FBI Warns iPhone And Android Users—Do Not Share These Texts

Do not make this mistake on your phone.
AFP via Getty Images
Republished on July 31 with new text attack warnings for all smartphone users.
The FBI warns that “malicious actors” continue to send fraudulent texts and voice messages to “gain access to personal accounts.” Do not reply to messages unless you recognize the sender’s number. But there’s more you must do to safeguard accounts.
America is under attack from a malicious texting industry sending out billions of messages. Whether undelivered packages, unpaid tolls and DMV fines or Amazon refunds, the objective is to steal your data, your money, even your identity.
But sometimes even legitimate texts can be dangerous.
We’re talking two-factor authentication (2FA), which the bureau says you should set up “on any account that allows it,” and should “never disable.” But most 2FA codes are delivered by text. And the problem with texts is that you can send them on to others.
Never do that, the FBI warns — regardless of who’s asking.
“Actors may use social engineering techniques to convince you to disclose a 2FA code,” the bureau says in an advisory reshared this week. Doing so lets attackers “compromise and take over accounts.” Even if the request comes from someone you know, “never provide a two-factor code to anyone over email, SMS/MMS or encrypted messaging.”
ESET’s Jake Moore warns the same. “Scammers often trick people into revealing them to bypass security checks and take control so even if someone claims to be from your bank, trusted company or even a family member, keep OTPs to yourself.”
This all sounds very basic. But if an attacker hijacks one of your friends’ messaging accounts, they can pretend to be your friend and ask you to send a code, telling you their phone is not working. The scam is remarkably effective.
While you should never share OTP text messages, you can better protect yourself if you stop using them altogether. Use an authenticator app, or better still use a passkey. This links your account to your physical device, making it impossible to steal and use a code.
Shifting from SMS to authenticator apps or passkeys is critical now that SMS interception and bypass are more common. Per Cybersecurity News, “criminal enterprises no longer require extensive technical expertise to deploy advanced mobile threats, as ready-to-use malware kits are now available for subscription fees as low as $300 per month.”
Banks in Australia and UAE are already calling time on SMS 2FA codes, and you should now do the same. But if you are using those codes, it’s even more critical that you never share them, regardless of who’s asking and the reason they’re giving.
While SMS persists, Cybersecurity News warns of a “fundamental shift toward industrialized cybercrime, where specialized providers handle technical complexities while criminal customers focus solely on victim targeting and monetization strategies.”
This isn’t new. Per one warning from 2021, while “figures suggest users who enabled 2FA ended up blocking about 99.9% of automated attacks, as with any good cybersecurity solution, attackers can quickly come up with ways to circumvent it. They can bypass 2FA through the one-time codes sent as an SMS to a user’s smartphone.”
And the warnings keep coming. “As attack methods become more sophisticated,” Cyber News has just warned, “hackers have discovered multiple ways to bypass 2FA when the authentication method consists of one-time codes sent as an SMS message. There are many terrifying ways to easily trick users into unwittingly downloading malware onto their device or perform a socially engineered SIM swap fraud.”
Examples of such attacks include Coinbase, where attackers used “several techniques to overcome SIM 2FA and drain accounts of 6,000 consumers. T-Mobile’s recent data breach should also be a warning to customers who are using SMS for two-factor authentication. The attack reportedly leaked IMEI and IMSI information which compromises the security of SMS-based two-factor authentication.”
And it’s 2FA code bypass, interception or socially engineered thefts that have fueled many of the recent headline ransomware attacks, where support staff have been tricked into disclosing codes, which opens up initial access to systems.
As Google now warns, “over the past year, defenders have been facing heightened pressure,” as “attackers intensify their phishing and credential theft methods, which drive 37% of successful intrusions,” and that includes 2FA attacks.
One such example is Scattered Spider, of course, where “threat actors use multiple social engineering techniques — including push bombing — and subscriber identity module (SIM) swap attacks, to obtain credentials, install remote access tools, and/or bypass multi-factor authentication (MFA),” the bureau has warned.
“Do not use SMS as a second factor for authentication,” CISA, the U.S. cyber defense agency warns. “SMS messages are not encrypted — a threat actor with access to a telecommunication provider’s network who intercepts these messages can read them. SMS MFA is not phishing-resistant and is therefore not strong authentication for accounts of highly targeted individuals.”
That said, CISA also notes the challenge where “some online services may default to SMS during account recovery flows,” and so “it may not be feasible for you to completely eliminate SMS messages from the service.” But where you can, you really should.