Bots Are Now Robocalling to Phish For Your Two-Factor Authentication (2FA) Codes

Most of us are familiar with Two-Factor Authentication, or 2FA, as an additional security measure when logging in to various sites such as Google, Apple, Facebook, Microsoft, Amazon, and other popular websites and applications we use every day. The idea is that a user should, in addition to providing a username and password, also provide an additional code or token provided by the website or app. This code is sent as a One-Time Password (OTP) via SMS or a token obtained from a mobile app like Google/ Microsoft Authenticator. They are usually valid for a short duration before a new token needs to be entered. Codes valid for a short time are also known as Time-Based OTPs (TOTP) and are commonly used when logging into websites and apps, or to approve a banking or financial transaction.

The idea behind 2FA and OTP tokens is that even if a user’s password is breached or stolen, an attacker still cannot access the user’s account without the second factor to authenticate the login. That second factor is usually obtained from an authenticator app on the account holder’s mobile or desktop device. Recently, however, crooks and fraudsters have started using a phone phishing technique to make phone calls to their victims. It uses specialized bots sold on underground websites. The technique poses as a security verification call from the website or app that the potential victim uses. It tricks them into providing the actual OTP or 2FA code sent by the website or app. This occurs immediately after the fraudster logs in and attempts a purchase or financial transaction via that portal.

How does 2FA phishing work?

The latest specialized bots now make it far easier and quicker for fraudsters to fool their targets into providing their authentication codes or OTPs. Again, a website or app the victim uses sends these codes. Using massive lists of breached and leaked log-in credentials and personal data available for sale on shady underground sites found on the dark web, nefarious parties first correlate these personal details to the victim’s name and mobile number. They then activate the bot to robocall the victim from a fake Caller ID number that purports to be from the victim’s bank or a payment service, like Stripe or PayPal.

These phishing bots sound just like the robotic-voiced customer service bots that we hear when calling our bank or other companies we often deal with. The phishing bot first enters the previously obtained login credentials for the victim’s account at the bank or payment processing website. The bank or payment service then immediately sends an SMS OTP to the victim’s phone number, which the fraudster has already obtained from prior breaches and personal data leaks. The bot then calls the victim and plays a legitimate-sounding message stating that the account holder must complete a “security verification” by entering the OTP that the victim’s bank has just sent.

If the target is fooled and enters the legitimate OTP from the bank’s text message that the bot’s log-in attempt triggered, the fraudster successfully logs in, takes over the account and quickly depletes it. This happens fast before the victim has an opportunity to alert the bank. If the victim uses an authenticator app rather than getting codes via SMS, the bot asks the victim to enter the code shown in that app.

How can 2FA phishing be prevented?

Though 2FA codes have significantly helped reduce the incidence of fraud and account takeover, they are vulnerable to interception by specialized phishing bots now being sold on underground sites. When a victim gets a phone call appearing to be from the bank, they can easily be tricked into giving up the 2FA code sent by the bank or another website. There is little chance of stopping the crime once it’s in progress.

While some enterprises now use push notification services like Okta to verify log-in attempts, most banks and other businesses still do not use them. And even if they do use such log-in confirmation apps, victims could still be defrauded if they are unaware of recommended online security practices. As a result, phishing robocalls fool the victim, who approves the push notification received from the security app on their mobile devices. It’s all triggered by the fraudster’s log-in attempt into a bank or another company’s website or app.

The only fool-proof way to prevent 2FA phishing bots is by implementing a dedicated bot management solution that accurately detects bots in real time on a website or app. It prevents the initial login attempt by the fraudster’s bot. A purpose-built bot mitigation solution analyzes hundreds of data points and differentiates a bot from a human. It also leverages machine learning and artificial intelligence to detect each visitor’s intention. This includes phishing bots that enter correct login credentials and other types of bots programmed to execute various types of harmful attacks.

Want to Stop Phishing Bots? Here is the Perfect Next Step

Reach out to the cybersecurity experts at Radware. They have made it their mission to protect customers against automated threats like bots. They provide comprehensive protection of web applications, mobile apps and APIs. They’d love to hear from you.

Also, make sure and take Radware’s Free Online Assessments to know how protected your organization is from bad bots.

Neetu Singh

Neetu Singh is a cybersecurity solution lead with Radware. In her role, she specializes in application security and threat intelligence, working closely with Radware's product and threat research teams. Here she has led marketing initiatives, partnerships, collaborations, and campaigns for enterprise and SMB markets. She frequently writes about cloud trends, industry 4.0 and SMAC (social, mobile, analytics and cloud) among other topics. Neetu holds an MBA in marketing from NMIMS University in Mumbai.

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program


An Online Encyclopedia Of Cyberattack and Cybersecurity Terms

What is WAF?
What is DDoS?
Bot Detection
ARP Spoofing

Get Social

Connect with experts and join the conversation about Radware technologies.

Security Research Center