Common Two-Factor Authentication (2FA) Scams and How to Avoid Them

July 8, 2025

It’s become so mainstream, you may have forgotten what it’s called. You try to access an app or one of your online accounts by entering a password, then you are asked to provide a second form of authentication, such as a one-time code sent to a separate device, before you’re allowed to log in. Once you satisfy that extra layer of security, you’re let in. This is called two-factor authentication (2FA).

Select companies have used 2FA going back to the mid-1990s, though many were resistant to modernizing and thought passwords would be enough to keep accounts safe from online scammers. But by the late 2000s, smartphone usage became common and widespread data breaches began to shake consumer confidence, so companies and their customers started taking online account security more seriously and 2FA became a standard cybersecurity option. Since then, 2FA has proven hugely successful; however, scammers have developed methods to get past 2FA.

What Is Two-Factor Authentication and Why Is It Important?

Two-factor authentication, public since at least 1996 when AT&T began using it, is a security method in which the user must provide two separate forms of identification to access an app or online account. It’s an additional layer of security meant to keep a hacker from gaining access, and a way to help prevent identity theft. The idea behind 2FA is that even if your account password is compromised, 2FA security can prevent scammers from accessing or stealing your account or your sensitive data.

The main 2FA methods are:

  • Codes sent via SMS. This is when an authentication code is sent via text message to your phone. With this security method, you are usually given a short period to enter the texted code to finish logging in.
  • Authenticator apps. There are a variety of choices here, with Duo, Google Authenticator, and LastPass among the industry leaders. Authenticator apps are safer than SMS and provide a higher level of security, since authentication is kept within a device rather than shared across a network.

Other 2FA methods include push notifications, a physical security key such as a USB key, and biometrics, which can include fingerprint or facial recognition.

How Scammers Exploit Two-Factor Authentication

Scammers try to bypass 2FA using social engineering tactics, which include:

  • Phishing texts (known as smishing)
  • Voice phishing (known as vishing)
  • SIM swapping (named for SIM cards, or Subscriber Identity Modules, which are small physical or digital cards that store information in your smartphone or tablet about your phone and network)

For phishing texts and voice phishing, scammers deceive targets by providing false information intended to present themselves as a trusted source, such as a customer representative from their credit union, a bank, or cell phone provider. They create a sense of urgency, trying to get their target to make a mistake they can take advantage of. For example, a scammer posing as a banker may message you saying your account isn’t secure and that, to secure it, you should send them the verification code you just received. Once the scammer has the information they need to bypass your 2FA security, that’s when they do a SIM swap.

A SIM swap is when a scammer transfers their victim’s cell phone number and stored data to a different device, controlled by the scammer, by convincing the victim’s cell phone provider that they are the account owner.

Once they have control of what’s meant to go to your smartphone or other device, it’s much faster and easier for them to take control of your accounts.

Recognizing 2FA Scams

It usually becomes obvious very quickly if you’ve fallen for a two-factor authentication scam. If your smartphone has its SIM swapped, you may no longer be able to make or receive calls or texts. You may start receiving email alerts thanking you for online purchases that the scammer made, not you. Or you may contact your cell phone provider or banking institution to report the breach, only to find out your personal identification information has been changed, keeping you from verifying your identity with a live agent.

Any of the above can be stressful and frustrating, but the sooner you can reclaim your device and accounts, the easier it will be to mitigate the damage being done.

How to Protect Yourself From 2FA Scams

There are some key ways to protect yourself from 2FA scams:

  • Never share your 2FA codes, whether sent via text or phone, with anyone, even if that person claims to be a DCU employee.
  • Instead of SMS-based 2FA, use authenticator apps such as Duo, Google Authenticator, or LastPass for additional security.
  • Use passkeys when available. Passkeys use biometrics, such as your fingerprint or facial scan, to log in to your account. Passkeys can be a more effective and secure method of authentication.
  • Monitor account activity regularly so you can quickly identify any suspicious behavior.

What to Do If You Suspect You’ve Fallen for a 2FA Scam

If you think you’ve fallen for a two-factor authentication scam, try to immediately change passwords and remove any compromised devices, such as your smartphone. You should also reach out to your banking institution to report the suspicious activity and contact the Federal Trade Commission (FTC).

DCU members who fall for a two-factor authentication scam should contact us at 800.328.8797 immediately. Members are also encouraged to leverage the Identity Theft Hotline for guidance through the whole process, even if their DCU account doesn’t seem to be compromised.

This article is for informational purposes only. It is not intended to serve as legal, financial, investment or tax advice or indicate that a specific DCU product or service is right for you. For specific advice about your unique circumstances, you may wish to consult a financial professional.