{"id":13366,"date":"2018-05-22T05:31:32","date_gmt":"2018-05-22T09:31:32","guid":{"rendered":"https:\/\/www.kaspersky.co.in\/blog\/dont-send-codes\/13366\/"},"modified":"2020-04-02T16:07:36","modified_gmt":"2020-04-02T10:37:36","slug":"dont-send-codes","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.in\/blog\/dont-send-codes\/13366\/","title":{"rendered":"Never share verification codes"},"content":{"rendered":"

\u201cDon\u2019t share this code with anyone!\u201d When it comes to one-time codes and passwords, this advice would seem so axiomatic that it hardly bears repeating. Then again\u2026<\/p>\n

A polite request for help<\/h2>\n

We recently came across this phishing<\/a> scam. A person receives an SMS message that goes roughly as follows:<\/p>\n

\u201cHello, you don\u2019t know me, but your phone number once belonged to me. I\u2019m trying to log into an old account linked to this number, and it\u2019s telling me that it will send a verification code in an SMS to this number. I\u2019d like to know if it\u2019d be OK with you if I request the code and if you can just send it back to me? If not, that\u2019s totally fine.\u201d<\/p>\n

It\u2019s true that if you don\u2019t use a phone number for a long time, your mobile operator may disconnect it and sell it to someone else. So there is a chance that your number might once have had another owner, especially if you only got it recently. And many people know about this.<\/p>\n

The request is written in polite language, and it looks extremely convincing. Good-natured people appreciate politeness, and the request seems reasonable, so they are likely to agree. The code arrives and the recipient sends it to the author of the polite request, who responds with profound gratitude. But the good Samaritan has just handed over access to their account.<\/p>\n

\"Here's<\/a><\/p>\n

What really happened<\/h3>\n

Sure, there\u2019s a very small chance that it might have been a message from someone who really owned your number once and needs your help. But it\u2019s unlikely. Phishing is a more probable explanation. Here\u2019s how it happens.<\/p>\n

In the wilds of cyberspace, the attacker discovers an e-mail address (yours) that is linked to a phone number (also yours). If you have or once had an account with Yahoo, Twitter, or LinkedIn (or one of hundreds of lesser-known services that recently leaked their user data), it\u2019s not hard to find out which phone number is linked to your e-mail.<\/p>\n

The attacker begins by stealing access to your e-mail. To do that, they need to reset the password. When they attempt to reset it, the service sends an SMS message with a verification code to the number linked to the account to confirm that it is the owner of the account who is trying to reset the password.<\/p>\n

But before taking this step, the fraudster writes you a touchingly polite SMS as above. The code is valid for just a few minutes, so the cybercriminal needs to groom you in such a way that you\u2019ll send it without delay.<\/p>\n

With access to your e-mail, the attacker can reset the passwords for all accounts linked to the address\u00a0\u2014 social media, other mail services, online wallets, and so on. The links for password reset are sent to this e-mail, and voil\u00e0! The cybercriminal has access to all your accounts \u2014 and you don\u2019t.<\/p>\n

That\u2019s why you should never share any verification codes that arrive in SMS, no matter how nicely anyone pleads with you for assistance. Sharing just one code could lock you out of almost your entire online existence.<\/p>\n

How to keep your accounts on a short leash<\/h3>\n