Fake Bank Two-Factor Reset Social-Engineering Scam
Criminals call bank customers impersonating the fraud team and persuade them to disable or hand over two-factor authentication codes, enabling full account takeover.
Part of: Two-Factor Reset & Social Takeover Scams
Last reviewed: 8 June 2026
Banks send two-factor authentication codes to verify logins and high-value transactions. This layer of security is a major obstacle for scammers who have obtained online banking passwords through data breaches or credential stuffing. To overcome it, scammers call the account holder directly, posing as the bank's fraud or security team, and socially engineer them into sharing the OTP.
The call script is carefully designed to feel like a genuine outbound security check. The 'bank agent' references the account holder's name, partial account details, and a recent suspicious transaction (often fabricated). The urgency of preventing further fraud keeps the victim focused on cooperating rather than questioning the caller's legitimacy.
This technique, known as a real-time OTP relay, requires no technical exploit: the password is already in the scammer's hands, and the second factor is handed over by the victim. It defeats SMS-based two-factor authentication, one of the main protections on consumer banking accounts, through a single phone conversation.
How this scam works
The scammer calls with a number spoofed to match the victim's bank and says: 'We are calling from [Bank Name] Fraud Prevention. We have detected a suspicious login attempt on your account from a device we do not recognise. To secure your account, we need to verify your identity — we are about to send a one-time code to your registered phone. Please read it back to us to confirm you are the account holder.'
The scammer simultaneously triggers a real bank login using the victim's previously stolen password. The bank sends a genuine OTP. The victim reads it out. The scammer enters it, gaining full access to the account.
With the account open, the scammer may remove existing two-factor protection, change the registered phone number and email, add new payees, or initiate large transfers — all before the victim has ended the call.
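The takeover described above leaves a footprint on the bank's side: a successful login from a device the customer has never used, followed within minutes by a 2FA change, a contact-detail change, a new payee or a transfer from that same device. The block below is an added example written for this page, not code from any bank or vendor, that applies that rule to a constructed audit log. The log format, field names, device identifiers, scoring weights and 15-minute window are all assumptions.

```python
"""Bank-side detection heuristic for a real-time OTP relay takeover.

Added example for this page; the log format, field names, weights and
window are assumptions, not any real fraud engine's rules.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed enrollment data: device fingerprints each account has used before.
KNOWN_DEVICES = {"1001": {"dev_phone_A"}, "2002": {"dev_phone_B"}}

# Constructed sample audit log. Account 1001 is the relay victim: a login from
# a never-seen device is followed within minutes by the actions a scammer takes
# once inside. Account 2002 adds a payee from its usual device and must not alert.
SAMPLE_LOG = """\
2026-06-08T14:02:10Z acct=1001 event=login_success device=dev_phone_A ip=203.0.113.5
2026-06-08T14:31:02Z acct=1001 event=otp_sent device=dev_new_Z ip=198.51.100.77
2026-06-08T14:31:41Z acct=1001 event=login_success device=dev_new_Z ip=198.51.100.77
2026-06-08T14:33:05Z acct=1001 event=2fa_disabled device=dev_new_Z ip=198.51.100.77
2026-06-08T14:34:12Z acct=1001 event=contact_changed device=dev_new_Z ip=198.51.100.77
2026-06-08T14:35:50Z acct=1001 event=payee_added device=dev_new_Z ip=198.51.100.77
2026-06-08T14:37:20Z acct=1001 event=transfer device=dev_new_Z ip=198.51.100.77 amount=4800
2026-06-08T09:10:00Z acct=2002 event=login_success device=dev_phone_B ip=192.0.2.9
2026-06-08T09:12:00Z acct=2002 event=payee_added device=dev_phone_B ip=192.0.2.9
"""

# Post-login actions weighted by how strongly each indicates takeover rather
# than normal use (weights are assumptions; tune against real data).
SENSITIVE_WEIGHT = {
    "2fa_disabled": 3,
    "contact_changed": 3,
    "payee_added": 1,
    "transfer": 2,
}
WINDOW = timedelta(minutes=15)  # assumed correlation window after the login
ALERT_THRESHOLD = 3             # assumed: one strong action or several weak ones


@dataclass
class Event:
    ts: datetime
    acct: str
    event: str
    device: str
    attrs: dict


def parse_log(text):
    """Parse 'ISO-timestamp key=value ...' lines into Events, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, rest = line.split(maxsplit=1)
        kv = dict(item.split("=", 1) for item in rest.split())
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, kv["acct"], kv["event"], kv["device"], kv))
    return sorted(events, key=lambda e: e.ts)


def detect_relay_takeover(events, known_devices, window=WINDOW,
                          threshold=ALERT_THRESHOLD):
    """Flag a login from an unknown device that is quickly followed, from that
    same device, by enough sensitive actions to cross the threshold."""
    alerts = []
    for i, login in enumerate(events):
        if login.event != "login_success":
            continue
        if login.device in known_devices.get(login.acct, set()):
            continue  # a device this customer has used before: not this pattern
        # Only count actions from the same account and device; the victim's own
        # activity from a known phone in the same window should not inflate it.
        followups = [
            f for f in events[i + 1:]
            if f.acct == login.acct
            and f.device == login.device
            and f.event in SENSITIVE_WEIGHT
            and f.ts - login.ts <= window
        ]
        score = sum(SENSITIVE_WEIGHT[f.event] for f in followups)
        if score >= threshold:
            alerts.append({
                "acct": login.acct,
                "device": login.device,
                "login_at": login.ts.isoformat(),
                "score": score,
                "actions": [f.event for f in followups],
            })
    return alerts


if __name__ == "__main__":
    for a in detect_relay_takeover(parse_log(SAMPLE_LOG), KNOWN_DEVICES):
        print(f"ALERT acct={a['acct']} new device {a['device']} "
              f"score={a['score']} actions={','.join(a['actions'])}")
```

A genuine customer who has just bought a new phone also logs in from an unknown device, which is why a single weak action such as adding one payee stays under the threshold while disabling 2FA or changing contact details on a brand-new device is enough on its own. In practice the alert would hold the transfer for out-of-band confirmation rather than just print, and the confirmation must go to the contact details on file before the change, not the ones the scammer just entered.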
Common red flags
- Your bank calls you proactively and asks you to read back an OTP code.
- The caller's number matches your bank's, but the caller cannot accurately describe your actual recent transactions.
- An OTP arrives on your phone immediately after the caller mentions sending a verification code.
- The caller discourages you from hanging up and calling the bank back.
- The call creates extreme urgency — 'funds are being moved right now unless you act.'
- Shortly after you read out the code, you find yourself logged out of your banking app on your own devices.
- The caller asks you to authorise a 'test transaction' to verify account security.
How to protect yourself
- Know that no legitimate bank will call you and ask you to read back an OTP code.
- Hang up and call your bank on the number printed on your card to verify whether the call was genuine.
- Never read a verification code to any inbound caller — codes are for your use only.
- Use an authenticator app for banking 2FA where available — it is not linked to your phone number.
- Enable account activity alerts so you see any new login attempt in real time.
How to report it
- Report to your bank's fraud team immediately using the number on your card.
- Report caller ID spoofing to the FCC at fcc.gov.
- File with the FTC at reportfraud.ftc.gov.
- File a complaint with the CFPB at consumerfinance.gov/complaint.
- File with ic3.gov if funds were taken.
Frequently asked questions
Does a real bank ever call and ask for an OTP?
No legitimate bank will call you and ask you to read back a one-time code sent to your phone. OTPs are a second factor for your use only — if someone is asking for yours, they are trying to authenticate themselves, not protect you.
How do I tell if a call is really from my bank?
Hang up and call the bank yourself using the number on your card or bank statement. A real fraud alert will be resolvable through that channel. The real bank will not object to you calling back.
Can I prevent OTP relay attacks with an authenticator app?
An authenticator app removes the phone-number dependency: the code is generated on your device rather than sent by the bank, so a SIM swap or intercepted text message does not expose it. It does not stop a real-time relay, though. A code is valid for around 30 seconds, which is plenty of time for a caller to type in what you have just read out, and a determined scammer will simply ask for the authenticator code instead. Never read any code to an inbound caller.