Two-Factor Reset & Social Takeover Scams
Multi-step attacks that manipulate victims into disabling or handing over their two-factor authentication to complete an account takeover.
Last reviewed: 1 June 2026
What this scam is
Two-factor reset and social takeover scams are targeted attacks that specifically work to neutralise two-factor authentication — the strongest routine protection most users have on their accounts. Rather than bypassing 2FA through technical means, these attacks use social engineering to trick victims into disabling it, sharing the codes it generates, or approving a device that the attacker controls as a new trusted device.
These scams typically begin with the attacker already holding the victim's password — obtained through a data breach, credential-stuffing attack, or phishing. They cannot proceed past the 2FA prompt without the victim's assistance. The social engineering component is designed to create circumstances in which the victim willingly provides that assistance.
Approaches vary widely: the attacker may impersonate platform support and claim a technical issue requires the 2FA to be temporarily disabled; they may send a fake 'security alert' instructing the victim to approve a new device to prevent an attack that is itself fabricated; they may impersonate a trusted person and ask the victim to share a code they just received; or they may run a SIM swap to reroute the victim's SMS-based 2FA to a device they control.
This category of attack is responsible for some of the most significant individual account compromises because it defeats the layer of security people rely on most. Understanding the specific manipulation patterns used is essential for defending against them.
How it works
In the impersonated support variant, the victim receives a message purporting to be from the platform's security team, warning of suspicious activity on their account. The message instructs the victim to complete a verification step by providing the code sent to their device or by disabling 2FA temporarily through a link. Any code shared immediately allows the attacker to complete login.
In the 'verify your device' variant, the victim is told they need to approve a new device as part of a security process. A legitimate-seeming approval request appears on their device — actually generated by the attacker attempting login — and the victim approves it believing this to be a security step rather than the breach itself.
In the SMS-interception variant, the attacker contacts the victim's mobile carrier, impersonates the victim, and requests a SIM swap — transferring the victim's phone number to a SIM the attacker controls. SMS-based 2FA codes then go to the attacker rather than the victim.
In the recovery-code request variant, a trusted friend, family member, or colleague appears to ask the victim to share their backup recovery codes, claiming to need them to help with something. In reality, the attacker has compromised the other person's account and is using it to make the request appear trustworthy.
Why this scam works
Two-factor authentication is widely understood as the gold standard of account security for consumer accounts. This understanding creates a specific cognitive vulnerability: people are conditioned to respond to 2FA prompts as a normal part of a legitimate process. When a scammer frames a 2FA code request within an apparently legitimate security context, the action of sharing the code feels like compliance with a safety step rather than a security failure.
The impersonation of platform security teams is particularly effective because the premise — that the platform has detected something and needs your help to fix it — aligns with how people understand security systems to work. A request that comes with the right framing exploits established trust in the platform rather than asking for trust in the scammer.
SIM swaps succeed because they exploit a human process — mobile carrier customer service — rather than a technical one. Carrier staff are trained to be helpful, and without strong verification requirements, a confident and well-prepared attacker can successfully transfer a number.
Common red flags
- Request from 'platform support' to share a 2FA code you just received
- Instruction to disable 2FA as part of a security or verification process
- Approval request for a new device appearing on your device when you are not actively logging in
- Sudden loss of mobile network signal on your phone — potential indicator of a SIM swap
- SMS 2FA codes stop arriving even though you have not changed your number
- Security alert message instructing you to take an action that involves your 2FA settings
- Trusted contact asking for your account backup codes over a messaging platform
- Login attempt notification for a device or location you do not recognise
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
This is [Platform] Security. We detected unusual access. To secure your account, please share the code we just sent to your device.
We need to verify your account to prevent it being locked. Enter the 6-digit code from your authenticator app at [fake link].
To approve this new trusted device and complete your security update, tap Approve on the notification that just appeared.
Your backup codes need to be refreshed. Disable your current 2FA and set it up again at [fake link] to receive new codes.
Hey, it's me — I need your recovery codes urgently. I can explain everything later, can you screenshot them and send now?
Common variations
- SMS-based SIM swap targeting accounts where phone-based 2FA is the only second factor
- Real-time relay phishing that captures and uses 2FA codes within the valid window
- Push notification fatigue attack — flooding the victim with approval requests until one is accidentally approved
- Backup code social engineering — trusted contact's compromised account used to request recovery codes
- Carrier impersonation — scammer calls posing as the mobile carrier and asks the victim to verify a number port
How to verify before you act
No platform will ever ask you to share a 2FA code, your authenticator app output, or your backup recovery codes with a support agent, whether by message, email, phone, or DM. These codes exist solely for you to enter during your own login process.
If you receive a device approval notification when you are not actively logging in, do not approve it. Log in to your account independently and check your security settings for the pending device request, then deny it from within your account.
Switch from SMS-based 2FA to an authenticator app for your most sensitive accounts. Authenticator apps generate codes locally and are unaffected by SIM swaps or number porting attacks.
If you suddenly lose mobile network signal — particularly if other people in your area still have signal — contact your carrier immediately to check whether your number has been transferred without your authorisation.
Who is usually targeted
- Anyone using SMS-based 2FA
- High-value account holders
- Creators and business owners
- Individuals targeted by known actors who have already obtained their password
What to do immediately
- Never share 2FA codes, authenticator app codes, or recovery codes with anyone — no legitimate service will ask for them
- If you approved a device or shared a code, revoke all active sessions immediately through your account security settings
- Contact your mobile carrier directly if you suspect a SIM swap — ask them to lock your number against any further port or swap requests
- Change your account password from a trusted device as quickly as possible
- Enable an authenticator app rather than SMS-based 2FA — SIM swaps do not affect app-based codes
- If you have lost account access, use the platform's official recovery flow from a known-safe device
- Report the attack to your national fraud reporting authority and to the platform
How to prevent it
- Switch to an authenticator app or hardware key for 2FA — do not rely on SMS for high-value accounts
- Never share 2FA codes with anyone, regardless of how the request is framed
- Contact your mobile carrier and ask them to add a PIN or account note requiring in-person verification for SIM swaps
- Enable login notifications so you are immediately aware of any new session attempts
- Use a separate, dedicated email address for account recovery on your most important platforms
- Store backup recovery codes in a secure offline location rather than in messaging apps
Evidence to preserve
- Screenshots or logs of any messages requesting 2FA codes or device approvals
- Timestamps of when your phone lost signal if a SIM swap is suspected
- Any login notifications received for unknown devices before the compromise
- Communications from the scammer including phone numbers, email addresses, and message text
- Notes on the sequence of events to assist any investigation
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
Is SMS two-factor authentication still worth using?
SMS 2FA is substantially better than no 2FA. However, for accounts of significant value — social media accounts tied to income, email accounts, financial accounts — an authenticator app such as Google Authenticator or Authy provides meaningfully stronger protection because it cannot be intercepted through a SIM swap. Upgrading is straightforward and worth doing for your most important accounts.
What is a SIM swap and how do I prevent it?
A SIM swap is when an attacker convinces your mobile carrier to transfer your phone number to a SIM card they control. To protect against it, contact your carrier and request that they add a port or swap lock requiring a strong verification step — such as a unique PIN or an in-person visit — before any number transfer is processed. Not all carriers offer this, but many do on request.