Is a text from my bank with a one-time passcode always safe to use?
Only if you initiated the action it authorises. One-time passcodes you did not trigger indicate someone else is trying to access your account.
Last reviewed: 1 June 2026
Explanation
One-time passcodes (OTPs) sent by your bank provide a second layer of security — but only when you are the one who requested them. Scammers use real-time phishing and social engineering to steal OTPs while they are valid. In one common scenario, the fraudster has already obtained your card or account details and calls you impersonating bank fraud prevention. They claim to need you to read out the code to 'verify' or 'cancel' a transaction. Reading the code to them gives them exactly what they need to complete a transaction they are already authorising on a different screen. Your bank will never ask you to read back or confirm a code sent to you.
Common red flags
- OTP arrives when you are not logging in or making a payment
- Caller or SMS asks you to share the code you just received
- Urgency — code about to expire, account under threat
- Multiple OTPs in quick succession
What to do now
- Never share an OTP with anyone, including callers claiming to be your bank
- If an OTP arrives unexpectedly, log in directly and check for unauthorised activity
- Change your online banking password if you suspect compromise
- Contact your bank immediately using the number on the back of your card
Frequently asked questions
Can scammers trigger an OTP without knowing my password?
If they have your card number, or have tricked your bank's phone system using your personal details, they may be able to initiate steps that generate an OTP — the code is the last piece they need.