Can my bank ever ask me to share my one-time passcode (OTP) over the phone?
No. Banks and financial services never ask you to read back an OTP they sent you. If someone calls asking for your OTP, they are attempting to access your account.
Last reviewed: 10 June 2026
Explanation
One-time passcodes are a second layer of security specifically designed to ensure only you — the account holder physically holding the registered device — can authorise a transaction. The entire security model breaks down if the code is shared. Banks know this, which is why their messages and apps typically contain explicit warnings such as 'Never share this code with anyone, including bank staff.'
The attack works like this: a fraudster has obtained your account credentials through phishing or a data breach. They initiate a login or transaction on your account, which triggers your bank to send you a genuine OTP. They then call you — often already knowing your name and partial account details to seem credible — and request the code under the pretext of verifying your identity or reversing a fraudulent transaction.
Once you read out the OTP, the fraudster completes the login or transaction within the seconds the code is valid. They may then change your password, set up new payees, or drain your account before you realise what happened.
No legitimate bank representative, customer service agent, or fraud department employee will ever ask for your OTP. If you receive such a call, hang up and change your passwords immediately. Contact your bank through the official app or the number on your card.
Common red flags
- Caller says they need your OTP to 'verify your identity' or 'reverse a fraud'
- A text from your bank arrives moments after or during the call
- Caller knows your name, last four card digits, and account balance
- Creates urgency by claiming your account is being drained right now
- Asks you to stay on the line while you check the message
- Caller ID appears to show your bank's genuine number
What to do now
- Hang up without reading the OTP to anyone
- Change your online banking password immediately
- Check your account for any unauthorised transactions
- Call your bank on the number on the back of your card
- Ask the bank to review recent login attempts and flag suspicious activity
- Report the call to your national fraud authority
Frequently asked questions
What if the text message says the OTP is for my own verification?
The bank sends the OTP to verify that the person requesting access has possession of your registered device. The message is addressed to you — but the fraudster triggered it. Never share it.
I shared my OTP and an unauthorised transaction went through — what do I do?
Call your bank immediately using the number on your card and report it as fraud. Ask them to freeze the account and reverse the transaction if possible. Document the call details for your fraud claim.