Fake Cash App OTP Takeover Scam
Criminals who possess a victim's linked phone number or email address attempt a Cash App login, which triggers a real sign-in code, then contact the victim under a pretext to get them to read out that code — instantly unlocking full account access.
Part of: Fake Two-Factor Authentication Scams
Last reviewed: 7 June 2026
Cash App uses a one-time sign-in code sent to the user's registered phone number or email address as its primary authentication mechanism. Because there is no separate password to steal, attackers focus entirely on obtaining this sign-in code. The attack is elegant in its simplicity: trigger the code, then invent a reason for the victim to share it.
The pretext varies widely. Some attackers call claiming to be Cash App support investigating suspicious activity. Others pose as a marketplace buyer who 'accidentally' initiated a payment to the wrong $Cashtag and need the victim to enter a code to authorise a refund. Some send a text saying 'Your Cash App account has been compromised — reply with the code we just sent to lock it.' All of these are pretexts to harvest the sign-in code.
Because Cash App's sign-in code is short-lived and arrives at exactly the moment the attacker attempts a login, the victim experiences a convincing illusion of a real event. The code's arrival seems to confirm the caller's story — when in fact it confirms that the attacker is actively trying to access the account.
How this scam works on the Cash App brand
The real Cash App sign-in code is a one-time code sent to your phone or email when someone attempts to sign in to your Cash App account. Cash App's own code message includes a clear warning: 'Never share this code with anyone.' This warning reflects the company's awareness that OTP interception is a primary attack vector.
Cash App will never call you and ask you to read a sign-in code aloud. There is no legitimate process — refund processing, account locking, verification, or any other function — that requires you to share your sign-in code with another person. The code exists only for you to enter on the Cash App login screen.
When the sign-in code is shared, the attacker gains immediate access to the account. They can change the linked email address or phone number to lock out the real owner, transfer the available balance, and link a different bank account for withdrawals.
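The sequence described above (a sign-in followed quickly by a changed contact detail, a transfer, or a newly linked bank account) is something a service or fraud team can look for in its own event logs. The Python example below is added here for illustration and is not Cash App code; the event names, fields, 30-minute window and sample events are all assumptions constructed for this page.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed review window, not a Cash App value
FOLLOW_ON = {"contact_changed", "bank_linked", "transfer_out"}

# Constructed sample events (hypothetical schema): time, account, type, device
EVENTS = [
    ("2026-06-01T09:00:00", "acct-1", "sign_in", "dev-A"),
    ("2026-06-01T09:05:00", "acct-1", "transfer_out", "dev-A"),
    ("2026-06-03T14:00:00", "acct-1", "code_sent", None),
    ("2026-06-03T14:02:10", "acct-1", "sign_in", "dev-X"),
    ("2026-06-03T14:03:00", "acct-1", "contact_changed", "dev-X"),
    ("2026-06-03T14:04:30", "acct-1", "transfer_out", "dev-X"),
    ("2026-06-03T14:06:00", "acct-1", "bank_linked", "dev-X"),
    ("2026-06-02T10:00:00", "acct-2", "sign_in", "dev-B"),
    ("2026-06-04T10:00:00", "acct-2", "sign_in", "dev-C"),
    ("2026-06-04T12:00:00", "acct-2", "transfer_out", "dev-C"),
]

def find_takeovers(events, window=WINDOW):
    """Return alerts for sign-ins from a new device followed by risky actions."""
    known = {}    # account -> devices seen so far
    pending = {}  # (account, device) -> candidate alert for a new-device sign-in
    alerts = []
    for ts, acct, kind, dev in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if kind == "sign_in":
            seen = known.setdefault(acct, set())
            # The first device ever seen is treated as enrolment, not an anomaly.
            if seen and dev not in seen:
                pending[(acct, dev)] = {"account": acct, "device": dev,
                                        "start": when, "actions": []}
            seen.add(dev)
        elif kind in FOLLOW_ON and (acct, dev) in pending:
            alert = pending[(acct, dev)]
            # Only actions inside the window after the new sign-in count.
            if when - alert["start"] <= window:
                if not alert["actions"]:
                    alerts.append(alert)
                alert["actions"].append(kind)
    return alerts

if __name__ == "__main__":
    for a in find_takeovers(EVENTS):
        print(a["account"], a["device"], a["actions"])
```

In the sample data only acct-1 is flagged: its new device changes the contact detail, moves money and links a bank account within minutes of signing in, while acct-2's new device does nothing risky until two hours later.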
Common red flags
- A call, text, or DM asking you to share a Cash App sign-in code you just received
- Someone claiming a refund or reversal requires you to enter or share a verification code
- A 'Cash App agent' who says they triggered the login code intentionally as part of a 'security check'
- Any message asking you to 'reply with the code to lock your account'
- The sign-in code arrived without you attempting to log in — someone else has your phone number or email
- Pressure to share the code quickly before it expires
- A marketplace seller or buyer who needs you to share a code before completing a transaction
How to protect yourself
- Never share your Cash App sign-in code with anyone for any reason
- If you receive an unexpected sign-in code, it means someone is attempting to access your account — do not share it
- Change the email address or phone number linked to your Cash App through the app if you believe it was exposed
- Enable the Security Lock in Cash App (Profile > Privacy & Security) so every payment requires authentication
- Be especially cautious of marketplace transactions where the other party asks for codes
- Contact Cash App support through the app immediately if an unexpected code arrives
- Review your linked accounts and active sessions regularly
How to report it
- Report through Cash App: Profile > Support > Report a Scam
- Forward suspicious texts to 7726 (SPAM) in the US and UK
- File a complaint with the FTC at reportfraud.ftc.gov
- Report to the FBI's IC3 at ic3.gov if the account was accessed or funds stolen
- Contact your phone carrier if you suspect SIM-swap activity contributed to the attack
Frequently asked questions
Why does Cash App use a sign-in code instead of a password?
Cash App's sign-in code system avoids the risk of password reuse across sites. Instead of a static password, you receive a fresh code each time you log in. The system's weakness is that if someone can persuade you to share the code, they gain the same access you would.
What should I do if I already shared my Cash App sign-in code?
Act immediately: open Cash App and check whether a new session was opened. Change your linked email address and phone number, enable the Security Lock, and contact Cash App support to report the compromise. Check your balance and dispute any unauthorised transactions.
Can a marketplace refund genuinely require me to share a code?
No. There is no Cash App mechanism that processes refunds by having you share a sign-in code. Refunds within Cash App are handled by the sender initiating a payment back to you. Any request for a code in a marketplace context is a scam.