The verification code scam has one rule worth memorizing: any person who asks you to read them a verification or 2FA code is trying to break into an account — yours or one being created in your name. Those six-digit codes exist to prove that the person logging in controls your phone or email. When you share one, you hand a stranger the key that your password was supposed to protect. No legitimate company, buyer, seller, or support agent will ever ask you to read a code back to them.
Why the Code Is the Key
Two-factor authentication works like this: after someone enters a password (or requests a login link or account recovery), the service sends a one-time code to the account owner's phone. Whoever types that code in is treated as the owner. Scammers often already have your password (from data breaches, phishing, or guessing), and the code is the only thing standing between them and your email, bank, or payment app. So they call, text, or message you with a story engineered to make you hand it over. The code typically expires in minutes, which is why these scams always happen in real time, with you on the phone or in a chat.
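A minimal model of that check, added here as an illustration and not taken from any real service: the class, the 300-second lifetime, and the account names are assumptions. It shows that the server compares the code only against the pending login attempt, so a code read aloud completes whichever attempt triggered it, and only while it is still valid.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed lifetime; the page says only "minutes"


class OtpService:
    """Toy second-factor check: one pending code per login attempt."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}    # attempt_id -> (account, code, expires_at)
        self.sms_outbox = []  # (account, code) "delivered" to the owner's phone

    def start_login(self, account):
        """Password already accepted: send a code to the owner's phone."""
        attempt_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"
        expires_at = self._clock() + CODE_TTL_SECONDS
        self._pending[attempt_id] = (account, code, expires_at)
        self.sms_outbox.append((account, code))
        return attempt_id

    def finish_login(self, attempt_id, submitted_code):
        """Return the account name on success, None otherwise."""
        entry = self._pending.pop(attempt_id, None)  # codes are single use
        if entry is None:
            return None
        account, code, expires_at = entry
        if self._clock() > expires_at:
            return None
        # The only question asked: does the code match this attempt?
        # Nothing identifies which person typed it or where they got it.
        return account if hmac.compare_digest(code, submitted_code) else None


def relayed_code_outcome(delay_seconds):
    """Constructed scenario: someone other than the owner starts the login,
    and the owner reads out the code from their phone after a delay."""
    now = [1_000_000.0]
    svc = OtpService(clock=lambda: now[0])
    attempt = svc.start_login("alice")  # started in the caller's browser
    spoken_code = svc.sms_outbox[-1][1]  # what the owner reads aloud
    now[0] += delay_seconds
    return svc.finish_login(attempt, spoken_code)
```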
The Most Common Versions
- The marketplace "are you real?" check. You list a couch on Facebook Marketplace or Craigslist. An interested "buyer" says: "I've been scammed before — can I verify you're a real person? I just sent you a code, read it back to me." The code is a Google Voice verification for your phone number. Read it back and the scammer creates a Google Voice number tied to your number, which they then use to run scams on other victims, with the trail leading back to you. This is one of the most reported Facebook Marketplace scams, and the FTC has warned about it repeatedly.
- The fake fraud department call. "This is your bank's fraud team. We've detected a suspicious charge. To verify your identity, read me the code we just sent." The scammer is on your bank's real login or money-transfer page at that moment; the code you receive is genuine — triggered by them — and reading it aloud completes their login or authorizes a transfer. The same play drives many Zelle scams: the code you recite is literally the confirmation for sending your own money away.
- The account recovery hijack. A message from a "friend" (whose account is already compromised): "Hey, I accidentally sent my code to your number, can you forward it?" That code is the password reset for your WhatsApp, Instagram, or email account. Forward it and the account is gone — and the scammer starts messaging your contacts with the same line.
- Fake support and delivery verifications. "Apple Support" calling about your compromised iCloud, or a "delivery driver" who needs a code to release your package. Any script works; the constant is the request to say the code out loud.
Red Flags That End the Conversation
- Anyone asks you to read a code aloud or forward it. This alone is disqualifying, regardless of who they claim to be or how plausible the story sounds.
- A code arrives that you did not request. That means someone, somewhere, is actively trying to log into or register something with your number. Do not share it — and consider changing the password on the associated account.
- The message with the code says "do not share this with anyone." Services print this warning because this exact scam is so common. Believe the message, not the caller.
- Real-time pressure. "Quick, it expires in 60 seconds!" Urgency is the mechanism, because the scammer's window really is that short.
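The red flags above expressed as a message-triage heuristic, as an added example rather than the rules of any product: the patterns, flag names, and sample messages are constructed for illustration. It separates a request to relay a code from a service's own "do not share" warning, which mentions the same words.

```python
import re

# Constructed heuristics for the red flags above; keyword rules like these
# will miss paraphrases and can misfire on phrases such as "zip code".
CODE = re.compile(r"\b(?:code|otp)\b", re.I)
VERBS = r"(?:read|tell|give|forward|share|say|recite|send)"
RELAY = re.compile(r"\b" + VERBS + r"\b", re.I)
NEG_RELAY = re.compile(
    r"\b(?:do not|don't|never)\s+(?:\w+\s+){0,3}?" + VERBS + r"\b", re.I
)
URGENT = re.compile(r"\b(?:quick|hurry|urgent|asap|right now|immediately)\b", re.I)


def red_flags(message):
    """Return the set of red flags found in one inbound message."""
    flags = set()
    code_seen = False  # lets "forward it" refer back to an earlier "code"
    text = message.replace("\u2019", "'")  # normalise curly apostrophes
    for sentence in re.split(r"[.!?\n]+", text):
        mentions_code = bool(CODE.search(sentence))
        if RELAY.search(sentence) and (mentions_code or code_seen):
            if NEG_RELAY.search(sentence):
                # "Do not share this code": the service's warning, not a request.
                flags.add("service_says_do_not_share")
            else:
                flags.add("asks_you_to_relay_code")
        if URGENT.search(sentence):
            flags.add("real_time_pressure")
        code_seen = code_seen or mentions_code
    return flags


def is_code_scam(message):
    """A relay request alone is disqualifying, whatever the pretext."""
    return "asks_you_to_relay_code" in red_flags(message)
```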
What to Do
- Refuse and hang up or stop replying. You owe no explanation. Legitimate organizations verify you through their own systems, never by having you recite inbound codes.
- If you already shared a code, act within minutes: change the password on the affected account, sign out all sessions/devices, and check recovery email and phone settings for changes the intruder made to lock you in later.
- If it was the Google Voice variant, you can reclaim your number by setting up Google Voice yourself with the same number, which unlinks the scammer's account. Google publishes a reclaim process for exactly this scam.
- If money moved, contact your bank immediately and file reports with the FTC (reportfraud.ftc.gov) and the FBI's IC3.
- Upgrade where possible. App-based authenticators and passkeys are far harder to socially engineer than SMS codes, because there is nothing convenient to read aloud.
Why This Scam Works on Smart People
The verification code scam succeeds because it inverts the mental model most people have of 2FA. We are taught that the code proves we are safe — so when a caller frames reading the code as a security step ("to verify your identity," "to confirm you're a real person"), it feels like cooperation with security rather than the defeat of it. The scam also happens live, under time pressure, with a confident voice guiding you. There is no suspicious link to hover over and no misspelled domain to catch; the text with the code genuinely comes from your real bank or from Google. The only forgery is the human on the other end of the line. That is why the defense has to be a rule about behavior, not a checklist about messages: codes get typed into websites by you, never spoken to people.
One Sentence to Remember
Verification codes are meant to be typed by you into a website — never spoken, texted, or forwarded to a human. Every version of this scam, from marketplace buyers to fake bank agents, collapses against that single rule. For the surrounding tricks these scammers pair with codes, see our phishing scams hub.
Got a suspicious message or call script involving a code? Paste it into IsThisAScam.to for a free, instant analysis of the pattern — before anyone gets your six digits.