Bank OTP Bypass Scam
Criminals who have obtained a victim's banking login credentials call posing as the bank's fraud department and, citing a 'security check', trick the victim into reading back the one-time passcode the bank just sent — completing an account takeover or fraudulent transfer in real time.
Part of: Fake Two-Factor Authentication Scams
Last reviewed: 7 June 2026
Banks send OTPs as a second layer of protection when a new login, large transfer, or sensitive account change is attempted. Scammers who have previously obtained a victim's username and password — through phishing, data breaches, or credential stuffing — are blocked by this second factor. Their solution is social engineering: call the victim at exactly the right moment and create a reason for them to hand over the code.
The call arrives at precisely the moment the OTP is sent because the attacker triggered the banking action themselves. The victim, surprised by both the call and the concurrent OTP, is in a state of alarm and confusion. The caller provides a professional explanation for both — 'we detected an attempted login on your account and have sent you a code to confirm it was not you' — that frames sharing the code as the protective action.
This attack is sometimes called a real-time phishing attack because the attacker must be active at the same moment as the victim: the code is only valid for a minute or two, so it has to be extracted and used while the call is still in progress. It is one of the more operationally demanding scam patterns, and its effectiveness reflects the broader limitation of SMS-based OTP systems: the code was generated, delivered and verified exactly as designed, and the only failure was that the person who typed it in was not the account holder. A code that can be read aloud can be socially engineered, whatever channel delivered it.
How this scam works against your bank's OTP process
Your bank's real OTP authentication process is designed for you, the account holder, to enter the code on the bank's own login page or app — not to share it with anyone. When your bank sends an OTP, the SMS or app notification typically includes a warning: 'Do not share this code with anyone, including bank staff'. This warning is precise and deliberate.
The fake bank agent creates a narrative that makes sharing the code feel necessary: 'We need to verify this is you before we can block the suspicious transaction.' This sounds logical, but it inverts how the code actually works. A genuine fraud team can block a pending transaction from its own systems, and can confirm your identity on a call it set up without asking for anything the bank itself has just generated. The only party that needs the code is whoever is trying to complete the login or transfer, and in this scenario that is the caller.
Some variants use a more elaborate pretext: the 'bank agent' says they are sending a confirmation code that will also appear on the attacker's device, and that reading it back will 'cancel the fraudulent session'. In fact there is only one code, it is your legitimate login or transaction OTP, and reading it to the agent is the step that completes the attacker's fraudulent login. The text of the OTP message itself usually gives this away: it says what the code approves (a login, a transfer, a new payee), which will not match the caller's story.
Common red flags
- A call from your bank coinciding exactly with an OTP arriving on your phone
- The caller asks you to read back the OTP 'to confirm your identity' or 'to block the attack'
- Your bank's OTP message includes a 'Do not share' warning that you are being asked to ignore
- The 'agent' triggered a bank action you did not initiate — the OTP is the giveaway
- Urgency: 'The fraudulent session will lock your account in 30 seconds'
- The call comes from a number spoofed to show your bank's genuine helpline
- After you share the code, the caller says the issue is resolved and hangs up quickly
How to protect yourself
- Never share an OTP with anyone, including a caller claiming to be from your bank
- The OTP is for you to enter on your bank's platform — not to read aloud to any caller
- Hang up and call your bank directly using the number on the back of your card
- If you receive an unexpected OTP, it means someone is attempting a transaction — do not share the code
- Where your bank offers it, prefer in-app approval that shows you the exact transaction, or a passkey or hardware security key, over any code you could read aloud; an authenticator app protects against SIM swapping but its code can still be handed to a caller
- Register for your bank's real-time transaction alerts so unusual activity is immediately visible
- Report unexpected OTPs to your bank's fraud team, even if you did not share the code
How to report it
- Call your bank's fraud line using the number on the back of your card
- Forward the suspicious call details to your bank's fraud team by email (address on the bank's website)
- Report to the FTC at reportfraud.ftc.gov
- Report the spoofed number to the FCC at consumercomplaints.fcc.gov
- File a complaint with the CFPB at consumerfinance.gov/complaint if your bank does not act
Frequently asked questions
Is SMS-based OTP less secure than an authenticator app?
Against the attack described here, not by much. SMS OTPs can additionally be stolen through SIM swapping or interception of the phone number, and an authenticator app closes that route because it generates codes locally on your device with no phone number involved. But a six-digit code from an app can be read out to a caller just as easily as one from a text message, so the app alone does not stop this scam. Methods that leave nothing to read aloud, such as an in-app approval prompt that shows the transaction you are approving, or a passkey or hardware security key, are the ones that remove the social-engineering opening.
Can a bank agent ever legitimately ask for an OTP?
No. Bank OTPs are authentication tokens for account holders to enter on the bank's own platform. A bank agent who calls you does not need your OTP to verify your identity; the bank's own systems authenticate calls through other means, and a genuine agent will not object if you hang up and call back on the number printed on your card.
If I shared my OTP, has my account been taken over?
Possibly. The attacker may already have used the OTP to complete a login or transaction. Call your bank immediately using the number on your card, ask them to freeze the account and review recent activity, and change your online banking password. Ask the bank to check for new payees, registered devices, or changed contact details added during the session, since attackers often use a single successful login to set up later withdrawals.