Scam Message Checker

What to do if you shared an OTP

An OTP lets someone complete a login or payment. If you shared one, treat the linked account as at risk right now.

Quick answer

An OTP lets someone complete a login or payment. If you shared one, treat the linked account as at risk right now.

  • Change the account password immediately from a trusted device
  • Log out of all active sessions
  • Contact the service provider to secure the account
  • Do not share any further codes
Most urgent

Do this now

  1. Stop sharing codes - your bank never asks you to read one out.
  2. Change your banking/account password now.
  3. Call your bank if the code related to a payment or login.

Understanding what happened

A one-time code is the last lock on your account, so sharing one is serious - but it's also fixable if you move quickly. The code itself usually expires fast; the lasting risk is what the scammer did with it in that moment, such as logging in or approving a payment. Securing the account now closes that window.

Scammers get codes by creating a believable reason in real time: a 'bank security check', a delivery 'confirmation', or a friend who 'sent it to you by mistake'. The constant across all of them is that they need you to read out or forward a code that was sent to you - something no genuine bank, platform, or real friend ever needs.

The immediate exposure depends on what the code protected. For banking, assume a login or payment may have been attempted and contact your bank. For an account login, assume someone may have signed in and reset access. Changing the password and signing out other sessions removes them even if they got in.

Going forward, the strongest fix is to stop relying on codes that can be read aloud. App-based authenticators and passkeys can't be socially engineered the same way, and turning them on for email and banking makes a repeat far less likely. Treat any future 'share the code' request as an automatic red flag.

First 5 minutes

  1. Change the account password immediately from a trusted device
  2. Log out of all active sessions
  3. Contact the service provider to secure the account
  4. Do not share any further codes

First 24 hours

  1. Turn on app-based two-factor authentication
  2. Review recent account activity and transactions
  3. Warn contacts if a messaging account was involved
  4. Report the incident to the provider and authority

Next 7 days

  1. Monitor the account daily.
  2. Move 2FA to an authenticator app.
  3. Watch for further 'security' calls.

What not to do

  • Do not pay anyone who promises to recover your money for an upfront fee
  • Do not act on follow-up messages claiming to be the fraud team
  • Do not delete evidence before saving it

Evidence to save

  • Screenshots of the message and sender details
  • Phone numbers, usernames, links, and account or wallet addresses
  • Transaction references, receipts, and amounts

How to save scam evidence →

How to report

  1. Gather your evidence first (screenshots, dates, amounts, any reference numbers).
  2. Report to your national fraud/cybercrime body and, if money moved, to your bank.
  3. Find the right official links for your country in the reporting directory.

Find official reporting links for your country in the reporting directory.

  • Do not use phone numbers or links from the suspicious message - look up the official ones yourself.
  • Report quickly if money was sent or ID documents were shared; speed improves your options.
  • Keep your evidence - see how to save scam evidence.

Beware of recovery scams: no legitimate service guarantees getting your money back for an upfront fee.

Stop it happening again

Use an authenticator app or hardware key instead of SMS codes where you can - they can't be talked out of you the same way.

Adopt one simple rule that defeats this entire category: you never share a code with anyone, for any reason, including people who claim to be support or your bank.

Related scam types

Related red flags

Related terms

This is general safety information, not legal, financial, or cybersecurity incident-response advice.

Still have the message?

Check it to understand the red flags and how to report it.

Check a message

Frequently asked questions

How quickly should I act?

As soon as possible. Fast action - especially contacting your bank - gives the best chance of limiting harm or stopping a payment.

Will I get my money back?

Sometimes, if you act quickly, but there is no guarantee. Be very cautious of anyone who promises guaranteed recovery for an upfront fee - that is a recovery scam.

What can a scammer do with one code?

Depending on the code, it can approve a login, a payment, or a security change. Treat the related account as exposed: change the password, sign out all devices, and turn on app-based two-step verification.

Get scam safety updates

Practical scam alerts, new examples, and simple safety tips. No spam. No sensitive message data.

We only collect your email address, optional name, consent status, signup page, and signup time. See our privacy policy.