Fake Uber Two-Factor Authentication Code Theft
Scammers posing as Uber drivers or support agents ask riders to read aloud a one-time SMS code, using it to bypass Uber's two-factor authentication and take over the account.
Part of: Fake Two-Factor Authentication Scams
Last reviewed: 7 June 2026
Uber uses SMS-based one-time passcodes as a second authentication factor when a sign-in from a new device is detected. This security feature becomes a vulnerability when social engineering tricks the account holder into reading the code aloud to a fraudster.
The most prevalent version targets riders in transit: a driver calls the passenger's phone and claims to be having difficulty confirming the pickup address. During the conversation, the driver says 'Uber just sent a verification code to your phone to confirm the pickup — can you read it to me?' Sharing that code gives the attacker everything needed to complete a new-device sign-in and take over the account.
A text-based version sends a message appearing to come from Uber's short code, warning of a suspicious login, and asking the user to 'confirm' their identity by texting back the code from a second message that follows. Both messages are fabricated.
How this scam works on the Uber brand
Uber's two-factor code is triggered when a new device attempts to sign in to your account — not by driver pickups. A driver already matched to your trip can see the pickup point within the Uber app without needing any code from the passenger. Any request for a code during a trip context is a social engineering attempt.
The text-based variant exploits Uber's recognisable short code by spoofing the sender ID so the message appears in the same thread as previous genuine Uber notifications. The first message warns of a suspicious login; the second delivers the code that the message claims must be forwarded to 'verify' the account. In reality, both messages are fabricated, and the code the attacker wants already arrived in the victim's messages because the attacker initiated a login attempt.
Common red flags
- A driver asks you to share a code that just arrived by text — drivers have no operational reason for this
- A text from 'Uber' asks you to forward a code to a number or reply with it
- A 'support agent' calls and explains that a code is being sent to your phone and they need you to read it back
- The code arrives moments after someone contacts you claiming to be Uber support
How to protect yourself
- Never share a one-time SMS code with anyone who calls or texts you, regardless of their claimed identity
- If a code arrives unexpectedly, this means someone is trying to log into your account — change your password immediately
- Use a strong unique password for your Uber account so that a stolen code alone is not sufficient without the password
- Enable biometric authentication on the Uber app where available as an additional layer
How to report it
- Report the driver or the suspicious contact via the Uber app: Help > Trip Issues and Refunds
- Report account takeover attempts at help.uber.com
- Report to the FTC at reportfraud.ftc.gov
Frequently asked questions
Why would a driver need a code from me?
They would not. Drivers see your pickup location in the Uber app. No legitimate Uber process requires a passenger to share an SMS code with a driver. This request is always an account hijack attempt.
I shared the code and now I cannot log in. What do I do?
Contact Uber Support immediately at help.uber.com and select 'Account and Payment'. Explain that your account was taken over. Uber can lock the account and help you regain access. Also contact your bank if a payment card is linked to the account.