FBI issues urgent warning to smartphone users over rising 2FA text scams
Written July 29, 2025 – 14:00 EDT
The FBI has issued a renewed warning to iPhone and Android users across the United States, advising them to avoid responding to suspicious text messages—even those that seem to come from friends or familiar companies. According to a recent public service advisory, cybercriminals are exploiting text-based two-factor authentication (2FA) to hijack personal accounts, steal identities, and defraud individuals.
With billions of scam texts circulating annually in the U.S., federal authorities say Americans must remain vigilant and adopt stronger digital security habits to avoid falling victim to these increasingly sophisticated attacks.
Rise of scam texts targeting personal accounts
The FBI’s alert focuses on the growing use of fraudulent text messages and voice calls—also known as smishing (SMS phishing) and vishing (voice phishing)—to trick users into giving away sensitive information such as login credentials, financial data, or temporary security codes.
Common scam text examples include fake messages about:
- Undelivered packages
- DMV penalties or unpaid tolls
- Suspicious bank activity or Amazon refunds
These messages often impersonate trusted institutions and urge users to click a link or reply urgently. Once a victim engages, attackers use social engineering techniques to gain access to personal information or send malicious links that install spyware.
In its most recent advisory, the FBI emphasized that users should never respond to text messages or emails unless they can verify the sender’s identity. Even if a message appears to come from a friend, coworker, or family member, it may be the result of a compromised account.
Why sharing 2FA codes is dangerous—even with people you know
Two-factor authentication (2FA) is widely used as an added layer of protection for online accounts. It typically requires a user to enter a one-time passcode (OTP) sent via SMS or email after entering their password. While 2FA is strongly encouraged, text-based OTPs are also one of the weakest links in digital security when misused.
According to the FBI, threat actors can manipulate users into forwarding 2FA codes, even when those users have followed standard security practices. For example, if a criminal gains access to a person’s messaging account, they might impersonate that person and ask their contacts to forward an authentication code.
“Actors may use social engineering techniques to convince you to disclose a 2FA code,” the bureau stated. “Doing so lets attackers compromise and take over accounts.”
Cybersecurity expert Jake Moore of ESET echoes the FBI’s concerns:
“Scammers often trick people into revealing OTPs to bypass security checks and take control. Even if someone claims to be from your bank, a trusted company, or even a family member, keep OTPs to yourself.”
This type of scam is especially dangerous because it preys on human trust—users are more likely to send a code if they believe the request is coming from someone they know.
Better alternatives: Authenticator apps and passkeys
To improve digital security, both the FBI and industry experts recommend using authenticator apps or passkeys instead of relying on SMS-based codes.
Authenticator apps (like Google Authenticator, Microsoft Authenticator, or Authy) generate time-sensitive codes on the device itself, meaning they are not sent through SMS and cannot be intercepted or forwarded.
Passkeys go even further. They link an account directly to a user’s physical device (such as a phone or laptop) using biometric data or a secure hardware token, making them significantly harder to steal or spoof.
Many tech companies, including Apple, Google, Microsoft, and major financial institutions, have already implemented passkey support across their platforms. Meanwhile, banks in countries like Australia and the United Arab Emirates are phasing out SMS-based 2FA entirely in favor of more secure authentication tools.
How to protect yourself from 2FA scams
If you still rely on SMS codes for two-factor authentication, it’s crucial to understand the risks and take the following precautions:
- Never share your 2FA or OTP code with anyone, no matter who is asking.
- Avoid clicking on links in unsolicited text messages or emails.
- Verify the sender by contacting the institution directly through its official website or phone number.
- Enable 2FA on all your accounts—preferably using an authenticator app rather than SMS.
- Use unique, strong passwords and consider a reputable password manager.
- Regularly check account activity for any unusual logins or changes.
By making small changes to your digital habits, you can significantly reduce your vulnerability to scams and protect your personal accounts from compromise.
Final thoughts
The FBI’s warning serves as a crucial reminder that while digital tools like 2FA are designed to protect users, they must be used correctly and cautiously. The real danger lies not in the technology itself, but in the ability of cybercriminals to manipulate people into bypassing their own safeguards.
As cybercrime continues to evolve, so must our approach to security. Upgrading from text-based authentication to more secure methods like authenticator apps or passkeys is not just advisable—it’s essential.
Source: Forbes – FBI Warns iPhone And Android Users—Do Not Share These Texts