Hackers are stealing two-factor authentication codes by using voice bots that sound authentic

  • Hackers target users on platforms such as Amazon or PayPal by stealing the temporary passwords users receive on their phones.
  • They use customisable bots to ask users for the 2FA or OTP codes needed to log in to their accounts.
  • Unsuspecting users get voice calls from such bots, asking them to enter verification codes, which can then be accessed by the hackers.

Users are generally advised to use two-factor authentication (2FA) and one-time passwords (OTP) wherever possible to enhance the security of their accounts. But according to a report in The Vice, hackers have found a way to steal these sensitive codes by using voice bots to trick users.

With the 2FA or OTP verification codes that users are tricked into revealing, the hackers can log in, make money transfers or perform other sensitive functions. The voice bots they use are sold online.

Here’s how hackers can steal the 2FA or OTP codes.

Hackers, who earlier used to pose as bank executives or customer care agents to trick unsuspecting customers into sharing their verification or login information, now use customisable bots that can place automated calls and ask for the temporary passwords to access your account.

These bots are made to sound as if you are talking to an authentic customer care agent, and they ask you to enter the 2FA/OTP code during the call. Once you enter it, the verification code reaches the hacker, who can now log in to your account and perform sensitive transactions.


The Vice, in its report, demonstrated one such instance in which the user gets a call claiming to be from PayPal’s fraud prevention system.

According to the call, someone wanted to spend $58.82 by accessing the user’s PayPal account. Over the call, it said, “in order to secure your account, please enter the code we have sent your mobile device now.” Once the code was entered, it said “Thank you, your account has been secured and this request has been blocked.”

The voice call also told the user: “Don’t worry if any payment has been charged to your account: we will refund it within 24 to 48 hours. Your reference ID is 1549926. You may now hang up.”

The call was actually from a hacker who used the customisable bot to trick the user into giving their one-time codes for verification. Similarly, hackers can target your Apple Pay, PayPal, Amazon, Coinbase, and other accounts to steal money or cryptocurrencies.

To hack into an account, one needs a username, email address or phone number, along with the password. These can be obtained from a previous data breach, and if the user has 2FA or OTP enabled, the hackers bring in voice bots to get past it.

Hackers also use these combinations of emails, phone numbers and names to determine whether a specific user has an Amazon or PayPal account before targeting them.

How to stay secure

Users can stay secure by being aware of such attacks. Whenever you get a call from anyone claiming to be customer care and asking for personal information, drop the call. Also, you should not share your 2FA or OTP codes with anyone.

In case you are worried about a potential breach of your account, you should log in to your account and track your transactions. Changing the email address can help prevent such attacks, but hackers can still find it and target your account, so beware of these attacks at all times.