Real Two-Factor Prompt vs OTP Bot and Push Bombing
How to recognise a genuine authentication request from a fraudulent OTP-harvesting bot or push-notification bombing attack attempting to break into your account.
Last reviewed: 1 June 2026
Two-factor authentication significantly improves account security, but attackers now use automated bots that call or text you in real time to trick you into reading out a code, or flood your authenticator app with approval requests hoping you tap 'Allow' to stop the noise.
Side-by-side comparison
| | Real two-factor prompt | OTP bot / push bombing |
|---|---|---|
| What triggered the request | You just logged in or initiated a transaction yourself | You received a code or push with no action on your part |
| Who is asking for the code | The website or app you are using — no phone call or message asks you to read it aloud | An automated voice call or SMS asks you to press a digit or read back a code |
| Volume of push notifications | One approval request per login attempt | Repeated push requests in quick succession — sometimes dozens — hoping you approve one |
| Urgency language | Neutral confirmation message; no threat if you ignore it | 'Your account will be locked unless you approve now'; caller claims to be from the platform |
| Caller ID | Legitimate services do not call you to approve a push or read a code | Spoofed caller ID showing the real company name to build false trust |
| What happens if you deny | Your session is blocked; you can try again legitimately | Calls or pushes resume; caller may become more aggressive |
Common red flags
- You receive an OTP or push notification without having attempted to log in
- An automated voice call asks you to press a key or read back a verification code
- Multiple push-approval requests arrive within seconds
- Caller claims to be from the platform's security team and asks you to approve the notification to 'stop the attacker'
- Message contains urgency language about account suspension
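As an added defender-side example (not part of this page or of any vendor's tooling), the following Python flags the push-bombing pattern described above in constructed MFA log lines: a burst of push challenges for one user inside a short window, and an approval that follows earlier denials. The log format, field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA log (not real vendor output). Assumed format per line:
# <ISO timestamp> <user> <event: push_sent|push_result> <result: -|approved|denied>
SAMPLE_LOG = """\
2026-06-01T09:00:00Z alice push_sent -
2026-06-01T09:00:02Z alice push_result denied
2026-06-01T09:00:05Z alice push_sent -
2026-06-01T09:00:08Z alice push_result denied
2026-06-01T09:00:10Z alice push_sent -
2026-06-01T09:00:13Z alice push_sent -
2026-06-01T09:00:15Z alice push_sent -
2026-06-01T09:00:20Z alice push_result approved
2026-06-01T09:30:00Z bob push_sent -
2026-06-01T09:30:06Z bob push_result approved
"""

def parse(log_text):
    """Parse the assumed log format into (timestamp, user, event, result) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result))
    return events

def detect_push_bombing(log_text, threshold=3, window=timedelta(seconds=60)):
    """Return {user: details} for users who received >= threshold pushes within `window`.
    details also records denials and whether an approval came after a denial
    (the 'approve one to make it stop' outcome the attacker is hoping for)."""
    by_user = defaultdict(list)
    for ts, user, event, result in parse(log_text):
        by_user[user].append((ts, event, result))
    alerts = {}
    for user, evs in by_user.items():
        evs.sort()
        sends = [ts for ts, ev, _ in evs if ev == "push_sent"]
        peak, start = 0, 0
        for end in range(len(sends)):          # sliding window over push timestamps
            while sends[end] - sends[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        denials, approved_after_denial = 0, False
        for _, ev, res in evs:                 # events are time-ordered here
            if ev == "push_result" and res == "denied":
                denials += 1
            elif ev == "push_result" and res == "approved" and denials > 0:
                approved_after_denial = True
        alerts[user] = {"pushes_in_window": peak, "denials": denials,
                        "approved_after_denial": approved_after_denial}
    return alerts
```

A user flagged with `approved_after_denial` set is the case to treat as a likely compromised session: revoke it and contact the user out of band rather than relying on the approval.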
Verification steps
- Deny all unexpected push requests and do not share OTP codes with anyone calling you
- Log in directly to the service's website (type the URL manually) to check for real account alerts
- Change your password and review recent login activity if you receive unexpected codes
- Switch from SMS OTP to an authenticator app where possible; app-based codes are not exposed to SMS interception or SIM swapping, though any code you read aloud to a caller can still be harvested
What not to do
- Do not approve a push notification you did not trigger yourself
- Do not read an OTP aloud to any caller, even if caller ID shows your bank or service provider
- Do not approve 'just one' push request to stop the notifications — that is exactly what the attacker wants
A safe response
Deny the request, do not engage with any caller, and go directly to the service website to change your password and review active sessions. Enable number matching or phishing-resistant FIDO2 authentication where the service offers it.
Frequently asked questions
Is SMS two-factor still worth using?
SMS OTP is much better than no second factor, but it is vulnerable to SIM-swapping and OTP bots. Where possible, prefer an authenticator app or a hardware security key.
Why would a push-bombing attacker claim to be from my bank's security team?
The social-engineering script is designed to make you think approving the push will stop an attack already in progress. In reality you are handing the attacker the access they need.