gain remote access to someone's phone, disable it, transfer its data activity to their own device and receive the access code themselves.
How to Protect Yourself Against Access Code Scams
Good news. There is one failsafe way to protect yourself from common types of access code scams:
- Never give an access code to anyone. Anyone. No legitimate organization will ever ask you for this information. Take the Federal Trade Commission's word for it: "Anyone who asks you for your account verification code is a scammer."[9]
Most access code scams rely on vishing, which is when fraudsters extract information from a victim over the phone. These vishing tips can help stave off many types of fraud:
- If a caller claims to be from a trusted institution, hang up if they ask for any personal information. Find a verified phone number and call them back.
- If any caller asks for information with a sense of urgency, do not comply.
- Never give out any information, even to confirm your identity, to someone who called you.
As noted above, however, criminals can target access codes in other ways. Here are some of the ways consumers can protect their sensitive personal information from scammers:
- Know the signs of a phishing email: When receiving an email from your bank, look for red flags, like a suspicious email address, attachments, or hyperlinks that, when hovered over, reveal a URL other than your bank's.
- Avoid being targeted by SIM swapping: Avoid sharing your phone number online; set up a PIN for your phone's account with your carrier; use MFA options other than text.
Account access codes are for you and you alone. Never share one, and if someone asks for one, report the incident to the institution they claim to be from.
If you believe you've already been a victim of access code fraud, don't feel ashamed: Criminals are experts at what they do, and you are not at fault. Read our article, What to Do if You Are a Victim of Fraud, to learn what steps to take next.
1. David Gotfredson, "Vista couple conned out of $49K in Chase Bank fraud scam," CBS 8, published February 22, 2024, accessed December 18, 2024.
2. Eric Griffith, "How to Set Up Multi-Factor Authentication and Safeguard Your Online Accounts," PCMag, published December 5, 2024, accessed December 18, 2024.
3. Kathleen Richards, "one-time password," TechTarget, published December 2023, accessed December 18, 2024.
4. Vilius Petkauskas, "RockYou2024: 10 billion passwords leaked in the largest compilation of all time," cybernews, published July 04, 2024, accessed December 18, 2024.
5. Alexandra Borgeaud, "Were any of the cyber breaches that your organization experienced related to credential misuse or authentication vulnerabilities?" published December 10, 2024, accessed December 18, 2024.
6. Dallas Payeton, "Be aware of verification scam on Facebook Marketplace," Local 3 News, published June 20, 2023, accessed December 18, 2024.
7. Jim Holdsworth, Matthew Kosinski, "What is pretexting?" IBM, published September 6, 2024, accessed December 18, 2024.
8. Pieter Arntz, "Scammers can easily phish your multi-factor authentication codes. Here’s how to avoid it," Malwarebytes, published May 16, 2024, accessed December 18, 2024.
9. Alvaro Puig, "What’s a verification code and why would someone ask me for it?" Federal Trade Commission, published March 7, 2024, accessed December 18, 2024.