Phishing & impersonation · Account takeover · Active 2024–2026

Someone called asking for your security code. Don't read it.

In a nutshell
  • A call or automated message claims your bank, Amazon, or Google detected suspicious activity on your account.
  • They ask you to "verify your identity" by reading back the security code you just received by text.
  • That code is the scammer's key to your account - they triggered the code themselves by attempting to log in.
  • No legitimate company ever calls you and asks for a code they just sent you. Ever.
Our verdict

This is a scam. A verification code you receive is for you to enter somewhere - not to read aloud to a caller. The moment someone asks for that code, the call is fraudulent regardless of what number it came from or what name it claimed. The FBI documented over 5,100 complaints and $262 million in losses from this pattern in the first months of 2025 alone.2


Does this sound familiar?

You get a call - or an automated message - saying your bank flagged unusual activity, your Amazon account is at risk, or someone is trying to access your email. They need to "verify it's really you" before they can help. A moment later, a text arrives with a verification code. The caller asks you to read it back to confirm your identity.

Below are reconstructed examples. (Illustrations, not real screenshots. Numbers and names are fictional.)

Incoming call - may be spoofed to look like your bank
  First National Bank
  +1 (555) 555-0100
Caller ID can be spoofed to show any number - including your bank's real fraud line. The displayed number proves nothing.

Text message
  First National Bank
  Your verification code is: 847 291
  Do NOT share this code with anyone. We will never ask for it.
The code arrives from the real bank - because the scammer used your credentials to trigger a real login attempt. The warning in the text is genuine.

Automated system - sample transcript
  "Thank you for calling First National Bank fraud prevention."
  "To protect your account, we need to verify your identity."
  "We've just sent a 6-digit code to your registered phone."
  "Please enter or say your code now to confirm it's you."
The automated script sounds professional. Many versions use AI-generated voices. The request to "say your code" is where the scam completes.

The same script runs across dozens of platforms: banks, Amazon, Google, PayPal, crypto exchanges, social media. The pretext changes; the code request never does.


How it works

This attack is sometimes called an OTP bot scam or real-time phishing. Unlike SIM swap fraud - where the scammer intercepts your codes at the carrier level - this one works by talking you into handing the code over yourself. (Screens shown below are illustrations.)

1. They already have your password
Before the call, the scammer already has your username and password for the target account - obtained from a data breach, a phishing email, or a leaked database. Your credentials alone aren't enough to get in because your account has two-factor authentication enabled. The OTP - the one-time code sent to your phone - is the one remaining barrier. The entire scam exists to get past that single barrier.
Login attempt detected (the scammer's view, illustration)
  Email: [email protected] - found
  Password: ••••••••• - matched
  2FA code: ??? - need to call you
Your credentials may already be in criminal databases from past breaches. Check haveibeenpwned.com to see if your email appears in known breaches.
2. They trigger the code - then call you
The scammer attempts to log in to your account using your stolen credentials. The platform sends you a real verification code. Immediately - sometimes within seconds - you receive the call. The timing is not a coincidence: the scammer's login attempt is what made the code arrive, and the code arriving is the cue for the call. The script is designed to create urgency before you have time to think: "suspicious activity detected, we need your code to stop it."
Text message (illustration)
  Amazon Security
  Sign-in attempt detected. Your one-time code: 392 817
  Never share this. Amazon will not ask for it.
If you receive a code you did not request, someone already has your password (or, on sites that text a code before asking for a password, at least your username). Change the password immediately.
3. You read the code - they enter it instantly
The moment you read the code aloud, the scammer - or their automated bot - enters it into the login screen. The platform sees a valid code entered within the allowed time window and grants access. The scammer is now inside your account while you're still on the phone. The whole exchange can take under two minutes. OTP bot operations have been documented running thousands of attacks simultaneously across multiple countries, with each session taking less time than a typical phone call.3
What happens in real time
  You: "The code is 3-9-2-8-1-7"
  Scammer enters 392817 - login approved
  You are still on the call hearing "Thank you, your account is now secure."
  Meanwhile: password changed, recovery email updated, funds moved.
The takeover completes while you're still hearing "you're all protected now."
4. The account is gone
Inside your account, the scammer acts immediately: transfers funds, drains a crypto wallet, resets the password so you're locked out, or uses the account as a springboard to compromise others. Email account takeovers are especially damaging because they allow the attacker to reset every other password linked to that address. The FBI's 2025 advisory notes that financial institution impersonation is the dominant entry point, with losses averaging in the tens of thousands per victim.2
Account access - immediate actions taken (illustration)
  Wire transfer initiated to an external account
  Password and recovery email changed
  Email used to reset the linked bank account
  Your access revoked - locked out
Everything happens before you realise the call was fake.
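The mechanics of steps 1 to 4, as an added example that is not part of the original page and not any platform's real code. It simulates a login server that texts a six-digit code bound to the login session that requested it, then shows the same relay with an RFC 6238 authenticator-app code. The server, the phone number, the timings, the shared secrets and the 90-second validity window are all assumptions made for the illustration.

```python
"""Simulation of the relay in steps 1-4: the server binds the code to the
login session that requested it, and that session belongs to the scammer.
Constructed example; server, phone number, secrets and times are made up."""
import hashlib
import hmac
import re
import secrets
import struct

CODE_TTL_SECONDS = 90   # assumed validity window for a texted code
MAX_ATTEMPTS = 3        # assumed limit on wrong codes per session


class LoginServer:
    """Password + SMS code login. OTP state is stored per login session."""

    def __init__(self):
        self.sessions = {}     # session_id -> {"code", "expires", "tries"}
        self.sms_outbox = []   # (phone, message) handed to the carrier

    def start_login(self, phone, now):
        # Called after the password check passed (the scammer already had it).
        # The code is bound to THIS session and texted to the account's phone.
        sid = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"
        self.sessions[sid] = {"code": code, "expires": now + CODE_TTL_SECONDS,
                              "tries": 0}
        self.sms_outbox.append((phone, f"Your verification code is {code}. "
                                       "Do NOT share this code with anyone."))
        return sid

    def submit_code(self, sid, code, now):
        s = self.sessions.get(sid)
        if s is None or now > s["expires"] or s["tries"] >= MAX_ATTEMPTS:
            return "rejected"
        s["tries"] += 1
        if hmac.compare_digest(s["code"], code):
            del self.sessions[sid]   # single use
            return "logged_in"
        return "wrong_code"


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP over SHA-1, the algorithm authenticator apps use."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**digits:0{digits}d}"


def totp_verify(secret, code, now, step=30, window=1):
    """Server-side check: accept the current step and `window` steps either
    side. That tolerance is the time a bot has after you read the code out."""
    return any(hmac.compare_digest(totp(secret, now + k * step, step), code)
               for k in range(-window, window + 1))


def sms_code_relay(delay_seconds=40, now=1_700_000_000):
    """Steps 1-3 with a texted code. Returns the server's verdict for the
    scammer's session after the victim reads the code aloud."""
    server = LoginServer()
    scammer_session = server.start_login("+15555550100", now)   # step 2
    _, sms = server.sms_outbox[-1]                  # the victim's phone buzzes
    read_aloud = re.search(r"\d{6}", sms).group()   # step 3: victim reads it
    # The bot types it into its own session. Session binding, expiry, attempt
    # count and single use all pass: nothing tells the server who typed it.
    return server.submit_code(scammer_session, read_aloud, now + delay_seconds)


def app_code_relay(delay_seconds=25, now=1_700_000_000):
    """Same relay with an authenticator app: the victim reads the six digits
    from the app and the server accepts them from the scammer's browser."""
    shared_secret = b"assumed-secret-enrolled-at-setup"   # on phone and server
    read_aloud = totp(shared_secret, now)                  # what the victim says
    ok = totp_verify(shared_secret, read_aloud, now + delay_seconds)
    return "logged_in" if ok else "rejected"
```

The thing to take from `sms_code_relay` is that every server-side control (the code is tied to a session, expires, is single use and attempt-limited) is satisfied, because the session that asked for the code is the scammer's; the only link in the chain that can break is the phone call. `app_code_relay` makes the same point for authenticator apps: the code is still six digits that can be spoken, and the usual one-step tolerance in `totp_verify` gives the bot plenty of time.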
Remember
  • No legitimate company ever calls you to ask for a code they just sent.
  • An unexpected code arriving means someone already has your password - change it now.
  • Caller ID can be spoofed - a number that looks like your bank is not proof it is your bank.
  • Hang up and call the company directly using the number on their official website or on the back of your card.

Red flags to catch it early

None of these alone is proof. Several together means hang up immediately.

A code arrives right before or as you get a call

This is the clearest signal. The scammer triggered the code by attempting to log in. The call and the code arriving together is not a coincidence - it is the mechanism.

They ask you to "say" or "enter" the code to verify yourself

Verification codes are for you to enter on a website or app - not to recite to a caller. Any request to read a code aloud is the scam, regardless of what else was said on the call.

Urgency about "stopping" a transaction in progress

"We need the code right now to block the transfer." "This transaction will complete in 90 seconds if we can't verify you." This is pressure to prevent you from pausing or hanging up to verify the call independently. Real fraud teams do not have a countdown, and a bank can block a suspicious transfer without you reading anything back to them.

Caller ID shows your bank's real number

Phone number spoofing is trivial and cheap. A call displaying your bank's genuine fraud line number is not proof the call is from your bank. When in doubt, hang up and call back on the number on the back of your card.

Automated voice system asking for the code

Many attacks use fully automated bots - no human ever speaks. The bot places the call, delivers the script, and captures whatever you say or key in. The professional sound of an automated system is not evidence of legitimacy.

The code text message warns not to share it

Most legitimate platforms include a line in their code messages saying "never share this code" or "we will never ask for this." If a caller is asking for exactly the thing the text told you not to share, the text itself is telling you the caller is a scammer.


Already read the code to someone?

Need the steps by payment method? See what to do if you've been scammed.

If you're in this situation right now

Act in the next five minutes

Speed matters more here than in most scams. The account takeover is in progress or already complete.

1. Go to the account right now and change your password. Open the real platform (type the address yourself or use the official app, not a link from any message) and change your password immediately. If you can still get in, do it before the scammer locks you out. Use a strong, unique password you haven't used elsewhere.
2. Check for any actions taken in the last few minutes. Look at recent transactions, password changes, new devices or active sessions, and email or phone updates. On a bank account, check for pending transfers. On email, check forwarding rules, recovery addresses and connected apps, and use the "sign out of all other devices" option if the platform offers one.
3. If you're already locked out, call the company's real number immediately. Find the real number on the company's official website - not from a search result or the message that triggered this. Explain that your account was taken over. Most platforms have account recovery processes for this.
4. Change passwords on any account that uses the same email or password. If the compromised account is your email, assume every account that sends password resets to that email is also at risk. Change them all, starting with your bank and financial accounts.
5. Report it, even if you recovered the account quickly. Reports help track these operations and may help others.
6. Ignore anyone who offers to recover your account for a fee. After an account takeover, victims are sometimes targeted by a follow-up money recovery scam. Official support channels are free. Anyone charging to "get your account back" is running a second fraud.

Where to report it

For the full country guide - agencies, phone numbers, and what happens after you report - see how to report a scam by country.

Contact your bank's fraud team immediately if money moved. A transfer the scammer made from inside your account is an unauthorised payment, which UK banks must normally refund; UK banks also have reimbursement rules for authorised push payment fraud, where you were talked into sending the money yourself.

How big is this problem?

The verification code attack is not new, but automated OTP bots have made it vastly more scalable. Operations that once required a human caller for every victim now run entirely on software, cycling through thousands of targets simultaneously.

$262M+ - losses reported to IC3 from account takeover via financial institution impersonation in just the first months of 2025.2
5,100+ - complaints received by IC3 from this specific pattern in 2025, a number that represents a small fraction of actual incidents.2
$3B - total FTC-reported losses to imposter scams in 2025, the broader category that includes OTP and verification code fraud.1
28,000 - attacks linked to one documented OTP bot operation (JokerOTP) across 13 countries before it was shut down by European authorities.3

The verification code attack sits in a family of account takeover methods that also includes SIM swap fraud - where the attacker intercepts your codes at the carrier level without ever speaking to you - and account verification phishing, where a fake login link collects your credentials directly. The OTP bot variant is mechanically distinct from both: your phone stays on your network, no link is involved, and the code you receive is real. The only human error in the chain is reading the code aloud.

Switching from SMS codes to an authenticator app removes the carrier-level risks (SIM swap, SS7 interception) and takes away the scammer's ability to make a code appear on your phone on cue - but it does not stop this scam. A code generated by an app is still six digits you can read aloud, and a caller who asks for "the code showing in your app" gets exactly the same result as one who asks for a text. The factor that cannot be relayed over a call is phishing-resistant MFA - a FIDO2 security key or a passkey - because the device signs a challenge tied to the real site and to your own login session rather than producing a number you can say out loud. CISA ranks phishing-resistant MFA above app-based codes, and both above SMS.4
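Why a challenge-signing factor does not relay over a phone call, as an added toy example that is not part of the original page and is not WebAuthn or any vendor's implementation. An HMAC over a secret enrolled at registration stands in for the authenticator's ECDSA signature, and a relying-party ID stands in for the browser's origin check; the site name, user name and session handling are assumptions. What it demonstrates is challenge and session binding, not the key secrecy that a real asymmetric credential adds on top.

```python
"""Toy model of a phishing-resistant second factor. Constructed example:
HMAC stands in for the authenticator's signature, RP_ID for the origin check."""
import hashlib
import hmac
import secrets

RP_ID = "bank.example"   # assumed relying party (the real site)


class Authenticator:
    """The key on the victim's phone or security key. It only signs a challenge
    the browser hands it, and only for the site the credential was made for."""

    def __init__(self, rp_id=RP_ID):
        self.rp_id = rp_id
        self.key = secrets.token_bytes(32)   # enrolled with the site at setup

    def sign(self, challenge, rp_id):
        if rp_id != self.rp_id:              # lookalike domain: no assertion
            raise ValueError("credential not valid for this site")
        return hmac.new(self.key, challenge + rp_id.encode(),
                        hashlib.sha256).digest()


class RelyingParty:
    """The site. Every login session gets its own fresh random challenge."""

    def __init__(self):
        self.credentials = {}   # user -> key (a public key in real WebAuthn)
        self.pending = {}       # session_id -> (user, challenge)

    def register(self, user, authenticator):
        self.credentials[user] = authenticator.key

    def begin_login(self, user):
        sid = secrets.token_hex(8)
        challenge = secrets.token_bytes(32)
        self.pending[sid] = (user, challenge)
        return sid, challenge

    def finish_login(self, sid, assertion):
        user, challenge = self.pending.pop(sid, (None, None))   # single use
        if user is None:
            return "rejected"
        expected = hmac.new(self.credentials[user], challenge + RP_ID.encode(),
                            hashlib.sha256).digest()
        return "logged_in" if hmac.compare_digest(expected, assertion) else "rejected"


def voice_relay_attempt():
    """Scammer starts a login in their own session, then phones the victim.
    Returns (verdict for the scammer's session, verdict for the victim's)."""
    site, device = RelyingParty(), Authenticator()
    site.register("victim", device)
    scammer_sid, _scammer_challenge = site.begin_login("victim")
    # There is no prompt where the victim can type in a challenge read to them
    # over the phone: the browser, not the user, feeds the challenge to the key.
    # The most the victim can do is log in themselves, which produces an
    # assertion over a different challenge in a different session.
    victim_sid, victim_challenge = site.begin_login("victim")
    assertion = device.sign(victim_challenge, RP_ID)
    # Even if the victim read all 64 hex digits of it aloud, it is not an
    # answer to the scammer's challenge, so the scammer's session stays out.
    return site.finish_login(scammer_sid, assertion), site.finish_login(victim_sid, assertion)


def lookalike_site_attempt():
    """A fake page on another domain asks the authenticator to sign."""
    device = Authenticator()
    try:
        device.sign(secrets.token_bytes(32), "bank-secure.example")
        return "signed"
    except ValueError:
        return "refused"
```

Compare this with the SMS flow: there the secret the site wants is a short number that any session can present, so the scammer's session is satisfied by whatever you read out. Here the site wants a signature over the challenge it issued to the session doing the logging in, and nothing you can say down a phone produces that.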

Frequently asked questions

Would my real bank ever ask me to read back a code?
No. The FBI and FTC both state explicitly that legitimate companies never contact you to ask for a one-time passcode or verification code. The code is sent to confirm that YOU are the one trying to log in or make a change - not to verify your identity to someone who called you. Any caller asking for a code you just received is a scammer, regardless of what number they appear to call from.
I already read the code - what do I do now?
Act immediately. Go to the real account (bank, email, Amazon, etc.) and change your password now. Check for any transactions, password changes, or new devices added in the last hour. Call your bank's real fraud line if the account involves money. If you cannot get back in, contact the company's official customer support to report the account takeover.
How did the scammer know to call me right when I got the code?
They triggered the code themselves. The scammer already had your username and password (from a data breach or phishing attack) and tried to log in to your real account. The platform sent you a verification code to confirm the login - and then the scammer calls to trick you into reading it back. Your phone receiving the code is the signal that they are already at your login screen.
Which accounts are most at risk?
Any account whose second factor is a code you can read aloud - a text, a voice call, or an authenticator app: bank accounts, email, Amazon, social media, crypto exchanges, and PayPal. Bank accounts and crypto wallets are the most targeted because the financial loss is immediate. Email accounts are also high-value because they can be used to reset passwords on every other account.
How do I protect myself going forward?
Use a passkey or a security key where the platform offers one; those cannot be relayed over a phone call. Where only codes are available, an authenticator app is better than SMS because it cannot be intercepted at the carrier and the scammer cannot make a code appear on your phone - but an app code can still be read aloud, so the rule is the same: never give any code to a caller. Also use a unique password for each account so that a breach of one does not give access to others. If you receive a verification code you did not request, someone already has your password - change it immediately without reading the code to anyone.
Sources
  1. Federal Trade Commission, "What's a verification code and why would someone ask me for it?", March 2024. FTC consumer alert specifically addressing OTP extraction fraud. Also source of $3B imposter scam loss figure for 2025.
  2. FBI / IC3, Public Service Announcement on Account Takeover Fraud via Impersonation of Financial Institution Support, 2025. Source of 5,100+ complaint and $262M+ loss figures for this specific pattern.
  3. IC3 / European law enforcement, JokerOTP operation documentation, 2025. 28,000 attack figure and multi-country scope. Reported by multiple security researchers and law enforcement press releases; cited here as an illustrative documented case rather than an exact total.
  4. CISA, More Than a Password - Multi-Factor Authentication. Source of CISA's guidance ranking phishing-resistant MFA (FIDO/WebAuthn security keys and passkeys) above app-based codes, and both above SMS-based OTP.
Researched and maintained by ScamChecker.online

We document recurring online scam patterns using primary sources - government agencies, law enforcement, and security researchers. We do not accuse named businesses, and ads on this page do not influence our reporting. Read about how we research or who we are.

Last verified: June 2026 · Reviewed against current FTC, FBI IC3, and CISA guidance