The 2FA Bank Phishing Scam: How It Works and What to Do

Joel Lee 06-03-2018

If there’s one account you don’t want hacked, it’s your bank account. But you shouldn’t worry so much about hacks, because scams are the bigger threat.


In general, while far from perfect, banks are pretty good about security. Hacks and breaches are fairly rare in the grand scheme of things. When a bank account is drained, it’s often because the owner was careless and unwittingly gave away access (e.g. compromised ATM skimmers and wire transfer con scams).

Two-factor authentication (2FA) is supposed to protect your bank account, but scammers have found a way around it—by tricking you with a new phishing tactic What Exactly Is Phishing & What Techniques Are Scammers Using? I’ve never been a fan of fishing, myself. This is mostly because of an early expedition where my cousin managed to catch two fish while I caught zip. Similar to real-life fishing, phishing scams aren’t... Read More . In this article, we explain how the scam works and how you can evade it.

How 2FA Protects Your Bank Account

Before we explain how the scam works, it’s important to understand how most bank 2FA protocols work.

2FA is simple: in order to access your account, you start by entering your password, which is your first factor, and then you confirm that your identity using a second factor, such as a security question or a verification code sent in a text message. Learn more about the pros and cons of different 2FA methods The Pros and Cons of Two-Factor Authentication Types and Methods Here are the pros and cons of two-factor authentication methods to see which is the best for you. Read More .

Text messages are the most common form of 2FA used today. The idea is that you can only log in to your bank account if you have the account password AND the phone with the right SIM to which the text message is sent.


2FA also comes into play when you want to change account details and settings, usually requiring you to log out and log back in after making a major change. Generally speaking, 2FA is awesome—it’s a lot harder to intercept SMS text codes It's Time to Stop Using SMS and 2FA Apps for Two-Factor Authentication While two-factor authentication is generally a good thing, you may be shocked to know that SMS and 2FA apps are both insecure. Here's what you should use instead. Read More than it is to brute force a weak password, so 2FA keeps you safer most of the time.

Despite the risks involved in using 2FA 3 Risks and Downsides to Two-Factor Authentication Two-factor authentication use has exploded over the last decade. But it isn't perfect, and can come back to haunt you if you aren't careful. Here are a few overlooked downsides. Read More , it’s always better than not using it at all.

How the 2FA Bank Phishing Scam Works

It starts with a phone call. You may or may not recognize the number, but it doesn’t matter because phone numbers can be spoofed (which happens often with robocalls How to Stop Annoying Telemarketers & Robocalls From Calling You Are you tired of being called by prerecorded messages and robots? Here's why that happens and what you can do to stop them. Read More ).

When you pick up, the caller will say they’re from your bank, they’ve noticed a fraudulent charge on your account, and they want to help resolve the issue but first need to confirm your identity.


To do this, they’ll offer to send a confirmation code by text message and ask you to read the code back to them over the phone. They may do this two or three times, stating that the first one didn’t go through for some reason.

2FA Bank Phishing Scam - man using cell phone

At this point, you might be suspicious, but because the call started with a suggestion of fraudulent charges on your account, you’ll feel compelled to stay on the line. After all, the fraudulent charges could be real, and if they are, better to take care of them ASAP.

The scammer reads off a handful of your most recent bank charges, then ends with a final non-existent charge.


You don’t recognize it, so you think it must be fraudulent. You let the scammer know. They reassure you that it’s okay, promise to reverse the charge, then send over one last confirmation code by text message. You read it back. That’s it, done!

Except the next time you log in to your bank account, you see that thousands have been drained from your account and now you need to contact fraud services.

Here’s What Actually Happened

Every time you received a confirmation code, it was actually the scammer trying to access your bank account. When you read the code back to them, they typed it in and successfully bypassed your account’s 2FA security.

Once in, they can do things like change your username, change your password, change your phone number for 2FA, or even send money from your account to their account.


In order to pull this off, the scammer needs to know quite a bit:

  • Your username
  • Your password
  • Your phone number
  • Your recent charges

Unfortunately, these details aren’t difficult to obtain.

