Message from the Director - Multifactor Authentication and Scams
The primary goal of the Office of the Comptroller of the Currency’s (OCC) Customer Assistance Group (CAG) is to process and resolve consumer complaints that fall under our jurisdiction. While CAG seeks to resolve complaints in an objective and expeditious manner, not all consumer issues are covered by banking laws or regulations and not all consumers will obtain the resolution they are seeking.
With the increased use of electronic devices for financial transactions, there is also an increase in victims of scams and other fraudulent activities. Financial institutions employ various methods to protect their systems from unauthorized access; however, consumers also need to remain vigilant in protecting their personally identifiable information (PII).
To make transactions more secure, many banks either offer or require multifactor authentication, including two-factor authentication. If it is optional, customers are encouraged to opt in to using multifactor authentication. Multifactor authentication is a verification process in which two or more authentication factors are used to verify the identity of the user before the account or website can be accessed. Examples of authentication factors include information you know, such as passwords; something you possess, such as a unique PIN or randomly generated authentication codes derived from a hardware token or cell phone; and information about who the user is, such as biometrics like your fingerprint or facial scans. Using more than one authentication factor can help prevent a hacker from gaining access to your PII and other banking data, even if your password has been compromised. Although this adds an additional layer of security, there are scams and other techniques that can be used to circumvent multifactor authentication.
The OCC urges consumers to be aware of the rise in phishing phone calls, emails, and text messages and learn how to protect sensitive information, such as PII. Below are examples of scams intended to undermine the security offered by multifactor authentication:
- A consumer receives a text message saying there is suspicious activity on their bank account. The text asks the consumer to reply with an authentication code they are about to receive. At this point, the scammer has already obtained the consumer’s username and password from another cyberattack and is trying to log into the account. Because the consumer has multifactor authentication, the financial institution transmits an authentication code through text messaging to the consumer’s phone. When the consumer replies with the authentication code, the scammer has everything needed to access and transfer funds from the consumer’s account.
- A consumer receives an email asking them to verify the contact information on their account. The email provides a link to “log in” to the account. The link directs the consumer to the scam website, where the consumer enters their login information. The information is captured by the scammer and used to log into the consumer’s account on the official bank website. The bank sends a one-time authentication code, which the consumer enters into the scam website. The scammer in turn enters the code into the real bank login page and is able to change information, such as passwords or email and phone contacts. The scammer is also able to withdraw all the available funds in any accounts linked to the login.
Here are some measures customers can take to avoid multifactor authentication scams:
- Never provide your authentication code in response to text messages, emails, or phone calls, even if the communication appears to be from a bank representative. Bank representatives will never call you and request that you provide your authentication code. If you are asked to provide a randomly generated authentication code, hang up or stop replying immediately.
- Monitor your accounts for suspicious activity. The only time you will be sent an authentication code is to verify an attempt to log into your account. This means that if you did not just try to log in and you suddenly receive a verification code through a text message to your smartphone, it is because a scammer already has your username and password and is trying to hack into your account.
- Do not click links in unsolicited emails. Links in emails are a very common method of installing malware or viruses that will allow scammers to capture personal information.
Although multifactor authentication remains one of the best ways to ensure your accounts are secure, it is crucial to be diligent in detecting scams that hackers use to get around these security measures. A successful multifactor authentication scam could leave you locked out of your accounts, and your accounts vulnerable to data theft and other cyberattacks.
July 2021