One-Time Passcode (OTP) Interception
A technique scammers use to steal the temporary login code sent to your phone before you can use it yourself, often via social engineering or SS7 network exploitation.
Also known as: OTP theft, SMS code theft, OTP bot attack
Last reviewed: 10 June 2026
One-time passcodes sent by SMS or voice call can be intercepted in several ways. In a real-time phishing attack, the victim types their OTP into a fake site controlled by the attacker, who instantly enters it on the genuine site. Automated 'OTP bots' phone victims and use voice scripts designed to trick them into reading the code aloud. At the mobile network level, flaws in the SS7 signalling protocol can allow well-resourced attackers to redirect SMS messages without the victim's knowledge.
OTP interception is particularly damaging because users believe they are protected by two-factor authentication. Financial fraud, account takeover, and identity theft frequently follow successful interception. Scam call-centre operations have been documented offering OTP bot services as a subscription product.
Consumers should never read or confirm a code to anyone who calls them, regardless of how official they sound. Banks and tech companies never ask for codes in this way. Switching to an authenticator app or passkey removes the SMS interception vector entirely.
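Why a passkey behaves differently from a typed code, as an added sketch that is not part of the original entry: a code verifies no matter where it was typed, while a passkey response is signed over the site address the browser is actually on, so the genuine site can reject it. The two origins are constructed examples, and an HMAC stands in for the passkey's public-key signature so the sketch runs with the Python standard library alone.

```python
import hashlib
import hmac
import json
import secrets

GENUINE_ORIGIN = "https://bank.example"          # assumed genuine site
LOOKALIKE_ORIGIN = "https://bank-login.example"  # constructed fake site

def verify_otp(expected: str, submitted: str) -> bool:
    # A code is a bearer value: the check cannot see who typed it or where.
    return hmac.compare_digest(expected, submitted)

def _sign(key: bytes, client_data: str) -> str:
    # Stand-in for the passkey's public-key signature (standard library only).
    return hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()

def sign_assertion(key: bytes, challenge: str, origin: str) -> dict:
    # Device side. The browser records the origin it is really on;
    # the page cannot choose this value.
    client_data = json.dumps({"challenge": challenge, "origin": origin})
    return {"client_data": client_data, "signature": _sign(key, client_data)}

def verify_assertion(key: bytes, challenge: str, assertion: dict) -> bool:
    # Server side: signature, challenge and origin must all match.
    expected = _sign(key, assertion["client_data"])
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False
    data = json.loads(assertion["client_data"])
    return data["challenge"] == challenge and data["origin"] == GENUINE_ORIGIN

def demo() -> dict:
    code = f"{secrets.randbelow(10**6):06d}"
    key, challenge = secrets.token_bytes(32), secrets.token_hex(16)
    genuine = sign_assertion(key, challenge, GENUINE_ORIGIN)
    lookalike = sign_assertion(key, challenge, LOOKALIKE_ORIGIN)
    # Swapping in the genuine client data afterwards breaks the signature.
    swapped = {"client_data": genuine["client_data"],
               "signature": lookalike["signature"]}
    return {
        "code_entered_elsewhere_still_verifies": verify_otp(code, code),
        "passkey_on_genuine_site": verify_assertion(key, challenge, genuine),
        "passkey_on_lookalike_site": verify_assertion(key, challenge, lookalike),
        "passkey_swapped_client_data": verify_assertion(key, challenge, swapped),
    }
```

Calling demo() returns the four outcomes side by side: only the response signed on the genuine origin is accepted.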