FBI Warns All Smartphone Users—Never Send These Texts
Do not make this mistake on your phone.
The FBI warns that “malicious actors” continue to send fraudulent texts and voice messages to “gain access to personal accounts.” All smartphone users have been told not to reply to messages unless they recognize the sender’s number or email address. But the bureau has also issued advice for citizens to stop accounts being hijacked.
This relates to text messages. America is under attack from a malicious texting industry sending out billions of messages. Whether undelivered packages, unpaid tolls and DMV fines or Amazon refunds, the objective is to steal your data, your money, even your identity. But sometimes even legitimate texts can be dangerous.
We’re talking two-factor authentication (2FA), which the bureau says you should set up “on any account that allows it,” and should “never disable.” But most 2FA codes are delivered by text. And the problem with texts is that you can send them on to others.
Never do that, the FBI warns — regardless of who’s asking.
“Actors may use social engineering techniques to convince you to disclose a 2FA code,” the bureau says in an advisory reshared this week. Doing so lets attackers “compromise and take over accounts.” Even if the request comes from someone you know, “never provide a two-factor code to anyone over email, SMS/MMS or encrypted messaging.”
ESET’s Jake Moore warns the same. “Scammers often trick people into revealing them to bypass security checks and take control so even if someone claims to be from your bank, trusted company or even a family member, keep OTPs to yourself.”
This all sounds very basic. But remember, if an attacker hijacks one of your friend’s messaging accounts, they can message you pretending to be your friend, asking you to send the code you will receive. They will tell you their phone is not working and they have given your number for the code instead. The scam is remarkably effective.
While you should never share OTP text messages, you can better protect yourself if you stop using them altogether. It’s far better to use an authenticator app, which most major platforms now offer as an alternative to SMS. And better still use a passkey. This links your account to your physical device, making it impossible to steal and use a code.
Banks in Australia and UAE are already calling time on SMS 2FA codes, and you should now do the same. But if you are using those codes, it’s even more critical that you never share them, regardless of who is who’s asking and the reason they’re giving.