Two-factor authentication was created to protect your online accounts against cyber criminals. In this article, I’ll share with you a new scam that uses 2FA codes to gain access to your financial accounts.
What you’ll learn:
- What is 2FA or MFA
- How this scam works
- Two tools to avoid becoming a victim
What is Two-Factor Authentication (2FA)?
Logging in to an online account with a username and password is a one-step process on one site, or one factor. Having to enter a code that is emailed or texted to you adds another factor. This extra step typically involves an outside party, such as your email account or a smartphone that receives a code or text message. This is known as Two-Factor Authentication or 2FA. The more layers, barriers, or factors it takes to access an online account, the harder it is for cyber criminals to get in. They would have to break through each layer of authentication in order to gain access to your account.
How This Scam Works
You receive a call from your bank telling you they suspect fraud in your account. They’ll ask you to confirm a recent transaction(s). You’ll then confirm the transaction(s) are not yours. The bank rep will go ahead and say they need to confirm you are the owner of the account by sending you a one-time code, most often by text but could also be by email. You are also instructed to give them the code after you receive it. You comply. The banker confirms the fraudulent transaction(s) were removed and your account is safe. You hang up the call breathing a sigh of relief.
In reality, here’s what happened.
The call was from a scammer pretending to be your bank. They used CallerID spoofing to change the display to reflect your bank’s name and phone number. Step one to manipulating you.
The caller, typically working with a partner, tells you they suspect fraud while the partner goes to your bank’s website and begins to type in your username (most often your email address) and your password. The password was most likely obtained through a data breach of either the bank or another website where you used the same password.
Because you have 2FA activated on your account, the scammers need to get the code. This is when the pretend bank rep says that they need to validate your identity by sending you a one-time code that you need to verbally provide to them. You comply, giving them the last piece of the puzzle to gain full access to your financial account online. I bet you are no longer breathing a sigh of relief…
But don’t worry, I have two tools you can use to protect yourself from this scam.
How to Avoid Being a Victim
- Validate or Eliminate (my favorite tool and it should be yours too!)
Before taking any action, first validate the caller. If you can’t validate it, eliminate it. To validate, you hang up the call or ask if you can call them back. If they become aggressive, hang up immediately. Then call your bank at the number provided on their website or on your bank statement. Tell them about the call you received and ask them if they called you about suspicious transactions.
- Never, NEVER, give out information, including security codes, on unsolicited calls. These are calls you didn’t initiate or weren’t expecting. The same applies to text messages and emails. Actually, you should NEVER send sensitive information by email or text because they are insecure forms of communication. We’ll cover this in a future episode of Privacy Mentor Podcast.
Cyber criminals are evil. They take the tools meant to protect us and use them against us. Don’t let them manipulate you. Use Validate or Eliminate to determine if an email, text, phone call, or letter is legitimate or a scam. If you can’t VALIDATE IT, ELIMINATE IT! Your privacy depends on it.