High riskText Message Scams

Two-Factor Code Text Scam

In this scam a fraudster triggers a genuine two-factor or one-time code to your phone, then poses as support staff or a contact to pressure you into reading it back so they can take over your account.

Quick verdict

Risk level
High risk
Scam type
Verification code theft scam
Main red flag
Someone asking you to share a verification or one-time code that just arrived, no matter the reason they give.
What to do first
Do not share the code. A genuine company or contact will never need you to read a code back to them.

What this scam usually looks like

In this scam a fraudster triggers a genuine two-factor or one-time code to your phone, then poses as support staff or a contact to pressure you into reading it back so they can take over your account.

Example message pattern

Example pattern — not a real report
Example pattern: 'This is account security. We detected a login attempt and sent you a 6-digit code. Please read it back to us so we can secure your account.'

This is a fictional, anonymised example used to illustrate the pattern. It is not a verified real message, and any names are used only to show how the scam typically reads.

Red flags to watch for

  • A verification code arrives when you did not just try to log in yourself
  • Someone contacts you and asks you to read that code back to them
  • Pressure or urgency, such as a warning that your account is being hacked right now
  • A 'contact' messaging from an unusual number or account asking for a code to 'verify' something
  • The caller or message claims to be support but reached out to you first

What to do

  • Do not share the code with anyone, even if they sound official or familiar
  • Treat an unexpected code as a sign someone may have your password and change it
  • Turn on app-based or hardware two-factor authentication where possible
  • Contact the company directly using a number or app you trust, not one the caller gave

If you already clicked or replied

  • If you shared a code, change that account's password immediately from a trusted device
  • Sign out of all active sessions in the account's security settings
  • Check and remove any unfamiliar recovery emails, phone numbers, or linked devices
  • Warn anyone whose account was used to message you, as it may be compromised

What not to do

  • Do not read a code aloud or type it into a chat for anyone
  • Do not trust caller ID or a familiar name, as both can be faked
  • Do not assume an unexpected code is harmless and ignore it

Similar scams

High risk Marketplace

Google Voice Verification Code Scam

On a marketplace, a supposed buyer or seller asks you to share a verification code texted to your phone to 'prove you are real'. The code is actually used to set up a Google Voice number linked to you, which the scammer then uses for further fraud.
High risk Social Media

Hacked Friend Help Scam

A message arrives from a friend's account asking for money, a verification code, or to click a link. In reality the friend's account has been taken over, and the scammer is using your trust in them to reach you.
High risk Bank & Payment

Fake Bank Alert Text Scam

This scam sends a text claiming suspicious activity on your account, then steers you to a fake login page or a 'fraud agent' who pressures you to move money.

Frequently asked questions

Will a real company ever ask for my verification code?
Legitimate companies do not phone or message you to ask for a one-time code. The code is meant for you alone, so any request to share it is a strong warning sign.
Why did I get a code I did not request?
It often means someone has your password and is trying to log in. They then need your code to finish, which is why they may contact you pretending to be support.
A friend asked me for a code they 'accidentally' sent me, is that safe?
Be cautious. Their account may be hacked and used to harvest codes. Confirm through another channel before sharing anything, and usually you should not share it at all.
What should I do after refusing to share a code?
Change the password for the account the code was for, enable stronger two-factor protection, and review the account's recent activity and security settings.

Last reviewed: June 2026

Disclaimer: This page provides educational information only to help you recognise common scam patterns. It is not legal, financial, cybersecurity, or law enforcement advice, and it does not confirm whether any specific message, company, or person is genuine or fraudulent. When in doubt, contact the official organisation directly and report concerns to your local authorities.