Account Verification Scam - What is it and how to spot it? - Truecaller Scam Alerts

Account Verification Scams

What are account verification/account verification code scams?

Verification codes are unique, system-generated numbers sent to a user's registered phone or email to confirm their identity when logging into their accounts. In account verification scams, cybercriminals deceive people into giving away their verification codes through trickery. This type of social engineering scam allows scammers to access victims’ accounts and carry out fraud or other malicious activities once they obtain the unique verification codes.

Example of a verification code scam: An Indian businessman received a message from a friend's wife asking how he was doing. They chatted for a bit and then she told him that she had bought a new phone and accidentally sent a code to him and she needs it urgently. Believing it was a legitimate request, he shared the code, and his WhatsApp was immediately hacked.

How do account verification scams work?

Initial contact:

Scammers often approach unsuspecting individuals with urgent messages like “Your account will be suspended due to suspicious activity” or “Please share your verification code to confirm your identity”. These scammers commonly pose as tech support or security representatives from trusted companies like TikTok, Facebook, Google, or Microsoft. Their ultimate goal is to trick you into giving up that code, which then allows them to gain access to your account and misuse it.

Urgency and fear tactics:

Threat actors often use urgency and fear tactics so their targets have no time to assess the situation and then proceed. Statements like “Your account will be disabled in the next 10 minutes. To verify your identity, send the 6-digit code immediately” are designed to pressure and scare you into acting without thinking.

Phishing and vishing:

Verification code scams often occur through phishing and vishing, which are types of social engineering attacks that rely on a pretext to trick victims. In phishing scams, scammers send emails or text messages containing malicious links or attachments, using clever wording to trick the target into clicking on them by making the message look like it’s from a legitimate organization. By clicking on these links, users may unintentionally allow scammers to hack their accounts or access verification codes.

A vishing scam is conducted over the phone, but the goal remains the same: to trick the victim into revealing their account verification code, which the scammer can then use to gain unauthorized access to accounts.

Saying it was a mistake:

Cybercriminals might pretend to be your friend or a trusted colleague and say something like, “I accidentally sent a login code to your device—could you send it back to me?” Thinking you’re helping them, you might share the code. But in reality, you’re giving them the access they need to take over your account.

How to protect yourself from account verification scams?

Never share verification codes:

It goes without saying that no ethical person would ever ask for your verification codes. These codes are a crucial part of multi-factor authentication (MFA), which adds an extra layer of security to protect your accounts. They should never be shared with anyone.

Verify the source:

If someone is threatening to close or block your account unless you share the verification code, take a moment to pause and think. Always contact the organization directly through official channels to verify the claim.

Grammatical errors:

More often than not, phishing emails are laced with grammatical errors. If you spot any, consider it a red flag.

Install Truecaller app:

Truecaller flags scam calls and messages and blocks spam numbers, protecting you from unwanted interactions that can waste both your time and money.

What to do if you are a victim of an account verification scam?

Victims of account verification scams should take following steps in order to minimize damage to their accounts:

Change passwords: As soon as you figure out it was a scam, change the password of the account immediately.
Multi-factor authentication (MFA): MFA adds an extra layer of protection to help secure your account.
Notify the organization: Contact the tech support of the organization the scammer impersonated and where your account was compromised. They may be able to assist you in recovering your account and taking further action.
Alert your contacts: If your account has been hacked, make sure to alert your contacts right away. Scammers often use compromised accounts to reach out to friends or followers and continue the scam. It’s like a chain reaction that needs to be stopped quickly.
Monitor your accounts: Keep monitoring your accounts for any unusual activity and watch out for any unauthorized sign-in attempts.
Report on Truecaller app: Since Truecaller is a community-based app, it heavily relies on reports from users who have experienced such unfortunate incidents. By reporting fraudulent numbers, you can help protect others from falling victim to similar scams.