Fake Wise Two-Factor Authentication Reset Scam
Fraudsters who hold a victim's Wise login credentials call or text claiming Wise's 2FA system needs to be re-verified, talking the victim into sharing the OTP that Wise just sent — completing the account takeover the attacker was blocked from finishing alone.
Part of: Fake Two-Factor Authentication Scams
Last reviewed: 7 June 2026
Wise requires a one-time code during login for any new device or unusual session, and it also uses OTP verification for sensitive account changes. When an attacker has already obtained a victim's Wise login credentials through phishing or a data breach, this OTP is the final obstacle between them and full account access. Social engineering to obtain that OTP is their standard solution.
The attack is timed with precision. The fraudster attempts a Wise login using the captured credentials, triggering a real OTP to the victim's phone. Simultaneously — often within 30 seconds — the victim receives a call or text claiming to be from Wise's security team, explaining that a new device is attempting to link to their account and that the victim must share the code they just received to 'block the unauthorised access'.
This timing is the most convincing element of the attack. The victim has just received a genuine Wise OTP that corresponds to a real login attempt, and a caller has a ready explanation for it. The instinct to protect the account by sharing the code is exactly the opposite of what is actually protective.
How this scam works on the Wise brand
Wise's OTP is for the account holder to enter on Wise's own platform — it is never to be shared verbally or in a reply text. Wise's own OTP messages explicitly state that the code should not be shared with anyone, and Wise's support documentation confirms that Wise agents do not ask for OTPs during support interactions.
The fake Wise agent often knows the victim's account balance and registered email — details sourced from prior phishing sessions or breach data — which adds credibility. They may describe the device attempting access (a fabricated city name or device type) and explain that reading the code back will 'reject the access attempt'. The opposite is true.
Some attackers use automated voice systems: the victim receives a robocall from a number spoofed to match Wise's support line, describing the unauthorised access in a professional recorded voice, and asking the victim to press 1 to read a code. These automated systems are designed to handle high call volumes during mass-phishing campaigns.
Common red flags
- An OTP arrives from Wise without you attempting a login
- A call or text claims to be from Wise security and asks you to share the code you just received
- The 'Wise agent' describes an 'unauthorised device' that coincides with the OTP's arrival
- You are told that sharing the code will 'block' the access attempt — it does the opposite
- An automated voice system calls from what appears to be a Wise number asking for your OTP
- The caller knows your Wise balance or email address — this does not confirm they are Wise staff
- Urgency: 'The attacker will complete the login in 60 seconds if you do not act'
How to protect yourself
- Never share a Wise OTP with anyone, for any reason
- If you receive an unexpected Wise OTP, change your Wise password immediately without sharing the code
- Contact Wise through in-app chat to report a potential credential compromise
- Enable an authenticator app for Wise 2FA where available for stronger OTP protection
- Ensure your Wise password is unique and not used on any other service
- Review your Wise login history for unrecognised sessions and revoke them
- Report unexpected OTPs to your national fraud reporting service even if no loss occurred
How to report it
- Report to Wise through in-app chat at wise.com/help
- Forward phishing details to [email protected]
- In the UK, report to Action Fraud at actionfraud.police.uk
- File a complaint with the FTC at reportfraud.ftc.gov (US)
- Report to the FBI's IC3 at ic3.gov if funds were lost
Frequently asked questions
Does Wise ever ask for an OTP to block a suspicious login?
No. Wise uses OTPs for you to authenticate yourself — they are not used as a mechanism to block other sessions. Sharing an OTP with a caller claiming to be Wise will complete a login, not prevent one.
Why does the attacker call at exactly the moment the OTP arrives?
The attacker triggered the OTP themselves by attempting a login with your credentials. They then immediately call you to provide a plausible story for the OTP's arrival. The simultaneous timing is designed to feel like corroboration, but it only confirms that the attacker is actively attempting access.
Can I change my Wise password without an OTP if I suspect compromise?
You can initiate a password reset from the Wise login page using your registered email. If you believe your email is also compromised, contact Wise through in-app chat (if you still have app access) or through the account-recovery process at wise.com/help.