BBB Tip: Do's and don'ts of multi-factor authentication
There’s a lot of money flying around during the holiday season, and you’ll almost certainly use multi-factor authentication to access a bank account, credit card or the website for your favorite store within the next couple weeks.
Multi-factor authentication (MFA) is a process that helps keep your important online accounts secure. The Cybersecurity and Infrastructure Security Agency classifies the types of MFA as being one of the following:
Something you know, like a PIN or password
Something you have, like an authenticator or text message with a six-digit code
Something you are, like a fingerprint or face scan
This extra level of protection keeps scammers and hackers out, even if they manage to learn your password.
Scammers know they need that extra information to get into your accounts – so they may pose as someone you trust, such as a representative from your bank or utility company, and ask for your PIN, 6-digit code, or answers to your security questions. If you hand it over, they can log in and access your personal information or money.
These scams can also happen on social media. BBB St. Louis has warned in the past about a scam on Facebook Marketplace where scammers posed as buyers and requested a seller’s phone number and six-digit code to “verify the seller is real.” The scammers were likely using the phone numbers to set up Google Voice accounts, which they then went on to use for other schemes or to commit identity fraud.
There’s no situation where you should share a six-digit code or PIN – not even with customer service or tech support. If someone asks you for it, that’s a scam!
How can I use MFA and 6-digit verification codes safely?
Use the code right away and delete it from your texts or emails after you log in to your account.
Never give a verification code to a stranger. No one should ever ask you for a six-digit verification code – not a stranger on social media, not tech support, not even your bank. The same goes for PINs or security questions. If someone asks for this information, end the conversation and block their number.
Don’t give in to pressure. It’s a red flag if someone insists you need give them a code immediately, says that something is wrong with your account or threatens that something bad will happen if you don’t give them the code.
Contact customer service directly if you think there’s a problem with one of your accounts. Use a phone number you trust, such as the number on a past statement or a verified number from your phone's address book. Beware of unsolicited messages claiming something’s wrong with your account.
Don’t share your phone number with strangers. Most social media sites and online marketplaces have built-in messaging, so you shouldn’t need to give a stranger your phone number to have a conversation or make a sale. Never share your phone number in a public social media post.
Know scam protection policies. Most websites or apps that allow you to talk to strangers (like dating apps, online marketplaces or vacation booking sites) have fraud prevention policies – but you lose that protection if you take the conversation elsewhere. Be cautious if someone you just met insists on messaging you through another platform.
Report it. If someone asks you for a verification code, report the conversation to BBB Scam Tracker.
If you think someone is impersonating your bank or another organization, contact them using a phone number you trust to let them know.
If you run into a scammer on social media or your account has been compromised, you can report it to the social media platform.
