Fake Bank OTP Request Text Script
A text or accompanying call claims there's suspicious activity on your account and asks you to reply with, or read back, a one-time code your bank just sent — but that code is actually being used in real time by the scammer to authorize a transaction, log into your account, or add a new payee. The lever is presenting the code request as a security step to protect you, when it's actually the mechanism that hands over control. The single most important thing is to never share a one-time code with anyone, including someone claiming to be your bank, since your bank never needs you to read one back.
Last reviewed: 1 June 2026
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
[Bank]: Suspicious login detected. Reply with your one-time code to cancel: [code will arrive by text].
We've sent you a 6-digit code to confirm it's you. Please reply with the code to stop the transaction.
Hi, this is [bank] fraud team. A [amount] payment is pending. Read me the code just sent to block it.
Your code is for verification only — sharing it will not give anyone access to your account.
What the scammer wants
To obtain the OTP that your real bank sent — which the scammer is simultaneously using to authorise a transaction, log in to your account, or add a new payee. The code hands them full control of that action.
Red flags in the message
- Anyone asking you to share a code your bank just sent you
- Reassurance that 'the code is just to verify you, not to give access'
- Urgency — share the code in the next 60 seconds
- Incoming call or text immediately after a code arrives
- Caller ID matches your bank (easily spoofed)
- No way to call back and verify through the bank's published number
A safe response
Never share a one-time code with anyone who asks for it, even if they say they are from your bank. Your bank will never ask you to read back a code it sent. Hang up and call your bank on its official number.
What not to send
- One-time codes or PINs
- Passwords or memorable phrases
- Card details
What to do if you already replied
- Call your bank immediately on the official number — a transaction may have been authorised
- Change your online banking password and PIN
- Check your account for new payees, pending payments, or setting changes
- Report the incident to your bank's fraud team
- Consider placing a short-term freeze on your account while you investigate
Evidence to preserve
- Screenshot the full message or call details
- Note the sender number, email, or profile
- Save any links (without clicking) and payment details
- Record dates and times
Frequently asked questions
The text came from the same sender ID/thread as my bank's real messages — how?
Sender IDs can be spoofed and inserted into the same message thread as your bank's genuine texts on many phones, so this doesn't confirm authenticity. The content of the message asking you to share a code is the real warning sign, regardless of where it appears.
I already read the code out to them — what should I do immediately?
Contact your bank right away using the number on your card or its official app to report the code as compromised, freeze the account if possible, and check for unauthorised transactions or newly added payees.
How did they already know my name and that I bank there?
This information can come from data breaches, phishing, or simply widescale guessing based on which bank is common in your area — it doesn't require them to have hacked your account already. That's exactly why they still need the code from you to actually get in.
Is it ever okay to share an OTP if someone claims to be from my bank?
No, never — a genuine bank employee will never ask you to read back or forward a one-time code, since the code exists specifically to prove actions are being taken by you, not them. Any request for it is a scam, full stop.