Recovery guide

What To Do If You Shared a One-Time Code

Sharing an SMS or authenticator code can give fraudsters access to your account. Act immediately to secure it.

Last reviewed: 1 June 2026

First 10 minutes

Go directly to the account the code was for and check for unauthorised changes or activity
Change the account password immediately from a trusted device
If the code was for banking, call your bank using the official number straight away
Check whether the account has new linked devices, forwarding rules, or contact details
Sign out all other active sessions in account security settings

First 24 hours

Enable two-factor authentication if it is not already set up — or switch to an authenticator app if you were using SMS
Check linked accounts for signs of access using this account
Review recent transactions if financial accounts were involved
Report to the service provider if your account was accessed
Report to your national fraud service if money was moved or identity data was accessed

Contact your bank or payment provider

If the code related to a banking transaction, call your bank immediately
Ask them to review any transfers or changes made around that time
Ask about temporary account monitoring or enhanced verification

Evidence to preserve

Note what service the code was for and what was said to you to get you to share it
Screenshot any messages asking for the code
Record the time the code was shared and the time you noticed any account activity
Save any security alerts sent by the provider

Secure your accounts and devices

Change your account password and update your recovery email and phone if they were changed
Remove any unrecognised devices from your account
Upgrade from SMS codes to an authenticator app where possible
Review all connected or linked apps for anything you did not authorise
Enable security alerts so you are notified of future logins

Report it

Report to your national fraud/cybercrime service
Report to the platform, bank, or provider involved
Keep any reference numbers you're given

One-time codes are the last line of defence for many accounts. Scammers use social engineering to convince people to share them — posing as bank fraud teams, delivery companies, or tech support. Once the code is shared, they use it to log in, approve transactions, or change account details.

The speed of your response matters most. Check the account immediately for changes: new linked devices, altered contact details, forwarding rules, or recent transactions you do not recognise.

A genuine bank, service provider, or support team will never ask you to read back a code they sent you. That request is always a sign of fraud.

Frequently asked questions

Someone from 'my bank' asked for the code they just sent me — is that normal?

No. This is a classic authorised push payment or account takeover technique. Genuine banks never ask you to read back a code they sent you. Hang up and call your bank using the number on your card.

I shared the code but nothing looks wrong yet — what should I do?

Change your password and check the account thoroughly for changes to linked email, phone, or devices. Some account takeovers are used for future access rather than immediate action.

Can I stop the fraudster if I realised immediately after sharing?

Act as fast as possible: change the password, check for account changes, and call your bank if it was a banking code. Speed can prevent or limit the damage.

Why do scammers want one-time codes?

One-time codes are what turns a stolen password into account access. With both the password and the code, a fraudster can log in and potentially change your account details or approve transactions.

Sources

First 10 minutes

Go directly to the account the code was for and check for unauthorised changes or activity

Change the account password immediately from a trusted device

If the code was for banking, call your bank using the official number straight away

Check whether the account has new linked devices, forwarding rules, or contact details

Sign out all other active sessions in account security settings

First 24 hours

Enable two-factor authentication if it is not already set up — or switch to an authenticator app if you were using SMS

Check linked accounts for signs of access using this account

Review recent transactions if financial accounts were involved

Report to the service provider if your account was accessed

Report to your national fraud service if money was moved or identity data was accessed

Secure your accounts and devices

Change your account password and update your recovery email and phone if they were changed

Remove any unrecognised devices from your account

Upgrade from SMS codes to an authenticator app where possible

Review all connected or linked apps for anything you did not authorise

Enable security alerts so you are notified of future logins

Frequently asked questions

Someone from 'my bank' asked for the code they just sent me — is that normal?

No. This is a classic authorised push payment or account takeover technique. Genuine banks never ask you to read back a code they sent you. Hang up and call your bank using the number on your card.

I shared the code but nothing looks wrong yet — what should I do?

Change your password and check the account thoroughly for changes to linked email, phone, or devices. Some account takeovers are used for future access rather than immediate action.

Can I stop the fraudster if I realised immediately after sharing?

Act as fast as possible: change the password, check for account changes, and call your bank if it was a banking code. Speed can prevent or limit the damage.

Why do scammers want one-time codes?

One-time codes are what turns a stolen password into account access. With both the password and the code, a fraudster can log in and potentially change your account details or approve transactions.