I gave a scammer a one-time passcode (OTP) sent to my phone — what now?
Contact your bank or the relevant service immediately — the scammer may have just used that code to access or change your account. Change your password right away.
Last reviewed: 10 June 2026
Explanation
A one-time passcode (OTP) is the second factor of authentication that protects your account even when your password is known. When a scammer tricks you into reading that code aloud — often by impersonating your bank, phone carrier, or an online service — they are bypassing the strongest layer of your account security in real time.
The moment you realize what happened, call your bank or the relevant service's fraud line and explain that you shared an OTP with an unauthorized person. They can check whether the code was used to change your password, add a new phone number, transfer money, or access sensitive data. Act fast — OTP-based account takeovers typically take less than 60 seconds once the code is obtained.
Change your account password immediately from a trusted device. If the scammer has already changed the email address or phone number associated with the account, you will need to use account recovery options and escalate to the company's trust and safety team. Collect any confirmation emails you received during that period — these may show what actions were taken.
Report the incident to the FTC and, if financial loss occurred, to the FBI's IC3. If your phone number itself was ported away (SIM swap), contact your carrier urgently. A SIM swap means your phone number now routes to the scammer's device, giving them all future OTPs and call-based authentication.
Common red flags
- Caller claims to be 'verifying your identity' and asks you to read back a code
- Text arrives for an action you did not initiate, followed by a call asking for it
- Someone urgently needs 'just the six-digit code' to 'protect' your account
- The number calling you matches your bank's caller ID exactly (spoofing)
- Caller instructs you to 'never share' the code but then asks for it anyway
What to do now
- Call your bank or service's fraud line immediately — explain you shared an OTP
- Change your account password from a trusted, clean device
- Check your account for unauthorized changes (new email, phone, payees, transfers)
- Contact your phone carrier if you suspect a SIM swap
- Enable an app-based authenticator (not SMS) for higher-security 2FA going forward
- Report to the FTC at ReportFraud.ftc.gov
Frequently asked questions
Can a scammer do anything with just an OTP?
Yes — a scammer who already has your username and password only needs the OTP to complete a full account login or password reset. They can then lock you out and take over completely within seconds.
What is a SIM swap and how do I know if it happened to me?
A SIM swap is when a scammer convinces your carrier to transfer your phone number to their SIM card. Signs include suddenly losing cell service, calls and texts not arriving, or your carrier asking you to re-activate your SIM.