OTP Interception
The theft or real-time capture of a one-time password sent to a victim by SMS or generated in an authenticator app, used by fraudsters to bypass two-factor authentication.
Also known as: OTP theft, one-time password theft, 2FA bypass
Last reviewed: 1 June 2026
One-time password (OTP) interception is a technique used by fraudsters to defeat two-factor authentication by obtaining the temporary code before or as soon as it reaches the intended recipient. Because OTPs expire within seconds to minutes, interception must happen in near real time.
The most common interception method is social engineering: an OTP bot calls the victim seconds after a login attempt and, posing as a bank or tech company, convinces the victim to read the code aloud 'to confirm their identity'. SIM swapping is another major vector, redirecting SMS messages to a SIM controlled by the fraudster. Malware on the victim's device can intercept codes as they arrive via SMS or authenticator apps. Adversary-in-the-middle phishing proxies capture OTPs as users type them on a fake site and replay them to the real site in real time.
Banks and service providers are increasingly moving away from SMS-based OTPs toward app-based push authentication and FIDO2 hardware keys that are inherently resistant to interception. Users should never share OTP codes verbally or via chat, even if the requester sounds authoritative, and should use authenticator apps rather than SMS where possible.
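Why origin-bound credentials resist the real-time relay described above, as an added example that is not part of the original entry: a standard RFC 6238 TOTP check accepts a code no matter which site the user typed it into, while an assertion that covers the browser-reported origin fails verification when it comes from a look-alike site. The FIDO2 side is a simplified stand-in (an HMAC replaces the public-key signature), and the origins, keys and function names are constructed for illustration.

```python
import hashlib, hmac, json, struct

REAL_ORIGIN = "https://bank.example"             # constructed
LOOKALIKE_ORIGIN = "https://bank-login.example"  # constructed

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, RFC 4226 truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def server_verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    # The code says nothing about which site the user typed it into.
    return hmac.compare_digest(code, totp(secret, unix_time))

def authenticator_sign(key: bytes, challenge: bytes, origin: str) -> dict:
    """Simplified assertion: the browser, not the page, supplies `origin`."""
    client_data = json.dumps({"challenge": challenge.hex(), "origin": origin}).encode()
    return {"client_data": client_data,
            "sig": hmac.new(key, client_data, hashlib.sha256).digest()}

def server_verify_assertion(key: bytes, challenge: bytes, assertion: dict) -> bool:
    expected = hmac.new(key, assertion["client_data"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False
    data = json.loads(assertion["client_data"])
    return data["challenge"] == challenge.hex() and data["origin"] == REAL_ORIGIN

def demo() -> dict:
    secret, key = b"12345678901234567890", b"k" * 32   # constructed test values
    challenge, now = bytes(range(16)), 1_700_000_000
    code = totp(secret, now)  # same digits whichever site displays the prompt
    good = authenticator_sign(key, challenge, REAL_ORIGIN)
    relayed = authenticator_sign(key, challenge, LOOKALIKE_ORIGIN)
    return {
        "otp_entered_on_lookalike": server_verify_totp(secret, code, now + 5),
        "assertion_from_real_origin": server_verify_assertion(key, challenge, good),
        "assertion_from_lookalike": server_verify_assertion(key, challenge, relayed),
    }

if __name__ == "__main__":
    print(demo())
```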
Examples
- A fraudster initiates a login to a victim's online banking, then calls the victim claiming to be the bank's security team; the victim reads out the OTP that just arrived by SMS, allowing the fraudster to complete the login.