Most people use the exact same usernames and passwords for all of their web accounts, so if one account gets breached, every other account becomes vulnerable. This is why we recommend using unique passwords 8 Tips for Online Safety Used by Security Experts Want to stay safe online? Then forget everything you think you know about passwords, antivirus and online security because it's time to be retrained. Here's what the experts actually do. Read More .

Gaining access to one of your accounts can also give the scammer more information to play with. For example, if they manage to log in to your Amazon account, they might look at your saved credit cards and see the last four digits of each.

If you aren’t sure if your account details have ever been breached or leaked, head over to HaveIBeenPwned? and check right away. This is the only account checker you should use—it’s safe, reliable, and trusted.

Phone numbers are easy to dig up online. This is why you should never share your personal details online, especially in social media profiles.

As for your recent charges? The scammer could’ve gotten his hands on a bank statement that you didn’t think twice about tossing in the trash. You may not think it’s necessary, but home paper shredders Buying A Paper Shredder For Your Home Office Read More are crucial for fringe cases like this.

What should you do to avoid this scam?

If anyone ever calls YOU and then asks you to confirm your identify over the phone, politely say you aren’t comfortable doing that on an incoming call. Hang up and call them back using their official customer service line, which you can find online.

Staying Safe in the Face of Scams

This 2FA phishing scam isn’t the only one you need to be wary of.

Clever criminals will always be coming up with new ways to con innocent people out of their hard-earned money. Stay on top by reading our articles on the newest internet scams to avoid Do You Know 2017's New Internet Scams? Millions are tricked by cybercriminals every year, and the scams of 2017 will live on into 2018 and beyond. Here are just a few of the latest internet scams you need to protect yourself against. Read More , not getting tricked by phone scams Why They Keep Ringing: How Cold Calling Telephone Scams Work The Microsoft tech support scam is hugely profitable, and has proved both effective and lucrative for scammers around the world. But have you ever wondered how it works? Read More , and identifying fake IRS scams Avoid IRS Scams: 7 Warning Signs to Watch Out For Do you really owe as much tax as the email says? Or is it an IRS scam? Here's how to avoid getting taken in by scammers impersonating the IRS. Read More .

Related topics: Online Banking, Online Security, Two-Factor Authentication.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Missey J
    March 10, 2018 at 4:06 am

    Banks are forever telling people not to hand out information to anyone who's initiating contact with you. They advise everyone to hang up and manually call your bank, or the fraud department number (listed on back of one's ATM/Credit Card), or go into the bank. Thus, avoiding handing off any information to so-called bank/financial callers.

  2. BertieBassett
    March 8, 2018 at 11:49 am

    "Hang up and call them back using their official customer service line, which you can find online."

    Just to be sure, ring back from a different phone, in case they pull the old "Don't hang up their end, and pretend to be who you we calling" trick.

  3. dragonmouth
    March 7, 2018 at 1:49 pm

    A simple solution is to do your banking in person.

    I know, it is 'Oh So Inconvenient' for today's convenience oriented crowd to visit the local bank branch but how convenient is it to have your bank account(s) cleaned out and/or you identity stolen? It is very easy for scammers to impersonate bank personnel over the phone. It is much harder to do so in an actual bank branch.

    Security and privacy are the price of convenience. If we weren't so damn lazy and wanting to do EVERYTHING from our smartphones, many of the scams would not be exist or at least be as successful.

  4. Dave Lee
    March 6, 2018 at 8:06 pm

    They probably don't need a list of your recent transactions. From your description, they will ask for proof of identity first. Everyone is used to this from dealing with financial institutions.

    So, they try to log into your account, it sends a message to your phone which you read back to them. They now have access to your account. They can read your most recent transactions back to you while adding a fraudulent one. This reassures the victim that it is the real bank and that there was an actual issue.

    So, it's still difficult because they need your username, password and phone number, but they can get away with not knowing any actual transactions.