Two-factor authentication (or 2FA), as well as multi-factor authentication (MFA) are excellent methods for protecting your accounts from hackers. Stealing your login info won’t be enough, since you also need a special code sent to a trusted device to fully authenticate yourself. Bad actors, however, are already finding ways to steal those codes right from under your nose.
Here’s the hack; you receive a phone call from one of your “trusted accounts” (let’s say PayPal). “PayPal” calls you to let you know that someone tried to use your account to spend a lot of money. The “company” just needs you to confirm your 2FA code in order to block that transaction from happening.
It should probably go without saying, but never send your 2FA code to anyone.
Companies will never ask for your 2FA codes in this manner. The only time you will be asked for a code is if you are actively trying to log in to your account. If you are asked for this code unprompted, or due to “suspicious activity” on your account, hang up and ignore.
You see, if hackers gain access to your login credentials, they won’t be able to get past the 2FA without your trusted device, unless they figure out the 2FA code. What they will do is pretend to be the company in question, then attempt to log in, which will send the 2FA code to your device. The hackers will say that code is confirmation to block the suspicious activity; however, if you send the code, you’re just giving the hackers exactly what they need to access your account.