Two Factor Authentication Fraud – copyright Steve Burgess, 2025
One of the better ways to protect yourself from online fraud is Two-Factor Authentication (2FA). This scheme is also known as 2-Step (or dual-step) Verification or Authentication, or Multi-Factor Authentication.
Reportedly, AT&T has been using 2FA since 1996, so it’s nothing new. As a result, there has been plenty of time for fraudsters to try to figure ways around it. Yes, there exists 2FA Fraud.
More on this in a few paragraphs below.
When you log into your email, bank account, or social media and all you need to do is type in a password, that’s one-factor (or single-factor) authentication. Two-factor authentication just means you have to take an additional step.
The way 2FA protection works, which it mostly does, is by having a code of some kind sent to your phone or computer when you try to log in to a private account.
Other means of 2FA, besides something you know (e.g. a password, as above), include something you have (like a hardware token or cell phone), or something you are (like your fingerprint, your face, or other biometrics).
The problem with using just a single factor.
Even though an increasing number of online accounts require 2FA, there are still many that do not. And after all, who wants to go through a big rigamarole just to read some email, or buy something?
Many people choose insecure passwords, such as “1234” or “password.” Many also use easy-to-guess words or phrases, such as a favorite color, team, or car. These things are easy for a bad guy to guess with just a little research – or simply by reading what you share on FaceBook or other social media.
There are certainly ways to choose a better password, such as those at the end of this article by yours truly, which gives many suggestions for choosing a better password.
So, even though it may be a pain in the tuchus, it’s a good idea to have to take that second 2FA step before logging into an online store that has your payment info in their servers – you know, to make it easier to buy, but which also makes it easier for someone you’ve never heard of to buy thousands of dollars worth of stuff for themselves on your dime. Or take all of the dimes in your bank or investment account.
But, increasingly, the bad guys are figuring out ways around 2FA – 2FA Fraud.
What in the world is 2FA fraud? I thought that two-factor authentication was supposed to protect me.
Where there’s a will, there’s a way. As I’ve often said before, human nature doesn’t change but the tools do. There’s always that small fraction of people who are out to get other people’s stuff one way or the other. It used to be that Ugg had to sneak up in the night to grab that yummy haunch of aged woolly mammoth meat that you had stored in your cave. But as tech advances, the schemes to rip you off do so as well.
2FA Fraud
At the current time, the two primary means of 2FA fraud involve SIM swapping and Port-out fraud.
SIM Swapping
This usually starts with the perpetrator collecting personal information about you. This can be by scraping social media for information you have freely shared, like your favorite stuff or experiences you have had – you probably see these fun little quizzes on FaceBook and other social media all the time.
Another way is by phishing emails or texts, where they impersonate some person, organization, or company you know in order to get you to give up your personal information, including passwords. These are easy to fall for because they can look quite authentic.
SIM swapping is named after SIM cards but does not involve actually taking a SIM card out of your phone or other device. It’s when the fraudster manages to transfer your phone number to their own device by convincing the victim’s cell phone provider that they are the account holder.
Then they get the phone provider to activate a new SIM card (physical, or an e-SIM) with your number. Then their phone appears to be yours. This is what they use the personal information about you for – to convince someone or some algorithm that they are you!
Once they have control of your phone number, it’s a lot easier to take over your other accounts. Now, when a 2FA message or call is sent to your number, it goes to them and not to you. This allows them to dive into other accounts of yours and notably, locks you out.
The next step may be that the scammer starts changing your personal information while diving into and controlling other accounts of yours.
Port-Out Fraud
This is similar, but here the scammer contacts a different phone service provider than the one you have and requests that they bring your number over from your current provider. Once the number has moved, the same takeovers of your information and identity can take place.
One sign that you’ve fallen victim to one of these scams is that you may not be able to make or receive calls or texts on your own device. If you are able to receive them, you may start getting messages thanking you for your purchases – purchases you did not make. You may call your phone provider or your bank only to discover that your personal info has been changed and you don’t have the info in their database to prove it’s really you.
What are some ways to protect yourself?
Don’t give personal information away. For instance, don’t share your social security number. In general, the only organizations with the right to that are the government, your employer, and financial institutions that lend you money.
And don’t overshare personally identifiable information online – especially your favorite things, because those are gateways to faking your identity to banks and other institutions.
Sign up for 2FA whenever possible and never share your 2FA codes with anyone, whether sent via text or phone, even if that person claims to be a trusted employee of the company sending you such a code.
When possible, use authenticator apps instead of getting an SMS text for authentication purposes. Both Google and Microsoft offer an Authenticator. PC Magazine offers its take on the best ones for 2025.
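The reason an authenticator app holds up where a text message does not is worth seeing in code. The following is an added example, not something from this article or from any particular authenticator product: it implements the standard time-based one-time password algorithm (TOTP, RFC 6238, built on HOTP, RFC 4226) that Google Authenticator, Microsoft Authenticator and most others use. The shared secret below is the well-known test secret from those RFCs, not a real account’s secret, and the Base32 string is simply that same secret in the form an app would read from a sign-up QR code. Notice that the code is computed from the secret and the clock only. Your phone number never enters the calculation, so moving the number to another SIM or another carrier does not move the codes.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed for this example: the RFC 4226 / RFC 6238 test secret ("12345678901234567890").
# In practice an app receives the secret as Base32 inside a QR code at sign-up time.
SECRET_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SECRET = base64.b32decode(SECRET_BASE32)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over an 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of the last byte picks the window
    window = digest[offset:offset + 4]
    code = struct.unpack(">I", window)[0] & 0x7FFFFFFF  # drop the sign bit
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current time.

    Only the shared secret and the clock are inputs; no phone number, no SMS, no carrier.
    """
    if now is None:
        now = int(time.time())
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, submitted: str, now: Optional[int] = None,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check that tolerates small clock drift (window steps either side).

    Uses a constant-time comparison so the check itself does not leak information
    about how many digits matched.
    """
    if now is None:
        now = int(time.time())
    for drift in range(-window, window + 1):
        expected = totp(secret, now + drift * step, step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    # The app on the user's phone and the server both hold SECRET and agree on the clock.
    print("current code:", totp(SECRET))
    # RFC 6238 test vector: at Unix time 59 the 8-digit SHA-1 code is 07081804 for T=1111111109;
    # at T=59 the 6-digit code is 287082.
    print("code at T=59:", totp(SECRET, now=59))
```

A defender’s reading of this: a fraudster who has swapped your SIM receives every SMS code sent to your number, but an attacker who wants TOTP codes has to obtain the secret itself, which lives on your device and the server, not with the carrier. That is why the article’s advice to prefer an authenticator app over text messages removes the SIM-swap and port-out routes entirely rather than just making them harder.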
Use passkeys when that option is available. Passkeys can use biometrics, such as your fingerprint or a facial scan, to log in to your account. Right now, iPhones come with that as standard issue.
Don’t respond: if someone calls or texts you and asks for personal information, do not provide it. If the caller claims to be from a business you are familiar with, hang up and call that business using a number you trust, such as the number on your bill, in a phone book, or on the company’s website.
Don’t respond #2: If you get a text or call from someone you don’t recognize, or a friend request on social media from someone you don’t recognize – don’t answer and don’t text back. Scammers send out thousands or even millions of texts and bogus phone calls, hoping that the unsuspecting will pick up or answer. Then they know they’ve got a live number. If you don’t respond, they don’t know you’re there.
Monitor account activity regularly so you can quickly identify any suspicious behavior.
What to Do If It’s already happened
Time is of the essence.
Try to change your passwords immediately.
Remove compromised devices – like your phone – from your accounts. It may be time to get a new one.
In extreme cases, change your phone provider altogether, as well as your Internet Service Provider.
It’s especially important to contact your banking and financial institutions to report suspicious activity. Remember – banks have branches where you can walk in and prove your identity with driver’s licenses and the like.
If you think someone is using your personal information, go to IdentityTheft.gov to report it and get a personalized recovery plan.
While Two-Factor Authentication can make you safer, there are ways that some scammers can work around it. Being aware of the activity in your accounts, and not falling prey to phishing and oversharing of personal information can help.
Look, most people are honest and caring. But others are unscrupulous or hungry. And most of the bad guys are looking for the low-hanging fruit. There’s plenty of it around. Be hard to pick. A bit of awareness and proactive safety precautions can make you one that they’ll pass right by.