FBI Warns iPhone And Android Users—Do Not Share These Texts
Do not make this mistake on your phone.
Republished on July 29 with new text attack warnings for smartphones users.
The FBI warns that “malicious actors” continue to send fraudulent texts and voice messages to “gain access to personal accounts.” Do not reply to messages unless you recognize the sender’s number. But there’s more you must do to safeguard accounts.
America is under attack from a malicious texting industry sending out billions of messages. Whether undelivered packages, unpaid tolls and DMV fines or Amazon refunds, the objective is to steal your data, your money, even your identity.
But sometimes even legitimate texts can be dangerous.
We’re talking two-factor authentication (2FA), which the bureau says you should set up “on any account that allows it,” and should “never disable.” But most 2FA codes are delivered by text. And the problem with texts is that you can send them on to others.
Never do that, the FBI warns — regardless of who’s asking.
“Actors may use social engineering techniques to convince you to disclose a 2FA code,” the bureau says in an advisory reshared this week. Doing so lets attackers “compromise and take over accounts.” Even if the request comes from someone you know, “never provide a two-factor code to anyone over email, SMS/MMS or encrypted messaging.”
ESET’s Jake Moore warns the same. “Scammers often trick people into revealing them to bypass security checks and take control so even if someone claims to be from your bank, trusted company or even a family member, keep OTPs to yourself.”
This all sounds very basic. But if an attacker hijacks one of your friend’s messaging accounts, they can pretend to be your friend and ask you to send a code, telling you their phone is not working. The scam is remarkably effective.
While you should never share OTP text messages, you can better protect yourself if you stop using them altogether. Use an authenticator app, or better still use a passkey. This links your account to your physical device, making it impossible to steal and use a code.
Shifting from SMS to authenticator apps or passkeys is critical now SMS interception and bypass is more common. Per Cybersecurity News, “criminal enterprises no longer require extensive technical expertise to deploy advanced mobile threats, as ready-to-use malware kits are now available for subscription fees as low as $300 per month.”
Banks in Australia and UAE are already calling time on SMS 2FA codes, and you should now do the same. But if you are using those codes, it’s even more critical that you never share them, regardless of who is who’s asking and the reason they’re giving.
While SMS persists, Cybersecurity News warns of a “fundamental shift toward industrialized cybercrime, where specialized providers handle technical complexities while criminal customers focus solely on victim targeting and monetization strategies.”
This isn’t new. Per one warning from 2021, while “figures suggest users who enabled 2FA ended up blocking about 99.9% of automated attacks, as with any good cybersecurity solution, attackers can quickly come up with ways to circumvent it. They can bypass 2FA through the one-time codes sent as an SMS to a user’s smartphone.”